
Wazuh for Nostr Relay Operators Part 1

Figure: Wazuh interface

Wazuh is a widely used and mature open source security platform.

For a relay operator it makes running multiple relays easier: logs from all of them land in one place, alerting is centralized, and you can even enable automated responses.

Wazuh can do many things depending on how it is deployed and in what environment. Here we'll only cover the small part that applies to relay operators.

We'll assume you are running a relay that writes logs, with something like nginx as a reverse proxy in front of it, on a Linux-based OS. Adjust accordingly if you use HAProxy or a cloud load balancer instead.

Set up the Wazuh server first. It should not be on the same machine as the relay: if the relay host is compromised, you want the logs and alerts to already be somewhere the attacker cannot reach. If you only run a small relay from home or on a VPS, a VM at home running the Wazuh server is a reasonable choice.

There are many installation options.

Once you have a Wazuh server running, install the Wazuh agent on your relay(s) and enroll each agent with the manager.

Make sure your nginx logs are added to the agent's log collection configuration, along with your relay's own logs, wherever the relay you run (e.g. strfry, nostream, etc.) writes them.
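As an added example (not from the original post), this is the kind of `<localfile>` configuration you would put in the agent's ossec.conf (on Linux, /var/ossec/etc/ossec.conf) so the agent ships the nginx access and error logs and the relay log. The nginx paths are the Debian/Ubuntu defaults; the strfry log path is an assumption, so adjust it to wherever your relay actually writes.

```xml
<ossec_config>
  <!-- nginx reverse proxy in front of the relay (default Debian/Ubuntu paths) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <!-- relay log; this path is an assumption, use the file your strfry/nostream
       instance logs to (wildcards in <location> are allowed, e.g. /var/log/strfry/*.log) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/strfry/strfry.log</location>
  </localfile>
</ossec_config>
```

Restart the agent (`systemctl restart wazuh-agent`) after editing. If you run several relays, the same `<localfile>` entries can instead go in the shared agent.conf of an agent group on the manager (/var/ossec/etc/shared/<group>/agent.conf), so every relay in the group picks them up without editing each host; the log files must be readable by the `wazuh` user on the relay, which is worth checking on the first host before rolling out.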

If you run relay(s) in a cloud environment like AWS, you can also feed the cloud provider's own logs into Wazuh.

Active Response is a powerful tool for relay operators: you can script actions that run automatically when a rule fires on a log event or system call, such as blocking a source IP at the host firewall for a limited time.
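As an added example (not from the original post), here is an active response on the Wazuh manager that uses the shipped `firewall-drop` command to temporarily block a client that triggers the built-in "multiple web server 400 error codes from same source ip" rule in nginx's access log. The rule ID 31151 is assumed from the stock web rules, so verify it against the ruleset of your Wazuh version; the whitelisted admin address is an assumption as well.

```xml
<ossec_config>
  <global>
    <!-- never auto-block these; assumption: your own admin host and localhost -->
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.10</white_list>
  </global>

  <!-- firewall-drop ships with the agent and inserts an iptables DROP for the srcip -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <!-- "local": run on the agent (the relay host) that produced the alert -->
    <location>local</location>
    <!-- assumed stock rule id for repeated HTTP 400s from one source; verify in your ruleset -->
    <rules_id>31151</rules_id>
    <!-- seconds until the block is removed again; always set this for an internet-facing relay -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two checks before enabling this: first, the source IP the rule sees must be the real client. With nginx directly exposed that is the case, but if a cloud load balancer sits in front of nginx the logged address is the balancer's, and the response would cut off all your traffic; fix the logging (X-Forwarded-For via the realip module) before turning it on. Second, keep a `<timeout>` and a `<white_list>` so a false positive locks you out for minutes, not permanently. You can watch what fired in /var/ossec/logs/active-responses.log on the relay.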

You can add custom rules on the Wazuh manager (in local_rules.xml) that alert on keywords in the logs your agents forward. This is useful for errors, but could also key on the responses your relay policies emit, such as the rejection messages of a strfry write policy.

Example:

<!-- variable defined outside the group; "|" means OR in a <match> -->
<var name="BAD_WORDS">error|warning|failure|severe</var>

<group name="syslog,errors,">
  <rule id="100090" level="4">
    <match>$BAD_WORDS</match>
    <!-- only fire for sources whose decoded srcip starts with 10.40. (prefix form;
         a CIDR such as 10.40.0.0/16 also works). If the decoder does not extract
         a srcip from the line, this rule will never match. -->
    <srcip>10.40.</srcip>
    <description>Keyword error found.</description>
  </rule>
</group>
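As an added example (not from the original post), the rule above can be escalated so that a burst of matches from one source produces a higher-level alert, which is what you would want before wiring it to an active response. The rule ID 100091 and the threshold are assumptions; it sits next to the rule above in local_rules.xml on the manager.

```xml
<group name="syslog,errors,">
  <!-- fires when the keyword rule (100090) has matched 5 times within 60 seconds
       from the same source IP; the level-10 alert is a better trigger for
       active response than a single level-4 keyword hit -->
  <rule id="100091" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100090</if_matched_sid>
    <same_source_ip />
    <description>Keyword error repeated 5 times within a minute from the same source.</description>
  </rule>
</group>
```

After editing local_rules.xml, restart the manager (`systemctl restart wazuh-manager`) and paste a real line from your relay or nginx log into `/var/ossec/bin/wazuh-logtest` on the manager: it shows which decoder ran, which fields (including srcip) were extracted, and which rule fired, which is the quickest way to find out why a rule like this stays silent.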

In Part 2 of this series we'll give some examples of the above to help show how Wazuh can be configured for a multi-relay setup using Docker containers.