Recreate index?


moosemaimer

Aug 30, 2021, 1:17:26 PM
to Wazuh mailing list
Hello,
My server stopped registering any new events a few days ago... I eventually determined it had run out of shards and have since resolved that issue, but there is a ~16-hour gap in the alerts and graphs. As far as I can tell it was still receiving and processing the log files, but not adding them to the Elasticsearch indices. Is there a way to rebuild them from the logfiles, presumably after deleting the existing days' indices?
Thanks.

Alexander Bohorquez

Aug 30, 2021, 3:55:19 PM
to Wazuh mailing list
Hello Moosemaimer,

Thanks for using Wazuh!

Since your alerts were accidentally not indexed there is a guide that covers how to recover Wazuh alerts in Elasticsearch:


Basically, it is a script that allows you to re-index the alerts from your Wazuh manager to Elasticsearch. The script will look for the alerts in the path /var/ossec/logs/alerts/ based on the time range that you define in the execution of the script.

If you have the alerts available in this path, it is only necessary to follow the steps in the mentioned blog.

You'll need to load the script in your Wazuh manager, assign it execution permissions, and also ownership "root:ossec". Once you have the script you must modify the filebeat configuration at: /usr/share/filebeat/module/wazuh/alerts/manifest.yml to something like the following based on the guide steps:

module_version: 0.1 

var: 
      - name: paths 
        default: 
             - /var/ossec/logs/alerts/alerts.json 
             - /tmp/recovery.json 
       - name: index_prefix 
         default: wazuh-alerts-4.x-

input: config / alerts.yml 
ingest_pipeline: ingest / pipeline.json

Then run the script following the instructions in the blog. The alerts will be written to the recovery.json file; Filebeat will read it and send these alerts to Elasticsearch based on the defined time range.

I hope this information helps. Please let me know if you have any other questions!

Alexander Bohorquez

Aug 30, 2021, 4:00:31 PM
to Wazuh mailing list
Hello Moosemaimer,

Just to make some corrections to the content of the /usr/share/filebeat/module/wazuh/alerts/manifest.yml file:

module_version: 0.1

var:
    - name: paths
      default:
          - /var/ossec/logs/alerts/alerts.json
          - /tmp/recovery.json
    - name: index_prefix
      default: wazuh-alerts-4.x-

input: config/alerts.yml
ingest_pipeline: ingest/pipeline.json


All you have to do is add the path /tmp/recovery.json to the file and then restart the Filebeat service to load the changes.

Regards,
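The two replies above describe the recovery flow (select archived alerts by time range, write them to /tmp/recovery.json, let Filebeat ship them). The script below is an added example that sketches that selection step; it is not the script from the Wazuh blog post and makes these assumptions: the manager keeps its live alerts in /var/ossec/logs/alerts/alerts.json and rotated days under dated subdirectories as plain or gzipped *.json files, each alert is one JSON object per line with a "timestamp" field like 2021-08-30T13:17:26.123+0000, and alerts carry an "id" field that can be used to drop duplicates when the same alert exists in both the live file and a rotated archive. The sample alerts embedded in the block are constructed for the demo.

```python
#!/usr/bin/env python3
"""Re-feed archived Wazuh alerts to Filebeat for a time window.

Added example, not Wazuh's recovery script. Assumes the default manager
layout (/var/ossec/logs/alerts, JSON-lines alerts with "timestamp" and "id").
"""
import argparse
import gzip
import json
import os
from datetime import datetime

ALERTS_DIR = "/var/ossec/logs/alerts"  # assumption: default Wazuh manager layout
OUTPUT = "/tmp/recovery.json"           # the path added to the Filebeat manifest

# Constructed sample alerts (not real data): two inside the window, one exact
# duplicate (same id, as when a day is present both live and rotated), one
# outside the window, one malformed line.
SAMPLE_ALERTS = [
    '{"timestamp":"2021-08-30T13:17:26.123+0000","id":"1630329446.1","rule":{"level":3}}',
    '{"timestamp":"2021-08-30T15:55:19.000+0000","id":"1630338919.2","rule":{"level":5}}',
    '{"timestamp":"2021-08-30T15:55:19.000+0000","id":"1630338919.2","rule":{"level":5}}',
    '{"timestamp":"2021-08-31T09:00:00.000+0000","id":"1630400400.3","rule":{"level":3}}',
    "not json at all",
]


def parse_ts(value):
    """Parse a Wazuh-style timestamp (with or without fractional seconds) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % (value,))


def select_alerts(lines, start, end, seen=None):
    """Return (kept_lines, skipped, duplicates) for alerts with start <= timestamp < end.

    Malformed lines are counted and skipped instead of aborting the run; an alert
    whose "id" was already emitted (via the shared `seen` set) is dropped so the
    same event is not indexed twice.
    """
    seen = set() if seen is None else seen
    kept, skipped, duplicates = [], 0, 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
            ts = parse_ts(alert["timestamp"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if not (start <= ts < end):
            continue
        key = alert.get("id", raw)  # fall back to the raw line if no id field
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        kept.append(raw)
    return kept, skipped, duplicates


def alert_files(root):
    """Yield live and rotated alert files (plain or gzipped) under the alerts directory."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".json") or name.endswith(".json.gz"):
                yield os.path.join(dirpath, name)


def open_alert_file(path):
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8")
    return open(path, encoding="utf-8")


def recover(root, start, end, output):
    """Append every alert in the window to `output`; returns (kept, skipped, duplicates)."""
    seen, totals = set(), [0, 0, 0]
    with open(output, "a", encoding="utf-8") as out:  # append: Filebeat tracks its own offset
        for path in alert_files(root):
            with open_alert_file(path) as fh:
                kept, skipped, dups = select_alerts(fh, start, end, seen)
            for line in kept:
                out.write(line + "\n")
            totals[0] += len(kept)
            totals[1] += skipped
            totals[2] += dups
    return tuple(totals)


def demo():
    """Run the selection over the constructed sample for a 16-hour window on Aug 30."""
    start = parse_ts("2021-08-30T00:00:00+0000")
    end = parse_ts("2021-08-30T16:00:00+0000")
    kept, skipped, dups = select_alerts(SAMPLE_ALERTS, start, end)
    return [json.loads(k)["id"] for k in kept], skipped, dups


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="Write alerts in [start, end) to the Filebeat recovery file")
    p.add_argument("start", help="e.g. 2021-08-30T13:00:00+0000")
    p.add_argument("end", help="e.g. 2021-08-31T06:00:00+0000")
    p.add_argument("--alerts-dir", default=ALERTS_DIR)
    p.add_argument("--output", default=OUTPUT)
    args = p.parse_args()
    print("kept=%d skipped=%d duplicates=%d" % recover(args.alerts_dir, parse_ts(args.start), parse_ts(args.end), args.output))
```

Two practical points when using something like this: the output file is opened in append mode because Filebeat remembers its read offset per file in its registry, so a second run with a different window continues from where the first left off instead of re-shipping everything; and the window boundaries should be taken from the gap you actually observed in the indices (here roughly 16 hours), since anything already indexed that falls inside the window will be sent again and create duplicate documents unless the dedup key catches it.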

moosemaimer

Sep 1, 2021, 9:09:07 AM
to Wazuh mailing list
I followed the instructions and was able to recover all the events from that timeframe. Now that the indices have been restored, do I need to keep the recovery.json and recovery.log files or can they be removed?

Thanks for your help!

Alexander Bohorquez

Sep 2, 2021, 12:21:16 PM
to Wazuh mailing list
Hello Moosemaimer,

I'm glad it worked.

Once the alerts have been reindexed, you no longer need the generated "recovery.json" file. This is just a file where alerts are sent and Filebeat reads them based on the timeframe you defined via the script.

What you should keep are the alerts in /var/ossec/logs/alerts/ since if an issue occurs again you will need to execute the same procedure based on the alerts that you need to reindex.

Please let us know if you have any other questions!