Maintaining backup of logs and restore into new wazuh cluster


Tejo Sai

Mar 11, 2025, 4:27:50 AM
to Wazuh | Mailing List
1. I am unable to create an index pattern "wazuh-archives-*".

2. This is a query: If I have a Wazuh setup and I copy all those logs into some disk or S3 to maintain a backup, can these backup logs be seen on the Wazuh dashboard of another setup? If yes, how?

Stuti Gupta

Mar 11, 2025, 5:15:20 AM
to Wazuh | Mailing List
Hi Tejo

To create a wazuh-archives-* index pattern, please refer to https://documentation.wazuh.com/current/user-manual/manager/event-logging.html

Edit the Wazuh manager configuration file /var/ossec/etc/ossec.conf and enable logall and logall_json like:
<ossec_config>
  ...
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  ...
</ossec_config>


Restart the Wazuh manager to apply the configuration changes: systemctl restart wazuh-manager

Edit the Filebeat configuration file /etc/filebeat/filebeat.yml and change the value of archives: enabled from false to true:
archives:
 enabled: true


Restart Filebeat to apply the configuration changes: systemctl restart filebeat

Click the upper-left menu icon to open the main menu. Expand Dashboard management and navigate to Dashboards management > Index patterns. Next, click Create index pattern. Use wazuh-archives-* as the index pattern name, and set timestamp in the Time field drop-down list.

[Attachment: Screenshot_11.png]

For your second query, you need to first restore the backup on the other Wazuh dashboard; for that you need to refer to https://documentation.wazuh.com/current/migration-guide/restoring/wazuh-central-components.html#restoring-old-logs. However, the problem is that if you have a one-manager-node setup (no cluster), you will not be able to see the old events in Threat Hunting, but you will be able to see them in Discover. No issue will happen if you have a cluster name, as the cluster name will be the same.

Let me know if you need any further assistance!
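Before creating the wazuh-archives-* index pattern it helps to confirm that both settings from the steps above are actually in place, since Filebeat only ships archive events to that index once both are on. The script below is an added example, not Wazuh's own tooling; it runs against two constructed sample files (the real paths are /var/ossec/etc/ossec.conf and /etc/filebeat/filebeat.yml) and reports which of the two settings is still missing.

```bash
#!/usr/bin/env bash
# Added example (not Wazuh's own tooling): check the two settings the reply
# above enables before trying to create the wazuh-archives-* index pattern.
set -u

# Succeeds when both <logall> and <logall_json> are set to yes in ossec.conf.
ossec_archives_enabled() {
  grep -Eq '<logall>[[:space:]]*yes[[:space:]]*</logall>' "$1" &&
    grep -Eq '<logall_json>[[:space:]]*yes[[:space:]]*</logall_json>' "$1"
}

# Succeeds when the line right after "archives:" in filebeat.yml reads
# "enabled: true". Only that line is inspected, so the "alerts:" block's own
# enabled value cannot be mistaken for the archives one.
filebeat_archives_enabled() {
  awk '
    seen_hdr { if ($0 ~ /^[[:space:]]*enabled:[[:space:]]*true[[:space:]]*$/) ok = 1; exit }
    /^[[:space:]]*archives:[[:space:]]*$/ { seen_hdr = 1 }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

# Prints one line per file and returns 1 if anything still needs changing.
check_archive_pipeline() {
  local status=0
  if ossec_archives_enabled "$1"; then
    echo "ossec.conf: logall and logall_json are enabled"
  else
    echo "ossec.conf: set <logall>yes</logall> and <logall_json>yes</logall_json>"
    status=1
  fi
  if filebeat_archives_enabled "$2"; then
    echo "filebeat.yml: archives are enabled"
  else
    echo "filebeat.yml: set archives -> enabled: true"
    status=1
  fi
  return "$status"
}

# Constructed sample files: manager side already correct, Filebeat not yet.
WORK="$(mktemp -d)"
printf '%s\n' '<ossec_config>' '  <global>' '    <logall>yes</logall>' \
  '    <logall_json>yes</logall_json>' '  </global>' '</ossec_config>' > "$WORK/ossec.conf"
printf '%s\n' 'filebeat.modules:' '  - module: wazuh' '    alerts:' '      enabled: true' \
  '    archives:' '      enabled: false' > "$WORK/filebeat.yml"

check_archive_pipeline "$WORK/ossec.conf" "$WORK/filebeat.yml" ||
  echo "fix the items above, then: systemctl restart wazuh-manager && systemctl restart filebeat"
```

Point the two functions at the real files on the manager to reproduce the check there; an index pattern can only be created once at least one wazuh-archives-* index has been written by Filebeat.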

Tejo Sai

Mar 11, 2025, 7:03:33 AM
to Wazuh | Mailing List
Hello Stuti,

As you said, I have already done the required configurations in the ossec.conf file, as shown in the screenshot below.

[Attachment: 2025-03-11_16h24_45.png]

Also the changes to filebeat.yml:
[Attachment: 2025-03-11_16h28_30.png]


After restarting the manager and Filebeat, when I am trying to create an index pattern I am getting this error:
[Attachment: Screenshot 2025-03-11 163043.png]
This is the process I have done, but still I am facing the issue creating the index pattern. Can you please help me out?

Stuti Gupta

Mar 18, 2025, 11:20:12 PM
to Wazuh | Mailing List
Apologies for the delayed response.

Please make sure to restart the wazuh-manager and filebeat services. For that, you can use the following commands:
systemctl restart wazuh-manager
systemctl restart filebeat

In case you are still facing the same issue, please share the following log files:
cat /var/ossec/logs/ossec.log
cat /var/log/filebeat/filebeat

Looking forward to your response