Migration of Wazuh to another server


Alvaro Victoriano

Nov 4, 2019, 9:40:35 PM11/4/19
to Wazuh mailing list
Hello Wazuh Team.

I have a platform of 3 Workers and 1 Master (with ELK). Is it possible to migrate them to other servers?

Or can it be done in an easy way, such as moving the file of the agents' registration?

My objective is to avoid doing the registration of the agents all over again, as there are thousands of them.

Thanks.

Carlos Ridao

Nov 5, 2019, 5:25:31 AM11/5/19
to Wazuh mailing list
Hello Alvaro,

It could be done by moving the configuration files of the managers, but take into account that if you copy the directory to the new server and install from sources, the startup services will not work. To migrate a Wazuh Manager to a new server follow these steps:

1. Backup your files. To avoid losing any configuration, or agent keys, stop manager service and then make a copy of /var/ossec (default installation directory).

2. Install Wazuh Manager in the new server. Do not select to run the Manager after installation.

3. Restore configuration. Before you attempt restoration make sure the Manager is stopped in the new server.

    cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/
    cp -p /var/ossec_backup/etc/ossec.conf /var/ossec/etc/
    cp -p /var/ossec_backup/queue/rids/sender_counter /var/ossec/queue/rids/sender_counter
   
    If you have made local changes to any of the following then also restore:

    cp -p /var/ossec_backup/etc/local_internal_options.conf /var/ossec/etc/local_internal_options.conf
    cp -p /var/ossec_backup/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml
    cp -p /var/ossec_backup/etc/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml

    If you have the centralized configuration you must restore:
   
    cp -p /var/ossec_backup/etc/shared/agent.conf /var/ossec/etc/shared/default/agent.conf

    Optionally the following files can be restored to preserve alert log files and syscheck/rootcheck databases:

    cp -rp /var/ossec_backup/logs/archives/* /var/ossec/logs/archives
    cp -rp /var/ossec_backup/logs/alerts/* /var/ossec/logs/alerts
    cp -rp /var/ossec_backup/queue/rootcheck/* /var/ossec/queue/rootcheck
    cp -rp /var/ossec_backup/queue/syscheck/* /var/ossec/queue/syscheck

4. Start the Wazuh Manager service.

5. If you are using a Load Balancer it won't be necessary to change the MANAGER IP on the agents, as they will keep pointing to it. No changes to the agents' configuration will be necessary either if you are not using a Load Balancer but the IP of the manager (Master or Worker) you want the Agent to report to on the new server remains the same.

    In case you are not using a Load Balancer and the IP of the manager (Master or Worker) you want the Agent to report to has changed, then you will need to update the MANAGER IP in the ossec.conf of every agent and restart them.
    You will find the MANAGER IP in the `<server>` section of `ossec.conf`:

    ```xml
    <client>
      <server>
        <address>YOUR MANAGER IP (Master or Worker)</address>
    ```

Just in case you are not using one, a Load Balancer on a Wazuh cluster is strongly recommended.

I hope this helps.

Best regards,

Carlos.

Alvaro Victoriano

Nov 5, 2019, 9:59:20 PM11/5/19
to Wazuh mailing list
That's awesome Carlos, thank you so much, you saved me a lot of work.


Carlos Ridao

Nov 7, 2019, 2:08:50 AM11/7/19
to Wazuh mailing list
Hi Alvaro,

I'm glad I could help. Please let us know if you need anything else.

Best regards,
Carlos

Alvaro Victoriano

Nov 7, 2019, 10:50:47 AM11/7/19
to Wazuh mailing list
About the load balancer, just an idea:

We can pass the configuration of the new load balancer IP to agent.conf through the manager, and in this way we don't need to modify the configuration in the agent to change the IP of the load balancer, as it is going to be secondary.


Alvaro Victoriano

Nov 10, 2019, 5:39:14 PM11/10/19
to Wazuh mailing list
I have more questions, Carlos, please.

I have Wazuh in a cluster, so if I am going to do the migration for the whole cluster, is it enough to follow the steps you mentioned only on the master node, right? Because the master is going to reflect the client keys and agent.conf to the others, correct?

The file /var/ossec/queue/rids/sender_counter, what is it for?

I saw more files in /var/ossec/queue/rids, are they not important?

This is the most important for me: in /var/ossec/etc/shared/ I have so many groups, is it not valid if I copy the whole folder, like /var/ossec/etc/shared/?

Thanks

Carlos Ridao

Nov 14, 2019, 7:24:18 AM11/14/19
to Wazuh mailing list
Hello Alvaro,

Sorry for the late response. I'll try to help you here.


I have Wazuh in a cluster, so if I am going to do the migration for the whole cluster, is it enough to follow the steps you mentioned only on the master node, right? Because the master is going to reflect the client keys and agent.conf to the others, correct?

All the steps mentioned above were meant to be applied on the Master and the Worker nodes, with the only exception of the following, which should be applied on the Master only, as it will update the Worker nodes properly:

    cp -p /var/ossec_backup/etc/client.keys /var/ossec/etc/

    cp -p /var/ossec_backup/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml
    cp -p /var/ossec_backup/etc/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml

The file /var/ossec/queue/rids/sender_counter, what is it for?
I saw more files in /var/ossec/queue/rids, are they not important?

Those files are used to count all sent and received messages in order to detect potential attacks.


This is the most important for me: in /var/ossec/etc/shared/ I have so many groups, is it not valid if I copy the whole folder, like /var/ossec/etc/shared/?

As you have several groups, you should copy the content of the following directories to the Master:

    /var/ossec/etc/shared/
    /var/ossec/queue/agent-groups/


Finally, we also encourage you to copy /var/ossec/queue/agents-timestamp, as it's used to store when each agent was registered.

I hope this answers your questions.

Best regards,
Carlos
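Putting Carlos' two answers together (the per-node restore list from the first reply and the master-only files from this one), here is an added POSIX shell helper that is not from the thread or the Wazuh project. It assumes the default paths used above (/var/ossec_backup and /var/ossec) and that the new manager is installed but stopped; the master/worker split and the file list are exactly those stated in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: restore a Wazuh manager backup into a fresh
# install, following Carlos' file list. Run with the manager stopped. ROLE is
# "master" or "worker": client.keys, local rules/decoders, the whole shared/ tree,
# agent-groups/ and agents-timestamp go to the master only, which updates workers.
set -eu

# copy_if_present SRC DST: cp -p keeps owner/mode/mtime; a missing SRC is skipped.
copy_if_present() {
    if [ -e "$1" ]; then
        mkdir -p "$(dirname "$2")"
        cp -p "$1" "$2"
    fi
}

# copy_tree_if_present SRC_DIR DST_DIR: recursive copy of a directory's contents.
copy_tree_if_present() {
    if [ -d "$1" ]; then
        mkdir -p "$2"
        cp -rp "$1/." "$2/"
    fi
}

# restore_wazuh_manager ROLE [BACKUP_DIR] [INSTALL_DIR]
restore_wazuh_manager() {
    role=$1; b=${2:-/var/ossec_backup}; t=${3:-/var/ossec}
    case "$role" in
        master|worker) ;;
        *) echo "role must be master or worker" >&2; return 1 ;;
    esac
    # Every node: main config, message counter, local internal options, agent.conf
    copy_if_present "$b/etc/ossec.conf" "$t/etc/ossec.conf"
    copy_if_present "$b/queue/rids/sender_counter" "$t/queue/rids/sender_counter"
    copy_if_present "$b/etc/local_internal_options.conf" "$t/etc/local_internal_options.conf"
    copy_if_present "$b/etc/shared/agent.conf" "$t/etc/shared/default/agent.conf"
    # Master only: agent keys, custom rules/decoders, all groups, registration times
    if [ "$role" = master ]; then
        copy_if_present "$b/etc/client.keys" "$t/etc/client.keys"
        copy_if_present "$b/rules/local_rules.xml" "$t/etc/rules/local_rules.xml"
        copy_if_present "$b/etc/local_decoder.xml" "$t/etc/decoders/local_decoder.xml"
        copy_if_present "$b/queue/agents-timestamp" "$t/queue/agents-timestamp"
        copy_tree_if_present "$b/etc/shared" "$t/etc/shared"
        copy_tree_if_present "$b/queue/agent-groups" "$t/queue/agent-groups"
    fi
    # Optional on every node: alert/archive history and syscheck/rootcheck databases
    for d in logs/archives logs/alerts queue/rootcheck queue/syscheck; do
        copy_tree_if_present "$b/$d" "$t/$d"
    done
}
```

Source it and call `restore_wazuh_manager master` on the new Master and `restore_wazuh_manager worker` on each new Worker, then start the manager service as in step 4.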

Alvaro Victoriano

Nov 14, 2019, 2:39:21 PM11/14/19
to Wazuh mailing list
Thank you so much Carlos, that's perfect.

About the folder /var/ossec/queue/agent-info, will it be created again after the agents connect to the new server?

My last doubt is: as the agents connect to a balancer and I am not going to make any changes in the agents' configuration, and I need to change the balancer as well,

do you think it's possible to centralize the configuration and mention the new balancer IP, so that later, when I do the migration, they will be able to connect to the server?

agent.conf

```xml
<client>
   <server>
      <address>nginx-lb1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

   <server>
      <address>nginx-lb2</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
</client>
```


Or is it valid with only the new load balancer?

```xml
<client>
   <server>
      <address>nginx-lb2</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
</client>
```


Thanks.

Carlos Ridao

Nov 21, 2019, 10:53:58 AM11/21/19
to Wazuh mailing list
Hello Alvaro,

Let me try to answer your questions.

About the folder /var/ossec/queue/agent-info, will it be created again after the agents connect to the new server?

Yes, it will be generated once the agent connects to the manager.
 

My last doubt is: as the agents connect to a balancer and I am not going to make any changes in the agents' configuration, and I need to change the balancer as well,

do you think it's possible to centralize the configuration and mention the new balancer IP, so that later, when I do the migration, they will be able to connect to the server?

agent.conf

```xml
<client>
   <server>
      <address>nginx-lb1</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

   <server>
      <address>nginx-lb2</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
</client>
```

With this configuration you would be using failover mode, which means that you will have the configuration of both Load Balancers. The agent will try to connect to `nginx-lb1` and, in case it is not able to connect to it, it will then try to connect to the second one (`nginx-lb2`). This is an option if you want, but it's not the preferable one once you have migrated to the new server, as it will always try to connect to the old load balancer first.


Or is it valid with only the new load balancer?

```xml
<client>
   <server>
      <address>nginx-lb2</address>
      <port>1514</port>
      <protocol>tcp</protocol>
   </server>

    <config-profile>ubuntu, ubuntu18, ubuntu18.04</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
</client>
```

In this case your agent will try to connect only to the load balancer of your new server. This would be the best option once you have migrated to the new server, if possible.

I hope it helps.

Best regards,
Carlos

Alvaro Victoriano

Nov 21, 2019, 6:56:19 PM11/21/19
to Wazuh mailing list
That's perfect, thank you so much for your help Carlos.

Carlos Ridao

Nov 22, 2019, 2:31:13 AM11/22/19
to Wazuh mailing list
You are welcome. I'm glad it was helpful.

Regards,
Carlos.
