Wazuh Backup

[Sushan Kunwar]

Dear Wazuh Teams,

I have few questions regarding wazuh logs and alerts backup. Since I am monitoring my few servers in production with wazuh-agent and wazuh-manager. Using wazuh has centralized the logs from different server into one server(wazuh-manager). Now,  I have to keep the backup of centralized logs. 

So, my question what is the best way to backup wazuh logs and alerts? How you guys are backing up these alerts and logs? Do I need to take backup of elastic server as well?

Please provide me some ideas.

Thank you

[Alexander Bohorquez]

Hello Sushan,

Thank you for using Wazuh!

Happy to help you here, 

The Wazuh Manager stores alerts from previous days in a compressed manner, those alerts are located at: /var/ossec/logs/alerts/year/month/ossec-alerts-day.json.gz

If you want to make a backup of these alerts, it would be enough to copy them or move them to an external storage.

Something to highlight is that if the alerts were already indexed to Elasticsearch, these that remain in the manager would already be a backup. Because if there is a problem in Elasticsearch we could re-index these alerts again with the help of a recovery script. I leave you a blog that explains all this procedure and obtains information of your interest:

https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

On the other hand, Elasticsearch also allows us to take backups.

A snapshot is a backup taken from a running Elasticsearch cluster. You can take snapshots of an entire cluster, including all or any of its indices.

Here there is also a blog that explains how to achieve this.

https://wazuh.com/blog/index-backup-management/

I hope this information helps, please let me know if you have any other questions. 

Regards.

Alexander Bohorquez