How to Migrate Wazuh Master from one server to another Server


Ranjith Kesavan

Jan 20, 2022, 2:50:36 PM
to Wazuh mailing list
Hello Team, 

We have a Wazuh cluster with one master and 3 worker servers and around 100 agents connected to the workers. Now we need to migrate the Wazuh master server to another host. Can you please help with the steps to be followed?

I found the discussion Migration of Wazuh to antoher server (google.com), but it's from 2019. Do we still follow the same steps? Is there any difference in the steps for new versions?

Santiago Belluzzo

Jan 21, 2022, 10:31:19 AM
to Wazuh mailing list

Hey!
We have taken a look and the previous instructions still seem valid. We have compiled a better-formatted version of the instructions below so they are a bit easier to follow.

Hope this helps,
Santi.

It could be done by moving the configuration files of the managers, but take into account that if you copy the directory to the new server and install from sources, the startup services will not work. To migrate Wazuh Manager to a new server, follow these steps:

1. To avoid losing any information or configurations create a backup of the current Wazuh manager installation. To do this you can just create a copy of your installation directory ('/var/ossec' is the default installation directory).

2. Install Wazuh Manager in the new server. <Do not run the manager after installation>.

3. Copy the old configuration files to the new manager instance. Before you attempt restoration make sure the Manager is stopped in the new server.
    For MASTER only (if you have Wazuh installed in a different folder just change '/var/ossec/' to that):
    • copy <old-config-copy>/etc/client.keys /var/ossec/etc/

    For MASTER and WORKERS:
    • copy <old-config-copy>/etc/ossec.conf /var/ossec/etc/
    • copy <old-config-copy>/queue/rids/sender_counter /var/ossec/queue/rids/sender_counter

    If you have local changes to any of the 'internal_options', 'local_rules' or 'local_decoder' you should:
    • copy <old-config-copy>/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
    • copy <old-config-copy>/etc/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml
    • copy <old-config-copy>/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml

    If you are using centralized configuration you must:
    • copy <old-config-copy>/etc/shared/agent.conf /var/ossec/etc/shared/default/agent.conf
    If you have multiple groups configured you should also:
    • copy <old-config-copy>/etc/shared/ /var/ossec/etc/shared
    • copy <old-config-copy>/queue/agent-groups/ /var/ossec/queue/agent-groups/

    Optionally the following files can be restored to preserve alert log files and syscheck/rootcheck databases:
    • copy <old-config-copy>/logs/archives/* /var/ossec/logs/archives
    • copy <old-config-copy>/logs/alerts/* /var/ossec/logs/alerts
    • copy <old-config-copy>/queue/rootcheck/* /var/ossec/queue/rootcheck
    • copy <old-config-copy>/queue/syscheck/* /var/ossec/queue/syscheck

    Optionally, if you want to keep the information about each agent's original registration time, you can:
    • copy <old-config-copy>/queue/agents-timestamp /var/ossec/queue/agents-timestamp

    As a final step, make sure that all the copied-over files have the correct ownership. You will need to set the user and group with 'chown' to be the same
    as in the current Wazuh installation (the majority of them need to be owned by the 'wazuh' user and some also need to be owned by the 'wazuh' group).
    Failing to set that will probably result in some daemons not being able to access those files.

4. Start the new Wazuh Manager

5. No changes to the agents' configuration will be necessary if either:
    • The IP of the new manager (Master or worker) you want the Agents to report to is the same as before.
    • You are using a load balancer, so the Agents do not communicate directly with the Manager.

    In case you are not using a Load Balancer and the IP of the manager (Master or worker) you want the Agent to report to has changed then you will need to update the MANAGER IP on the ossec.conf of every agent and restart them.
    You will find the MANAGER IP on the `<server>` section of `ossec.conf`:

    -------------------------
    <client>
      <server>
        <address>YOUR MANAGER IP (Master or Worker)</address>
      </server>
    </client>
    ---------------------------
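
An added example, not part of the thread and not Wazuh project code: a shell check to run after step 3 and before step 4 that compares owner, group and mode of each restored file against the backup copy, and flags a client.keys that other users can access. It assumes GNU stat and a backup taken with ownership preserved; the function names, variable names and the backup path in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify restored files before starting the manager.
# Assumes GNU stat and a backup copied with ownership preserved (e.g. cp -a as root).

# "backup-relative-path new-install-relative-path" pairs, taken from step 3 of the post.
MIGRATED_FILES='etc/client.keys etc/client.keys
etc/ossec.conf etc/ossec.conf
queue/rids/sender_counter queue/rids/sender_counter
etc/local_internal_options.conf etc/local_internal_options.conf
etc/local_decoder.xml etc/decoders/local_decoder.xml
rules/local_rules.xml etc/rules/local_rules.xml
etc/shared/agent.conf etc/shared/default/agent.conf'

meta() { stat -c '%U:%G:%a' -- "$1"; }   # owner:group:octal-mode

# check_migration BACKUP_DIR NEW_DIR
# Prints one line per problem and returns the problem count (0 = clean).
check_migration() {
    local old="$1" new="$2" src dst want have problems=0
    while read -r src dst; do
        [ -e "$old/$src" ] || continue   # file was not present on the old manager
        if [ ! -e "$new/$dst" ]; then
            echo "MISSING  $new/$dst"
            problems=$((problems + 1))
            continue
        fi
        want=$(meta "$old/$src")
        have=$(meta "$new/$dst")
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $new/$dst: $have (backup: $want)"
            problems=$((problems + 1))
        fi
        # client.keys holds the agents' keys: flag any permission bit for "other".
        case "$dst:$have" in
            etc/client.keys:*[1-7])
                echo "EXPOSED  $new/$dst: mode ${have##*:}"
                problems=$((problems + 1)) ;;
        esac
    done <<EOF
$MIGRATED_FILES
EOF
    return "$problems"
}

# Usage (hypothetical backup path): check_migration /root/ossec-backup /var/ossec
```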