Migrate wazuh-manager to different server


josip....@gmail.com

May 6, 2019, 10:33:52 AM
to Wazuh mailing list
Hello!

I'm in the process of migrating wazuh-manager to a different server. The one it's currently on is not adequate anymore.
What steps would you recommend to safely migrate the current configuration and all connected agents?

I'm running v3.8.2, all agents are connected to the manager via its IP and are managed by Puppet.
So, I can change the IPs quite fast, and I can afford some downtime.

Would stopping the service and copying the whole /var/ossec folder be enough?

Thank you for your time,
and for your wonderful product. 

David José Iglesias Lopez

May 7, 2019, 5:00:52 AM
to Wazuh mailing list
Hello Josip,

It is recommended to back up /var/ossec, but if you move the directory and install from sources, the startup services will not work. To migrate Wazuh Manager to a new server, follow these steps:

1. Back up your files. To avoid losing any configuration or agent keys, stop the manager service and then make a copy of /var/ossec (the default installation directory).

2. Install Wazuh Manager on the new server. Do not select to run Manager after installation.

3. Restore the configuration. Before you attempt restoration, make sure the Manager is stopped on the new server.

    cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/
    cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/
    cp -p /var/ossec_backup/queue/rids/sender_counter /var/ossec/queue/rids/sender_counter
   
    If you have made local changes to any of the following then also restore:

    cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
    cp -p /var/ossec_backup/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml
    cp -p /var/ossec_backup/etc/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml

    If you have the centralized configuration you must restore:
   
    cp -p /var/ossec_backup/etc/shared/agent.conf /var/ossec/etc/shared/default/agent.conf

    Optionally the following files can be restored to preserve alert log files and syscheck/rootcheck databases:

    cp -rp /var/ossec_backup/logs/archives/* /var/ossec/logs/archives
    cp -rp /var/ossec_backup/logs/alerts/* /var/ossec/logs/alerts
    cp -rp /var/ossec_backup/queue/rootcheck/* /var/ossec/queue/rootcheck
    cp -rp /var/ossec_backup/queue/syscheck/* /var/ossec/queue/syscheck

4. Start the Wazuh Manager service.

5. Change the agents' IP address to point to the new Wazuh manager IP and restart the agents.

I hope this helps.

Best regards,

David J. Iglesias

josip....@gmail.com

May 7, 2019, 9:59:28 AM
to Wazuh mailing list
Excellent! You are the best.

I'll make the necessary changes and let you know how it went. 

Josip Domšić

Jun 12, 2019, 11:00:24 AM
to Wazuh mailing list
Hi,

Sorry to keep you in the dark, but the migration went well.
The only difficulties were file permissions, since the owners/groups (ossec, ossecm, ossecr, ...) were not present on the destination server.
It was solved manually, and painfully, but solved.

Only recommendation: create the ossec* users and groups beforehand, and preserve permissions with rsync.


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/YWpR-vNHl0E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a76e25f3-5628-47b0-9782-7c206956cd3b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
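
The restore steps and the permissions problem reported above can be checked mechanically. The following is an added example, not part of the thread and not Wazuh tooling: it records owner, group and mode for every entry under the old /var/ossec, lists accounts the new server lacks, and reports drift after the restore. It assumes GNU find/stat and getent; the function names and the manifest file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): ownership/mode manifest for a Wazuh
# manager migration. Assumes GNU find and stat, and paths without '|' or newlines.

# capture_manifest ROOT: print "./relative-path|owner|group|octal-mode" per entry.
capture_manifest() {
    ( cd "$1" && find . -mindepth 1 -exec stat -c '%n|%U|%G|%a' {} + | sort )
}

# missing_accounts MANIFEST: print users and groups named in the manifest that
# do not exist on this host, so they can be created before restoring.
missing_accounts() {
    local name
    cut -d'|' -f2 "$1" | sort -u | while read -r name; do
        getent passwd "$name" >/dev/null || echo "user:$name"
    done
    cut -d'|' -f3 "$1" | sort -u | while read -r name; do
        getent group "$name" >/dev/null || echo "group:$name"
    done
}

# verify_manifest MANIFEST ROOT: print one line per entry that is missing or whose
# owner, group or mode differs from the manifest; return 1 if anything differs.
verify_manifest() {
    local path owner group mode actual drift=0
    while IFS='|' read -r path owner group mode; do
        if [ ! -e "$2/$path" ]; then
            echo "MISSING $path"; drift=1; continue
        fi
        actual=$(stat -c '%U|%G|%a' "$2/$path")
        if [ "$actual" != "$owner|$group|$mode" ]; then
            echo "DRIFT $path expected=$owner|$group|$mode actual=$actual"; drift=1
        fi
    done < "$1"
    return "$drift"
}

# Old server (manager stopped):  capture_manifest /var/ossec > ossec.manifest
# New server, before restoring:  missing_accounts ossec.manifest
# New server, after restoring:   verify_manifest ossec.manifest /var/ossec
```

Entries that were never restored (for example the optional log and database directories) show up as MISSING, so filter the manifest to the files actually copied before treating the output as a failure.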

David José Iglesias Lopez

Jun 14, 2019, 5:33:00 AM
to Wazuh mailing list
Hello Josip,

I am really glad you were able to complete the migration. Sorry about the permissions, you are totally right. I will hold on to your recommendation and use it appropriately.

Thank you so much for your contribution. Do not hesitate to contact us if you need anything else.


Best regards,

David J. Iglesias
