Moved Elasticsearch Indices from one server to another, Kibana/Wazuh kind of working


Robert H

Nov 29, 2017, 12:37:58 AM
to Wazuh mailing list
Hi,
I tried copying 2 months of data from one Wazuh/ELK standalone server to a different ELK-Wazuh stack.

I copied all the indices from /var/lib/elasticsearch/nodes/0/indices/ to the same directory on the new server, which has had ELK-Wazuh installed for 2 days. There may have been some overlap where both systems were running 2 days ago for several hours. I first received an Elasticsearch error and it would not start. I found that the ownership of all the copied files needed to be changed to elasticsearch:elasticsearch. This then allowed Elasticsearch to start. I also saw that my API connection was for the old server, so I removed it and added the new API info back in, and it connects again.

On the Discover page I can select an expanded data range and I can see all the data from back 2 months ago.  However in the Wazuh app there is only new data from tonight after the migration.

Interestingly, all the data is displayed on the OSSEC Dashboard page. Timelion also shows all 2 months of data.

For the Wazuh App, on the Overview page, the Agent Status shows all the data, but nothing else on that page does.  Only for tonight since the migration.  Also the File Integrity shows nothing, and Policy Monitoring and PCI show only data from tonight.

Do you have a way I can fix this last part so it shows all old and new data?

Regards,
Robert

jesusg...@wazuh.com

Nov 29, 2017, 6:10:55 AM
to Wazuh mailing list
Hi Robert, my name is Jesús and I'm going to help you with your problem. The indices seem to have been copied properly, since you are seeing data in Discover, Timelion and the OSSEC dashboard, so that tells us that your Elastic is working fine.

When you go to the Wazuh App we work with two index patterns: wazuh-monitoring-* and wazuh-alerts-*. You are seeing the agent status correctly because it uses the wazuh-monitoring-* index pattern, but you are not seeing the other fields because they use the wazuh-alerts-* index pattern. Please check the time filter in the top right corner of the screen, next to the "Panels" and "Discover" buttons. If it shows "24 hours", click it and set "Last 30 days" to make sure we have enough old data to check whether that's the problem.


Please let me know your app version and revision number:
- Click on the top right gear button (settings), and click on about section
- You should see something like "App version: 2.X.X", "Revision: 0XXX"

Hope it helps. 

Best regards, 
Jesús.
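
The two-pattern check Jesús describes, as an added example that is not part of this thread or of Wazuh's own code. It assumes Elasticsearch answers at ES_URL (set the ES_URL environment variable for a live run) and that the alert and monitoring documents carry an @timestamp date field, which is what the Kibana time picker filters on. It runs one min/max aggregation per index pattern and reports which pattern never received the migrated history, so you can tell a missing-data problem from a time-filter problem. The sample responses embedded in the script are constructed to mirror the situation described in the thread.

```python
"""Diagnose which Wazuh index pattern actually holds the migrated history.

Added example for this thread: not code from the original posts or from
Wazuh itself. Assumptions: Elasticsearch answers at ES_URL, and alert and
monitoring documents carry an @timestamp date field (what the Kibana time
picker filters on). One min/max aggregation per index pattern shows whether
wazuh-alerts-* really lacks the old data or the time filter is hiding it.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta

ES_URL = os.environ.get("ES_URL", "http://localhost:9200")
PATTERNS = ("wazuh-alerts-*", "wazuh-monitoring-*")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # Elasticsearch's default date output format


def range_query():
    """Search body that asks only for the oldest and newest @timestamp."""
    return {
        "size": 0,  # no hits, only the two aggregations
        "aggs": {
            "oldest": {"min": {"field": "@timestamp"}},
            "newest": {"max": {"field": "@timestamp"}},
        },
    }


def summarize(pattern, cat_indices, search_resp):
    """Fold a _cat/indices?format=json listing and the aggregation response
    into one report for the pattern."""
    aggs = search_resp.get("aggregations", {})
    return {
        "pattern": pattern,
        "indices": sorted(i["index"] for i in cat_indices),
        "docs": sum(int(i.get("docs.count") or 0) for i in cat_indices),
        "oldest": aggs.get("oldest", {}).get("value_as_string"),
        "newest": aggs.get("newest", {}).get("value_as_string"),
    }


def patterns_missing_history(reports, tolerance=timedelta(days=1)):
    """Patterns whose oldest document is more than `tolerance` newer than the
    oldest document across all patterns, or that hold no documents at all:
    those are the ones the migrated history never reached."""
    starts = {r["pattern"]: datetime.strptime(r["oldest"], TS_FMT)
              for r in reports if r["oldest"]}
    if not starts:
        return sorted(r["pattern"] for r in reports)
    earliest = min(starts.values())
    missing = [p for p, t in starts.items() if t - earliest > tolerance]
    missing += [r["pattern"] for r in reports if r["pattern"] not in starts]
    return sorted(missing)


def _get_json(url, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def inspect_pattern(pattern):
    """Live check against ES_URL: index listing plus the min/max aggregation."""
    cat = _get_json(f"{ES_URL}/_cat/indices/{pattern}?format=json&h=index,docs.count")
    hits = _get_json(f"{ES_URL}/{pattern}/_search", range_query())
    return summarize(pattern, cat, hits)


# Constructed sample responses mirroring the thread: the monitoring pattern
# spans two months, the alerts pattern only the night of the migration.
SAMPLE_CAT = {
    "wazuh-alerts-*": [{"index": "wazuh-alerts-2017.11.28", "docs.count": "310"}],
    "wazuh-monitoring-*": [{"index": "wazuh-monitoring-2017.09.29", "docs.count": "5"},
                           {"index": "wazuh-monitoring-2017.11.28", "docs.count": "5"}],
}
SAMPLE_SEARCH = {
    "wazuh-alerts-*": {"aggregations": {
        "oldest": {"value_as_string": "2017-11-28T22:05:00.000Z"},
        "newest": {"value_as_string": "2017-11-29T05:30:00.000Z"}}},
    "wazuh-monitoring-*": {"aggregations": {
        "oldest": {"value_as_string": "2017-09-29T00:00:00.000Z"},
        "newest": {"value_as_string": "2017-11-29T05:30:00.000Z"}}},
}


def demo():
    """Run the diagnosis on the constructed samples; returns the reports and
    the patterns flagged as missing history."""
    reports = [summarize(p, SAMPLE_CAT[p], SAMPLE_SEARCH[p]) for p in PATTERNS]
    return reports, patterns_missing_history(reports)


if __name__ == "__main__":
    if "ES_URL" in os.environ:  # live run against a real cluster
        reports = [inspect_pattern(p) for p in PATTERNS]
        missing = patterns_missing_history(reports)
    else:  # offline run on the constructed samples
        reports, missing = demo()
    for r in reports:
        print(json.dumps(r, indent=2))
    print("patterns without the old data:", missing)
```

If wazuh-alerts-* is flagged while wazuh-monitoring-* is not, the old alert indices were never picked up by the new cluster and no time-picker change will bring them back; if neither is flagged, the data is there and widening the time filter is all that is needed.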

Robert H

Nov 29, 2017, 12:31:23 PM
to Wazuh mailing list
Thanks Jesus,
Here are screenshots with the information.

Regards,
Robert

jesus.g...@wazuh.com

Feb 22, 2018, 4:26:07 AM
to Wazuh mailing list
Hi Robert, I just noticed this because Gmail wanted to put it in the spam folder, I don't know why, so sorry for the late response.
As far as I remember, you have participated in other threads and have installed Wazuh 3.x, so I'm assuming this thread can be closed.
In any case, let us know if you have any questions regarding this thread or if you are facing any trouble. Have a nice day.

Best regards,
Jesús

Robert H

Feb 23, 2018, 2:04:39 PM
to Wazuh mailing list
Hi Jesus,
Thanks for following up on it. The time has passed on this, so I think yes, it can be closed.

Best regards,
Robert