Complete Wazuh Backup and Restoration


Rabail Naseer

May 21, 2021, 8:35:38 AM
to Wazuh mailing list
Hi Team,

I have deployed Wazuh at my organization and added 8 Windows agents and 4 Linux agents. Now I want to take a backup of the entire Wazuh installation and restore it on a separate machine, so I can restore all previous logs on my new Wazuh machine. Please help me perform this task.


Thank you.

Mariano Koremblum

May 21, 2021, 9:34:11 AM
to Wazuh mailing list
Hi!

Let me get this clear: are you trying to back up and restore the manager or an agent?

- Mariano

Rabail Naseer

May 24, 2021, 12:24:33 AM
to Wazuh mailing list
I want to restore agents.

Rabail Naseer

May 24, 2021, 12:59:20 AM
to Wazuh mailing list
I have one machine whose IP is x.x.x.x, and I want to restore all the agents' logs on a separate machine whose IP is y.y.y.y.

Mariano Koremblum

May 24, 2021, 9:32:59 AM
to Wazuh mailing list
Hi Rabail,

I still do not get it. I will list some of the cases I think you may want to do; please tell me which one is closest to the one you want to implement.

1) There are two or more agents on different devices and you want to save all their logs on a different one.
2) You have an agent on a certain device and you now want to have this very same agent on another device, with its logs.
3) You have a manager on a certain device and you now want to have this very same manager on another device, with all the logs.

Please, if you can illustrate what you want to do, we will be able to help you faster and better.

Regards,

Mariano

Rabail Naseer

May 25, 2021, 12:55:51 AM
to Wazuh mailing list
2) You have an agent on a certain device and you now want to have this very same agent on another device, with its logs.
3) You have a manager on a certain device and you now want to have this very same manager on another device, with all the logs.


Mariano Koremblum

May 25, 2021, 1:22:10 PM
to Wazuh mailing list

Ok, so when we want to make a backup of Wazuh there are some important things to save:

  • Keys and Certificates
  • Custom Configurations
  • Custom Rules and Decoders
  • Logs
  • Databases

So, first of all: do not start the manager or agents before the migration is completed. Also, take into account that if the manager's IP changes, you will need to change the agents' configuration too.

You will need to install the manager/agents on the new devices, but do not start them. Then copy the following paths/files from the old installation folders to the new ones:

  • /var/ossec/etc/client.keys
  • /var/ossec/etc/sslmanager*
  • /var/ossec/etc/*.pem
  • /var/ossec/etc/ossec.conf
  • /var/ossec/etc/local_internal_options.conf
  • /var/ossec/etc/rules/local_rules.xml
  • /var/ossec/etc/decoders/local_decoder.xml
  • /var/ossec/etc/shared/*
  • /var/ossec/queue/rids/sender_counter
  • /var/ossec/logs/*
  • /var/ossec/api/configuration/*
  • /var/ossec/stats/*
  • /var/ossec/backup/*
  • /var/ossec/var/db/*
  • /var/ossec/queue/*

Take into account that some of these files/paths may not be present depending on whether it is an agent or the manager, and that the paths are not the same on Linux distributions as on Windows, so pay special attention to the particularities of every case.

After migrating all the files, stop the old manager/agents and start the new ones; before doing so, remember to set the new manager's IP in the agents' ossec.conf file.

I would also recommend reading the following Wazuh documentation/blog notes that may help you with this process:

I hope this helps you.

Best regards,

Mariano Koremblum
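
The backup, restore and agent re-pointing steps from the post above as one POSIX shell script. This is an added example, not Mariano's or the Wazuh project's code; it assumes the default /var/ossec layout, that the archive path passed to wazuh_backup is absolute, and that the functions run as root on a real host.

```shell
#!/bin/sh
# Added example, not part of the thread: bundle the paths listed above into one
# tar archive, unpack it on the new host, and point an agent's ossec.conf at the
# new manager. Each function takes the install root as an argument so the
# whole flow can be tried against a copy before touching /var/ossec.

# Install-relative paths from the list above (globs are expanded below).
WAZUH_BACKUP_PATHS="etc/client.keys etc/sslmanager* etc/*.pem etc/ossec.conf \
etc/local_internal_options.conf etc/rules/local_rules.xml \
etc/decoders/local_decoder.xml etc/shared queue/rids/sender_counter \
logs api/configuration stats backup var/db queue"

# wazuh_backup <install_root> <absolute path of archive.tar>
# Paths that do not exist (normal on an agent) are skipped; fails if none exist.
wazuh_backup() {
    root="$1"; out="$2"; present=""
    for p in $WAZUH_BACKUP_PATHS; do
        for m in "$root"/$p; do
            rel=${m#"$root"/}
            [ -e "$m" ] && present="$present $rel"
        done
    done
    [ -n "$present" ] || { echo "nothing to back up under $root" >&2; return 1; }
    # tar records owner and mode bits; run as root so client.keys keeps its
    # restrictive ownership and the new manager can read what it copies.
    (cd "$root" && tar -cf "$out" $present)
}

# wazuh_backup_has <archive.tar> <install-relative path>: 0 if archived.
wazuh_backup_has() {
    tar -tf "$1" | grep -qx "$2"
}

# wazuh_restore <archive.tar> <install_root>: unpack over a fresh, stopped
# install. -p restores mode bits; ownership is restored when run as root.
wazuh_restore() {
    tar -xpf "$1" -C "$2"
}

# wazuh_set_manager <ossec.conf> <old_ip> <new_ip>
# Rewrites <address>old_ip</address> in the agent's <client><server> block.
wazuh_set_manager() {
    conf="$1"; old="$2"; new="$3"
    grep -q "<address>$old</address>" "$conf" || return 1
    sed -i.bak "s|<address>$old</address>|<address>$new</address>|" "$conf"
}

# Old manager (as root):  wazuh_backup /var/ossec /root/wazuh-backup.tar
# New manager, stopped:   wazuh_restore /root/wazuh-backup.tar /var/ossec
# Each agent, stopped:    wazuh_set_manager /var/ossec/etc/ossec.conf 192.168.13.123 192.168.13.127
```

Run wazuh_backup_has on the archive before moving it, so a missing client.keys is caught on the old host rather than after the new manager is started.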

Rabail Naseer

May 26, 2021, 1:23:45 AM
to Wazuh mailing list
Thank you for your response. I will follow these steps.

Mariano Koremblum

May 26, 2021, 9:08:27 AM
to Wazuh mailing list
You are welcome Rabail, I hope you can successfully complete the task :)

Best Regards,

Mariano Koremblum

Rabail Naseer

May 28, 2021, 2:41:06 AM
to Wazuh mailing list
Hi Mariano,

I have successfully migrated the Wazuh server from one machine (whose IP is 192.168.13.123) to another machine (whose IP is 192.168.13.127) and changed the IP in the ossec-agent config (to 192.168.13.127) to connect the agent to the Wazuh server. It is successfully connected, but I cannot see the historical logs on the new dashboard. I am also attaching some snapshots for your understanding.

Mariano Koremblum

May 28, 2021, 1:10:45 PM
to Wazuh mailing list
Hi Rabail,

On Elasticsearch's website, there is a guide that explains how to migrate the data:


I hope this helps you!

Have a nice weekend,

Mariano Koremblum

Rabail Naseer

May 31, 2021, 2:29:29 AM
to Wazuh mailing list
Hi,

I am not getting the procedure to migrate from the link that you provided: https://www.elastic.co/guide/en/cloud/current/ec-migrate-data.html

Please guide me on how to do this. I am using the Wazuh OVA 4.1.

Rabail Naseer

May 31, 2021, 3:07:25 AM
to Wazuh mailing list
Please share the steps with screenshots so that I can see the historical logs in the Wazuh dashboard.

Rabail Naseer

May 31, 2021, 8:51:44 AM
to Wazuh mailing list
Hi Mariano,

I am trying to restore it from a snapshot. I took a snapshot successfully, but when I restore it, it shows a security exception error.

Below is the screenshot for your better understanding.

Rabail Naseer

Jun 1, 2021, 5:51:04 AM
to Wazuh mailing list
Hi Team,

Please reply to my issue.

Mariano Koremblum

Jun 1, 2021, 3:08:45 PM
to Wazuh mailing list

Hi Rabail,

As you can see, this is related to Elasticsearch. I've found some people who have had the same problem as you, at the following link:

You can have some more info related to the “include_global_state” parameter in the following link:

And about the “enable_snapshot_restore_privilege” (if you are using Search Guard) in here:

And here you can find more documentation related to snapshots and “restore”:

Are you using Search Guard? Because I have found many issues related to this.

Best Regards,

Mariano Koremblum

Abu Sayed

Oct 1, 2022, 3:00:35 AM
to Wazuh mailing list
  • /var/ossec/etc/client.keys
  • /var/ossec/etc/sslmanager*
  • /var/ossec/etc/*.pem
  • /var/ossec/etc/ossec.conf
  • /var/ossec/etc/local_internal_options.conf
  • /var/ossec/etc/rules/local_rules.xml
  • /var/ossec/etc/decoders/local_decoder.xml
  • /var/ossec/etc/shared/*
  • /var/ossec/queue/rids/sender_counter
  • /var/ossec/logs/*
  • /var/ossec/api/configuration/*
  • /var/ossec/stats/*
  • /var/ossec/backup/*
  • /var/ossec/var/db/*
  • /var/ossec/queue/*
I copied all those files from my old server to the new server, but the new agent does not start and shows some errors. Please see my attachment and advise me.

Error log:


Oct 01 12:34:29 wazuh-siem-new env[990538]: 2022/10/01 06:34:29 wazuh-analysisd: WARNING: (1103): Could not open file 'etc/lists/audit-keys' due to [(13)-(Permission denied)].
Oct 01 12:34:29 wazuh-siem-new env[990538]: 2022/10/01 06:34:29 wazuh-analysisd: WARNING: (1103): Could not open file 'etc/lists/amazon/aws-eventnames' due to [(13)-(Permission denied)].
Oct 01 12:34:29 wazuh-siem-new env[990538]: 2022/10/01 06:34:29 wazuh-analysisd: WARNING: (1103): Could not open file 'etc/lists/security-eventchannel' due to [(13)-(Permission denied)].
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/amazon/aws-eventnames' could not be loaded. Rule '80202' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80203' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80203' was not found. Invalid 'if_sid'. Rule '80250' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80251' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80251' was not found. Invalid 'if_matched_sid'. Rule '80252' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80202' was not found. Invalid 'if_sid'. Rule '80253' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80253' was not found. Invalid 'if_sid'. Rule '80254' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80254' was not found. Invalid 'if_matched_sid'. Rule '80255' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/audit-keys' could not be loaded. Rule '80780' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80780' was not found. Invalid 'if_sid'. Rule '80781' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80780' was not found. Invalid 'if_sid'. Rule '80782' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/audit-keys' could not be loaded. Rule '80783' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80783' was not found. Invalid 'if_sid'. Rule '80784' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80783' was not found. Invalid 'if_sid'. Rule '80785' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/audit-keys' could not be loaded. Rule '80786' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80786' was not found. Invalid 'if_sid'. Rule '80787' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7606): Signature ID '80786' was not found. Invalid 'if_sid'. Rule '80788' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/audit-keys' could not be loaded. Rule '80789' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7610): Group 'audit_watch_write' was not found. Invalid 'if_group'. Rule '80790' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7610): Group 'audit_watch_write' was not found. Invalid 'if_group'. Rule '80791' will be ignored.
Oct 01 12:34:30 wazuh-siem-new env[990538]: 2022/10/01 06:34:30 wazuh-analysisd: WARNING: (7616): List 'etc/lists/audit-keys' could not be loaded. Rule '80792' will be ignored.
Oct 01 12:34:31 wazuh-siem-new env[990540]: 2022/10/01 12:34:31 wazuh-remoted: CRITICAL: (2301): Definition not found for: 'remoted.send_chunk'.
Oct 01 12:34:31 wazuh-siem-new env[990513]: wazuh-remoted: Configuration error. Exiting
Oct 01 12:34:31 wazuh-siem-new systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE