GrayLog Cluster with Wazuh Indexer & MongoDB

Dear Community,

This is my first post here. After reading quite a lot of docs and guides, I still have two important issues which I hope will not take too much of your time.

I am in charge of building a SOC for several potential customers of ours, so kind of an MSSP you could say.

In our planned Stack:

Wazuh with Wazuh Indexer (instead of ELK).

Debian 11 on Cloud, Ansible deployment.

What we would be happy to get your input about:

  1. It was clear after reading guides and docs that the Wazuh Indexer cluster would be used for the log storage, so Graylog > Wazuh Indexer. Lately I hear some voices that it is not good practice. Why?

  2. I saw and read the GL multi-node guide, so is this a correct basic cluster setup that will help us scale up rapidly when needed:

  • Wazuh Indexer 01

  • Wazuh Indexer 02

  • Wazuh Indexer 03

  • Graylog Server 01 (and inside MongoDB)

  • Graylog Server 02 (and inside MongoDB)

  • Graylog Server 03 (and inside MongoDB)

  • MongoDB ReplicaSet 01

  • MongoDB ReplicaSet 02

  • MongoDB ReplicaSet 03

So in total, the GL cluster has 6 machines.

Is this the right direction?

P.S. I am aware it all depends on I/O, CPU, RAM, number of logs ingested etc., but as the last variable is still to be declared, for now I am looking at the basic cluster.

Thank you for any info!


Hello @4xekb

Looking over your layout, it looks good, but Graylog from version 4.3 → 5 will be using OpenSearch, which is a fork of Elasticsearch. I have not worked with Wazuh to see if it's compatible with Graylog after 5.0.

I would be curious to see this setup though.


Thanks @gsmith for your prompt reply.

As Wazuh Indexer is a fork of OpenSearch, I am quite sure I saw a compatibility matrix somewhere; I will look for it tomorrow and post it here. If GL is not compatible with it, then we just use OpenSearch, I guess.

In that case, the first 3 machines I wrote, indexer01, 02, 03, will just be the 3 machines for OpenSearch 1, 2, 3?

Also, more importantly, I just read several MongoDB docs again but still am not sure about the replica.

As you can see in my list, there are 3 GL servers, each of which AFAIK should have a MongoDB instance inside.

In addition, I also planned 3 machines for 3 replicas.

Is that correct? I mean, is ReplicaSet01 replicated all the time from the MongoDB instance inside my Graylog Server 01?

Hope my question makes sense, and thanks again!


For Graylog you will need to configure the Mongo nodes in the configuration file with the replica set name.
You might want to look here for a better idea.

Hmm, sorry, I did not get your point. I did read this guide before and still don't understand, also your comment: what is not good in my plan?

I have 3 machines, each with GL server + MongoDB.

Then I have 3 extra machines, with Replica Set 01, 02, 03.

What do I miss?

Hey @4xekb

Perhaps I can try to simplify it for you.

If I understand you correctly, those first three machines with Graylog nodes would be a replica set; you would have a primary and two secondary nodes, so your Graylog config file would show the following.


mongodb_uri = mongodb://node1:27017,node2:27017,node3:27017/graylog?replicaSet=rs01

To add the other three you would need to find your primary MongoDB node and add them.


# Edit the Mongo configuration file.
vi /etc/mongod.conf

# Edit the following values in mongod.conf. The keys live under the "net:" and
# "replication:" sections (the option is named replSetName, not replicaSetName).
# Replace with the fully qualified domain name of the current Mongo node, and
# mongoReplicaSet with your own.
net:
  port: 27017
replication:
  replSetName: mongoReplicaSet

# Restart mongod, then in the mongo shell on the first node enter the following
# command to create the replica set.
> rs.initiate()

# Enter the following command on the primary to add other nodes, passing
# "host:port" of the node to add, where the other node is named,
# for example, "mongo-node-2" and the domain is
> rs.add("")

Verify the replica configuration:

mongoReplicaSet:PRIMARY> rs.conf()
{
        "_id" : "mongoReplicaSet",
        "version" : 3,
        "protocolVersion" : NumberLong(1),
        "writeConcernMajorityJournalDefault" : true,
        "members" : [
                {
                        "_id" : 0,
                        "host" : "",
                        "arbiterOnly" : false,
                        "buildIndexes" : true,
                        "hidden" : false,
                        "priority" : 1,
                        "tags" : {

                        },
                        "slaveDelay" : NumberLong(0),
                        "votes" : 1
                },
                {
                        "_id" : 1,
                        "host" : "",
                        "arbiterOnly" : false,
                        "buildIndexes" : true,
                        "hidden" : false,
                        "priority" : 1,
                        "tags" : {

                        },
                        "slaveDelay" : NumberLong(0),
                        "votes" : 1
                },
                {
                        "_id" : 2,
                        "host" : "",
                        "arbiterOnly" : false,
                        "buildIndexes" : true,
                        "hidden" : false,
                        "priority" : 1,
                        "tags" : {

                        },
                        "slaveDelay" : NumberLong(0),
                        "votes" : 1
                }
        ],
        "settings" : {
                "chainingAllowed" : true,
                "heartbeatIntervalMillis" : 2000,
                "heartbeatTimeoutSecs" : 10,
                "electionTimeoutMillis" : 10000,
                "catchUpTimeoutMillis" : -1,
                "catchUpTakeoverDelayMillis" : 30000,
                "getLastErrorModes" : {

                },
                "getLastErrorDefaults" : {
                        "w" : 1,
                        "wtimeout" : 0
                },
                "replicaSetId" : ObjectId("5d1e36618481a2906eb97171")
        }
}

This is found here.

If you need all 6 MongoDB instances to work together (cluster), then there will be one primary and several secondary instances.

OR, if those Graylog servers with Mongo are separate and you're trying to use the replica set for backup, you may want to rethink your layout. It's possible you could use a different database name for each one of the individual Graylog servers, i.e., graylog1.db, graylog2.db, etc.


Actually, there is someone here who used / is using Wazuh; perhaps he could jump in.
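As an added example that is not from this thread and not Graylog's or MongoDB's own documentation, here is a shell script that generates the three pieces the reply above describes: a member's mongod.conf with the keys MongoDB actually reads (replication.replSetName), a one-shot rs.initiate() that lists all members instead of rs.initiate() followed by one rs.add() per node, and the mongodb_uri line for Graylog's server.conf. The hostnames, the replica set name rs01, the database name graylog and the key-file path /etc/mongod.key are assumptions. The generated mongod.conf also turns on authorization and a shared key file, so neither clients nor extra members can join the set unauthenticated; the thread's own snippets leave both off.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Hostnames, "rs01", "graylog" and
# /etc/mongod.key are assumptions used for illustration.

# mongod.conf for one replica set member. "replication.replSetName" is the
# real option name; "replicaSetName" is silently unknown to mongod.
# authorization + keyFile: clients must authenticate, and only nodes holding
# the same key file can be added to the set.
gen_mongod_conf() {
  local replset="$1" fqdn="$2" keyfile="$3"
  cat <<EOF
net:
  port: 27017
  bindIp: 127.0.0.1,${fqdn}
replication:
  replSetName: ${replset}
security:
  authorization: enabled
  keyFile: ${keyfile}
EOF
}

# Shared key file, created once and copied to every member (mode 0400,
# owned by the mongod user). Requires openssl; not run by the demo below.
gen_keyfile() {
  local keyfile="$1"
  openssl rand -base64 756 > "$keyfile"
  chmod 400 "$keyfile"
}

# Mongo shell command that initiates the set with every member at once.
# Run it once, on one node, after all members have the config above.
gen_rs_initiate() {
  local replset="$1"; shift
  local members="" i=0 host
  for host in "$@"; do
    members="${members}${members:+, }{ _id: ${i}, host: \"${host}:27017\" }"
    i=$((i + 1))
  done
  printf 'rs.initiate({ _id: "%s", members: [ %s ] })\n' "$replset" "$members"
}

# mongodb_uri line for graylog server.conf. Listing every member lets the
# driver follow a primary election instead of pinning to one host.
gen_graylog_uri() {
  local replset="$1" db="$2"; shift 2
  local hosts
  hosts=$(printf '%s:27017,' "$@")
  hosts=${hosts%,}
  printf 'mongodb_uri = mongodb://%s/%s?replicaSet=%s\n' "$hosts" "$db" "$replset"
}

# Demo run with assumed hostnames: ./rs-gen.sh demo
if [ "${1:-}" = "demo" ]; then
  n1=mongo-node-1.example.internal
  n2=mongo-node-2.example.internal
  n3=mongo-node-3.example.internal
  gen_mongod_conf rs01 "$n1" /etc/mongod.key
  gen_rs_initiate rs01 "$n1" "$n2" "$n3"
  gen_graylog_uri rs01 graylog "$n1" "$n2" "$n3"
fi
```

With authorization enabled, the Graylog URI additionally needs a database user, in the standard MongoDB URI form mongodb://user:password@host1:27017,...,/graylog?replicaSet=rs01&authSource=admin; create that user on the primary before pointing Graylog at the set. Whether the second trio of machines joins this same set as extra secondaries (one primary, five secondaries) or forms a separate set is exactly the layout question the reply above raises; the script takes any number of hostnames, so either choice is just a different argument list.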

Hey @4xekb

It's a little off topic, but you wrote that you want to set up an MSSP with a SOC. What are the use cases for Wazuh?

And a hint: from TheHive 5 on you need an MSSP license. With the introduction of version 5, StrangeBee changed the license model.

Sure, why not. So far the integration looks good; I am getting what I was looking to deploy.
A user did message me privately, and I replied with the environment that I am running.
If required, happy to help. It also helps to get different views of how people look to deploy.


Sorry, I missed your message.

Wazuh is a very enriched platform, SIEM/EDR and more. I actually used it in the past and was very happy with it. The list is huge, but basically: deploy Wazuh on agents, forward the logs, FIM, inventory, CVE detection and much more.

Regarding TheHive 5, yes, I know, thanks, we should get a license soon.

Are you using a similar stack?


Thanks for your answer.
I have built and managed a SOC in a government environment for several years and know the ups and downs :wink:
I had deployed QRadar as a large distributed system. At some point I stopped having fun with a closed proprietary system. The setup consisted of QRadar, TheHive, OpenCTI, MISP, OTRS and a lot of hand-made (Python) applications.
