Urgent Assistance Needed: Migration of Wazuh + Elastic Stack Configuration, Data, and Retrieval of Old Alert Logs

[Vyom Thaker]

Dear Team,

I hope this email finds you well. I am writing to seek your guidance and assistance in migrating my Wazuh + Elastic Stack configuration, including all associated data such as dashboards, saved queries, and alert logs, to a new server. My current setup consists of Elasticsearch, Kibana, Filebeat, and Wazuh Manager. However, due to a change in my operating system, I need to transfer the entire configuration to a different server.

To ensure a smooth migration, I kindly request your guidance on the best approach to transfer the Kibana data, including dashboards and saved queries, from my old server to the new one. Additionally, I am facing a challenge in retrieving the old alert logs which are located in ""/var/ossec/logs/alerts/2023/"" from my previous server. These logs are crucial for historical analysis and maintaining a comprehensive security record and also I need the old indexes present at the old server. Therefore, I would greatly appreciate your guidance on the most efficient and effective method to obtain and import these alert logs into my new environment.

Any instructions, recommendations, or best practices you can provide regarding the migration process, including data transfer and retrieving old alert logs, would be immensely helpful. I understand that the process may involve exporting and importing data, as well as transferring relevant files. Preserving the integrity and continuity of my data and configurations is of utmost importance to me.

Thank you very much for your time and support. I eagerly await your response and guidance on this matter.

[Ian Yenien Serrano]

Hello Vyom Thaker, thank you for using Wazuh,
I understand that you want to change the server where Wazuh is located and keep all the settings, right?

Do you want to continue using Kibana or do you want to migrate to Wazuh Dashboards?

[Vyom Thaker]

Gentle Reminder !!!!

[Ian Yenien Serrano]

Hello, 3 days ago I asked you a question to see if I understood you correctly and to get some more information to help you.

[Vyom Thaker]

Hello Ian,

Yes I want to continue the use of kibana in my infra. All my component will be the same I just want to change the OS for compliance reason.

So guide me with the process.

[Ian Yenien Serrano]

I understand, can you tell me which OS you want to migrate to and from which OS?

[Vyom Thaker]

I want to migrate from the Centos 7 to Oracle 8.6 

[Ian Yenien Serrano]

I was investigating the compatibility of the stack with the operating system you mention and apparently Filebeat in the version used by Wazuh (7.10.2) is not supported in that operating system, in the elastic page they say that you can install Kibana in Oracle Enterprise, so there is no guide on how to install the stack in Oracle 8.6, and in Wazuh we don't have a guide for Oracle either. 

Support matrix Elastic

https://www.elastic.co/support/matrix

Install Kibana 

https://www.elastic.co/guide/en/kibana/7.17/rpm.html#rpm

Support Wazuh

https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html#recommended-operating-systems

On the other hand, to make the migration you would have to backup everything you want in the new distribution and restore the data.

Backup Wazuh

https://documentation.wazuh.com/current/user-manual/files-backup/wazuh-central-components.html

[Vyom Thaker]

Thanks for your guidance,

I reviewed your reference links and i think I can go for Oracle Linux 7.9 for the compatibility, but the thing is after taking backup and installing on new server how to retrive old logs and kibana data? Can you guide me with that.

[Ian Yenien Serrano]

For that you can look in the Elastic documentation, this link may help you.

https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshot-restore.html

[Vyom Thaker]

Thanks 

We will check it out