Wazuh CCR FailBack


Emar Flix

Feb 24, 2026, 6:12:03 AM
to Wazuh | Mailing List
Hello everybody,

I configured Cross-Cluster Replication (active-passive) between my PR and DR clusters. Now everything is perfect: I can replicate PR logs to the DR indexers, and when my PR crashes I can make the DR indexers writable (failover).
But, you know, I got logs on DR for a few days, and after my PR came back these logs are stored only on the DR indexers. It means my failback scenario is not good. Now I am thinking about how to get those few days of logs from DR to PR.

What is the best practice for this?

Thank you very much.

Pedro Maximiliano Tolosa

Feb 24, 2026, 10:38:32 AM
to Wazuh | Mailing List

Hi Emar,

This is expected behavior. CCR is unidirectional, so when you made DR writable during the failover those indices became independent — they stopped being follower indices. When PR came back, CCR resumed replicating PR → DR normally but had no way to know about the gap.

To recover those logs you need to reindex from DR back into PR manually. First add DR to the remote whitelist in PR's opensearch.yml:

reindex.remote.whitelist: "<DR_HOST>:9200"

Then trigger the reindex from PR scoped to the gap period:

POST https://<PR_INDEXER>:9200/_reindex?wait_for_completion=false
{
  "source": {
    "remote": {
      "host": "https://<DR_INDEXER>:9200",
      "username": "elastic",
      "password": "<DR_PASSWORD>"
    },
    "index": "wazuh-alerts-4.x-*",
    "query": {
      "range": {
        "@timestamp": {
          "gte": "<FAILOVER_START>",
          "lte": "<FAILOVER_END>"
        }
      }
    }
  },
  "dest": {
    "index": "wazuh-alerts-4.x-<date>"
  }
}

You can track progress with:

GET https://<PR_INDEXER>:9200/_tasks?actions=*reindex&detailed

If the gap is large, snapshot/restore from DR will be faster than live reindex.

Let me know if that works for you

Regards

Pedro Tolosa - Cloud ops
Wazuh
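
An added example, not part of the thread and not Wazuh's own tooling: the reindex step from the reply above, generalized to one request per daily index so that each day of the gap lands in the PR index of the same name, with `op_type: create` so documents PR already holds are not overwritten on a re-run. The daily `wazuh-alerts-4.x-YYYY.MM.DD` naming in UTC, the host name, the user placeholder and the timestamps are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumptions (not from the thread): daily indices named
# wazuh-alerts-4.x-YYYY.MM.DD in UTC; host and timestamps are constructed.
INDEX_PREFIX = "wazuh-alerts-4.x-"


def daily_indices(start, end):
    """Daily index names covering the failover window, inclusive."""
    day, names = start.date(), []
    while day <= end.date():
        names.append(INDEX_PREFIX + day.strftime("%Y.%m.%d"))
        day += timedelta(days=1)
    return names


def reindex_body(index, start, end, dr_host, user, password):
    """Body for POST /_reindex on PR, pulling one DR index for the gap only."""
    return {
        "conflicts": "proceed",  # count already-present docs, keep going
        "source": {
            "remote": {"host": dr_host, "username": user, "password": password},
            "index": index,
            "query": {"range": {"@timestamp": {
                "gte": start.isoformat(), "lte": end.isoformat()}}},
        },
        # op_type=create never overwrites a document PR already holds,
        # so repeating the request after a partial failure is safe.
        "dest": {"index": index, "op_type": "create"},
    }


def plan(start, end, dr_host, user, password):
    """One (index, body) pair per day in the window."""
    return [(i, reindex_body(i, start, end, dr_host, user, password))
            for i in daily_indices(start, end)]


if __name__ == "__main__":
    # Constructed sample window; substitute the real failover times.
    t0 = datetime(2026, 2, 20, 22, 15, tzinfo=timezone.utc)
    t1 = datetime(2026, 2, 23, 4, 40, tzinfo=timezone.utc)
    for name, body in plan(t0, t1, "https://dr-indexer.example:9200",
                           "<DR_USER>", "<DR_PASSWORD>"):
        print("POST /_reindex?wait_for_completion=false")
        print(json.dumps(body, indent=2))
```

Each printed body is sent to the PR indexer as its own `_reindex` request; the `created` and `version_conflicts` counters in the task result show how many documents were actually missing on PR.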

Emar Flix

6:29 AM
to Wazuh | Mailing List
Thank you for your answer, Pedro.
I have 3 indexer nodes in PR and 3 in DR. Must I add all of DR's indexers to the reindex.remote.whitelist of all of PR's indexers?

Pedro Maximiliano Tolosa wrote on Tuesday, 24 February 2026, 19:38:32 UTC+4:

Pedro Maximiliano Tolosa

10:16 AM
to Wazuh | Mailing List

Hi Emar,

No, you only need to add it on the PR node where you will send the reindex request, not on all of them. The whitelist is checked by the node receiving the API call, so one node is enough. If you're not sure which one, just pick the coordinating node or whichever you normally use for API calls.

Best regards
