Cluster management

The cluster_control tool allows you to obtain real-time information about the cluster health, connected nodes, and the agents reporting to the cluster. This information can also be obtained using the ThreatLockDown API cluster endpoints.

For example, the following snippet shows the connected nodes in the cluster:

# /var/ossec/bin/cluster_control -l
NAME      TYPE    VERSION  ADDRESS
worker-1  worker  4.9.0    172.17.0.101
worker-2  worker  4.9.0    172.17.0.102
master    master  4.9.0    172.17.0.100

This information can also be obtained using the ThreatLockDown API endpoint GET /cluster/nodes:

# curl -k -X GET "https://localhost:55000/cluster/nodes?pretty=true" -H  "Authorization: Bearer $TOKEN"
{
    "data": {
        "affected_items": [
            {
                "ip": "192.168.56.103",
                "version": "4.9.0",
                "type": "worker",
                "name": "node02",
            },
            {
                "ip": "192.168.56.105",
                "version": "4.9.0",
                "type": "worker",
                "name": "node03",
            },
            {
                "ip": "192.168.56.101",
                "version": "4.9.0",
                "type": "master",
                "name": "node01",
            },
        ],
        "total_affected_items": 3,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All selected nodes information was returned",
    "error": 0,
}

If you want to see more examples and check all its options, refer to the cluster_control manual or the cluster endpoints.

Upgrading from older versions

If you already have a cluster installation from a version older or equal to 3.2.2, you should do some changes to your cluster configuration:

  • Remove <interval> section.

  • Remove worker nodes from <nodes> section. Only the master node is allowed.

The cluster will work with an old configuration but it is recommended to update it.