restore wazuh-archive
Bitemir Myrzash
How can I restore the wazuh-archive index if I accidentally deleted it? There are no snapshots.
I deleted it through the policy, although I set it up to delete it for 60 days.
Md. Nazmur Sakib
Hi Bitemir Myrzash,
To recover these files, you will need JSON gz(ossec-archive-DD.json.gz) files inside
/var/ossec/logs/archives/YEAR/Mon/
If you have those compressed JSON files for archives, you can restore the archive indices following this.
Download the script (recovery.py) from the blog page here.
Let's create a duplicate of the original script:
cp recovery.py recover-arch.py
We need to make one little adjustment to the recover-arch.py script:
sed -i 's|logs/alerts/{1}/{2}/ossec-alerts-|logs/archives/{1}/{2}/ossec-archive-|1' recover-arch.py
Let's create a new empty file in the /tmp folder:
touch /tmp/recover-arch.json
Now, let's change the manifest for the archives module to monitor the new file (or edit the file manifest.yml in /usr/share/filebeat/module/wazuh/archives and add the path to the new file):
sed -i 's| - /var/ossec/logs/archives/archives.json| - /var/ossec/logs/archives/archives.json\n - /tmp/recover-arch.json\n|1' /usr/share/filebeat/module/wazuh/archives/manifest.yml
Restart the service:
systemctl restart filebeat
We are ready to execute the script to recover archives, here's an example, replace the parameters accordingly to your needs:
nohup /var/ossec/framework/python/bin/python3 recover-arch.py -eps 1000 -min 2025-01-01T00:00:00 -max 2025-07-29T23:59:59 -o /tmp/recover-arch.json -log /tmp/recover-arch.log -sz 4 &
Check this for more information.
Blog - Recover your data using Wazuh alerts backups
Let me know if this works for you.
Bitemir Myrzash
Thanks a lot. it helped me!
If you have another benefit scprits, can you send it?