Move entire Indexes and logs to another location
ambuj pandey
Q1.. what will be the indexer IP?
Q2.. which username and password will be used to run the command?
Exp 1: Running on separate VM. which has the Public IP where the manager is running.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1525/sshd: /usr/sbi
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 51307/node
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 591/systemd-resolve
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN 51868/wazuh-remoted
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 51751/wazuh-authd
tcp 0 0 0.0.0.0:55000 0.0.0.0:* LISTEN 51710/python3
tcp6 0 0 :::22 :::* LISTEN 1525/sshd: /usr/sbi
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 4940/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 4940/java
udp 0 0 127.0.0.53:53 0.0.0.0:* 591/systemd-resolve
udp 0 0 22.222.1.8:68 0.0.0.0:* 589/systemd-network
udp 0 0 127.0.0.1:323 0.0.0.0:* 815/chronyd
udp6 0 0 ::1:323 :::* 815/chronyd
Exp 1: Which username and pass i have to use. For now i have only manager detail.
If we have to use elastic credentials. where i will find these.?
Thanks in advance for the support.
Md. Nazmur Sakib
Hi Ambuj Pandey,
Hope you are doing well. Thank you for using Wazuh.
From your description, I assume you're using Wazuh with elastic stack.
Check the Kibana configuration to find the credentials at
/etc/kibana/kibana.yml
Run the following command to test if it's working before moving to step 1. Confirm that you can establish a connection.
curl -k -u admin:admin https://<INDEXER_IP>:9200
Here indexer IP is your Elasticsearch IP. If you are trying to connect from another machine it will not work with the loopback address (127.0.0.1). If the IP is defined in the configuration for Elasticsearch the IP, it should be the IP of your host machine.
I will also suggest you go through the index lifecycle management policy, snapshot and restore options it might help you with your storage-related issue.
https://wazuh.com/blog/wazuh-index-management/
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/snapshot-restore.html
I hope this information helps. Please let me know if you need any further information.
Regards
ambuj pandey
IN /etc/, kibana folder/file not exist.
ambuj pandey
Md. Nazmur Sakib
Hi Ambuj Pandey,
Hope you are doing well.
Can you share some details about your environment?
Which installation method did you follow during the set-up of your Wazuh Enviorment?
Ex: Wazuh manager with Elasticsearch Kibana or Wazuh manager with Wazuh indexer and dashboard, etc.
Is it all in one deployment or is it a distributed deployment?
The name of the operating system and the Wazuh manager version?
Please share this information so that I can guide you accordingly.
Regards
Md. Nazmur Sakib
ambuj pandey
· Step 1: sudo apt install vim curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg2
· Step 2: curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh
· Step 3: sudo bash ./wazuh-install.sh -a
After that I recieve the user and pass.. Then login https://[ip-addres]/app/login
OS: Ubuntu "20.04.6 LTS (Focal Fossa)"
Wazuh Version: 4.4
Wazuh manager with Wazuh indexer and dashboard
Now my indices is stored in "/var/lib/wazuh-indexer/nodes/0/indices/"
We have to move the indices path to another mount point..
root@wazuh-mgr:/var/lib/wazuh-indexer/nodes/0/indices# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 63.5M 1 loop /snap/core20/2015
loop1 7:1 0 91.9M 1 loop /snap/lxd/24061
loop2 7:2 0 40.9M 1 loop /snap/snapd/19993
loop3 7:3 0 40.9M 1 loop /snap/snapd/20092
sda 8:0 0 30G 0 disk
├─sda1 8:1 0 29.9G 0 part / (Default indices path)
├─sda14 8:14 0 4M 0 part
└─sda15 8:15 0 106M 0 part /boot/efi
sdb 8:16 0 8G 0 disk
└─sdb1 8:17 0 8G 0 part /mnt
sdc 8:32 0 32G 0 disk
└─sdc1 8:33 0 32G 0 part /datadrive. (New Partition)
We have to move at that path.
"Please let me know, if any more data required."
Md. Nazmur Sakib
Hi Ambuj Pandey,
As you are using the Wazuh indexer with the Wazuh Dashboard
Go to indexer configuration:
vi /etc/wazuh-indexer/opensearch.yml
Instead of the local host (172.0.0.1). Set the IP address of network.host to the IP address of your server.
Ex:
network.host: "192.168.*.*"
Now go to the dashboard configuration and update the IP address of the indexer there.
vi /etc/wazuh-dashboard/opensearch_dashboards.yml
opensearch.hosts: https://192.168.*.*:9200
Restart the wazuh-indexer wazuh-dashboard and wazuh-manager
systemctl restart wazuh-indexer
systemctl restart wazuh-dashboard
systemctl restart wazuh-manager
Now run the following command.
curl -k -u admin:YourAdminPassword https://192.168.**.***:9200
And about the document. The previous document was for Kibana. Wazuh dashboard is based on the OpenSearch dashboard.
Check this document to learn about snapshot and restore:
https://opensearch.org/docs/1.2/opensearch/snapshot-restore/
In this way, you can take snapshots of your old indices and store them in a mounted shared file system and restore them when needed. Check the shared file system
Check this document to learn about Index State Management
https://opensearch.org/docs/latest/im-plugin/ism/index/
I hope this helps. Let me know if you need any further information.
Regards
Md. Nazmur Sakib
ambuj pandey
Even, discover "wazuh-alerts-*" also not showing in the portal.
I am able to receive a log in wazuh server alert log (/var/ossec/logs/alerts/alerts.json), But not showing in UI.