wazuh upgrade to 4.7 from 4.2.5


Narasimha Daarapureddy

Jan 3, 2024, 8:27:47 AM
to Wazuh | Mailing List
Hello everyone,

I wanted to migrate the old data to the new Wazuh server (4.7). If I move the indices to the new server, does it work?
Please give me a suggestion to do this in the best possible way.

Thank you.

Lucas Esteban Pedrosa

Jan 4, 2024, 6:24:59 AM
to Wazuh | Mailing List
Hello, Narasimha

For a proper migration, just moving the indices wouldn't be good, as the index files themselves can differ from one version to another. What you need to do is migrate the index contents, thus generating new indices with the same information. This can be done in a number of ways.

Probably, the simplest option in your case will be to generate the new indices not from your old indices, but from the alert log files. This will work if you still have all the alert logs under /var/ossec/logs/alerts for the length of time that you're interested in migrating. To do this, you'd first copy all logs under that path to the new server and then follow the procedure described here:


This involves setting up a script that will process all your alert logs and produce new indices with them. The process may take some time, so you'll be using nohup to allow your user to log out while the process keeps running. This script allows you to specify the start and finish dates, so you can do it in parts if you prefer. With this method, though, the new index files will have current dates. This will not affect the alert time stamps, but you may want to take it into account if you are using an index retention policy.

If you want to migrate the information directly from your indices, be it because you don't have the old alert logs or for any other reason, you can follow this guide:


With this, you'd be creating a snapshot from your old indices to a shared file system. Then, you'd be restoring this snapshot into your new indices. This has the advantage that your index files will retain their original time stamp. The choice of using a shared file system does not represent the only option in this case, as you could be using a cloud snapshot in an S3 bucket just as well. In any case, this process can take some time as well, so make sure you can allow your server that time to process the indices.

Hope this is of good use to you. Regards,

Lucas
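As an added illustration of the first option above (rebuilding indices from the alert logs with a start and finish date), and not a script from the Wazuh project or from the reply's author, the following Python example reads alerts.json-style lines, keeps only alerts whose timestamp falls inside the requested date range, and emits an OpenSearch `_bulk` request body that places each alert in a daily `wazuh-alerts-4.x-YYYY.MM.DD` index. The sample alert lines are constructed for this example; the index prefix, the handling of the alert `id` as the document id, and the choice to derive the index day from the alert timestamp rather than from the current date are assumptions made here, not something the thread states.

```python
"""Rebuild Wazuh alert indices from alerts.json lines (added example, not Wazuh's own tooling).

Reads lines in the shape of /var/ossec/logs/alerts/alerts.json (one JSON
object per line), keeps alerts with a timestamp in [start_day, end_day),
and builds an OpenSearch/Elasticsearch _bulk body targeting one daily index
per alert. Sending the body to the indexer is left to the caller (curl,
urllib, or the indexer's client library).
"""
import json
import sys
from datetime import datetime, timezone
from typing import Dict, Iterable, Tuple

# Assumption: the dashboard's default index pattern is wazuh-alerts-*, so
# rebuilt indices must carry that prefix to show up in the security events views.
INDEX_PREFIX = "wazuh-alerts-4.x-"

# Constructed sample input; field names follow the Wazuh alert layout, values are invented.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2023-11-30T23:59:58.000+0000","rule":{"level":5,"description":"SSHD authentication failed.","id":"5716"},"agent":{"id":"001","name":"web-01"},"id":"1701388798.1"}
{"timestamp":"2023-12-15T10:12:01.000+0000","rule":{"level":10,"description":"Multiple SSHD authentication failures.","id":"5712"},"agent":{"id":"001","name":"web-01"},"id":"1702635121.2"}
{"timestamp":"2024-01-02T08:00:00.000+0000","rule":{"level":3,"description":"Login session opened.","id":"5501"},"agent":{"id":"002","name":"db-01"},"id":"1704182400.3"}
this line is not JSON and must be skipped, not crash the run
"""


def parse_alert_timestamp(ts: str) -> datetime:
    """Wazuh writes timestamps like 2023-12-15T10:12:01.000+0000 (offset without a colon)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_day(day: str) -> datetime:
    """Date-range boundaries are given as YYYY-MM-DD and treated as UTC midnight."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def index_name_for(ts: datetime) -> str:
    """Daily index named after the alert's own (UTC) day, e.g. wazuh-alerts-4.x-2023.12.15."""
    return INDEX_PREFIX + ts.astimezone(timezone.utc).strftime("%Y.%m.%d")


def build_bulk_body(lines: Iterable[str], start_day: str, end_day: str) -> Tuple[str, Dict[str, int]]:
    """Return (_bulk NDJSON body, counters). Unparsable lines are counted and skipped."""
    start, end = parse_day(start_day), parse_day(end_day)
    stats = {"indexed": 0, "skipped_out_of_range": 0, "skipped_unparsable": 0}
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
            ts = parse_alert_timestamp(alert["timestamp"])
        except (ValueError, KeyError, TypeError):
            # Truncated or foreign lines happen in rotated logs; skip them instead of aborting.
            stats["skipped_unparsable"] += 1
            continue
        if not (start <= ts < end):
            stats["skipped_out_of_range"] += 1
            continue
        action = {"index": {"_index": index_name_for(ts)}}
        if "id" in alert:
            # Reusing the alert id as document id makes a re-run overwrite instead of duplicate.
            action["index"]["_id"] = alert["id"]
        out.append(json.dumps(action))
        out.append(json.dumps(alert, separators=(",", ":")))
        stats["indexed"] += 1
    # The _bulk API requires a trailing newline after the last document.
    body = "\n".join(out) + ("\n" if out else "")
    return body, stats


if __name__ == "__main__":
    # Usage: python rebuild_alerts.py /path/to/alerts.json 2023-12-01 2024-01-01 > bulk.ndjson
    path, start_day, end_day = sys.argv[1:4]
    with open(path, encoding="utf-8", errors="replace") as fh:
        body, stats = build_bulk_body(fh, start_day, end_day)
    sys.stdout.write(body)
    sys.stderr.write(f"{stats}\n")
```

The resulting file can be posted to the indexer's `_bulk` endpoint in chunks; splitting the work into date ranges, as the reply suggests, keeps each run small enough to restart if the indexer rejects a batch.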

Narasimha Daarapureddy

Jan 11, 2024, 7:59:38 AM
to Wazuh | Mailing List
Hi Lucas,

I've created a backup and pushed it to the new server,
but I can see those alerts in the Open Distro Discover view, not under the agent security events.
What should I do to push them into the agent security events?
Waiting for your reply, thanks.

Muhammad Mustafa Kamal Malik

Jul 1, 2024, 9:26:08 AM
to Wazuh | Mailing List
Hi Lucas,

I tried the 2nd option (migrating using snapshots). Unfortunately, I am unable to see the previous alerts in my dashboard. I checked the /var/ossec/logs/alerts/ folder, and the .log files on the previous server and the new server (on which the snapshot was imported) are totally different. I just want to migrate my alerts from my previous server to the new one and I can't. Kindly help me with this.
