Make use of Snapshot Backup Restore & Purging of Old Indices

[Khul Sat]

Greetings!

I am looking for a solution which would help me achieve following -

• Local log retention - 90days
  

• Older than 90 days but newer than 365 days - S3 bucket
  

• Older than 365 days -  Glacier

I checked following two blogs -

https://wazuh.com/blog/index-backup-management/

https://wazuh.com/blog/wazuh-index-management/

It seems to be the blogs are not updated for a latest version. I am currently on Wazuh 4.7.
Please someone guide me in accomplishing this goal.

Thanks,KS

[Md. Nazmur Sakib]

Hi Khul Sat,

You can follow these document


https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html

https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/

Let me know if you need any further assistance.

[Khul Sat]

Hi Md. Nazmur Sakib,

Thanks for your reply. Few questions I have though -

1. For ILM, isn’t there a need to make changes in filebeat configuration for policy to get applied to all future indices? I think this part is missing in the document?!?
2. For Snapshots, if I want to use s3 bucket, what would be the steps? I got some idea from the blog mentioned earlier, but one challenge I suspect w.r.t. short term credentials. Is there anything which can be done?

Regds,KS

​

[Khul Sat]

Any comments/suggestions? Please?

[Md. Nazmur Sakib]

To use an Amazon S3 bucket as a snapshot repository, install the repository-s3 plugin in your indexer node. We do not have any official document on this but you can follow this document from the Opensearch.

https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/#amazon-s3

Let me know if this works for you.