Wazuh old Indices to new deployment


PATAN MAHAMMAD KHAN

Jun 19, 2023, 2:25:14 AM6/19/23
to Wazuh mailing list

Hi Team,

We are currently using Wazuh version 4.3 on a single host and are planning to move to a distributed deployment.

Could you please help me move the data of the last three months from the old server to the new server!

Please help with a step-by-step process.

Daniel Folch

Jun 19, 2023, 4:00:48 AM6/19/23
to Wazuh mailing list
Hello,

To do this you have two options:

1. If the new server has a connection to the old server, you can use reindex to copy the indices from one machine to another; here you have some documentation about this topic:
This option may not be adequate if you need to copy a lot of indices, as Wazuh creates an index every day.

2. Another option is to create a snapshot of all the indices you want to copy from the old server and move them to the new server; here you have the documentation about how to create snapshots:
If you use a snapshot repository located in the cloud (AWS, for example), you need to add the repository to the new server and you will be able to load all the snapshots. On the other hand, if you use a local repository, you will need to copy all the files in the local repository to the new machine and add the repository.

PATAN MAHAMMAD KHAN

Jun 19, 2023, 7:03:05 AM6/19/23
to Wazuh mailing list

Hi Daniel,

Thanks for the quick response. Could you please help me with a more detailed step-wise document to finish this task with the help of a local machine or hard disk, if possible.


Daniel Folch

Jun 20, 2023, 5:36:32 AM6/20/23
to Wazuh mailing list

Hello,

  1. Create the local repository in your old server. To do this:
    1.1. Create a directory to store the snapshots and set the correct permissions (two separate commands):

    mkdir -p path_to_repo
    chown wazuh-indexer:wazuh-indexer path_to_repo

    1.2. Add this to the Wazuh indexer configuration file, /etc/wazuh-indexer/opensearch.yml:

    path.repo: ["path_to_repo"]

    1.3. Use the following API call to register the repository:

    PUT /_snapshot/my-fs-repository
    {
      "type": "fs",
      "settings": {
        "location": "path_to_repo"
      }
    }

    or, if you prefer it in curl form:

    curl -XPUT https://localhost:9200/_snapshot/my-fs-repository?pretty -H 'Content-Type: application/json' -d' { "type": "fs", "settings": { "location": "path_to_repo" } }' -k -u admin:10wWAMfrh8ijct7.eppMTVSWO71MIQ3*

  2. Create a snapshot stored in the repository we created. You can save all the indices and the cluster state with this API call:

    PUT /_snapshot/my-fs-repository/my_snapshot

    Or you can indicate which indices you want to save; for example, this call will only save the indices that come from Wazuh:

    PUT /_snapshot/my-fs-repository/wazuh_snapshot
    {
      "indices": "wazuh*",
      "ignore_unavailable": true,
      "include_global_state": false,
      "partial": false
    }

  3. Copy the directory containing the snapshots from the old server to the new server.

  4. Add the snapshot repository to the new server:
    4.1. Add this to /etc/wazuh-indexer/opensearch.yml:

    path.repo: ["path_to_repo"]

    4.2. And make this API call:

    PUT /_snapshot/my-fs-repository
    {
      "type": "fs",
      "settings": {
        "location": "path_to_repo"
      }
    }

    4.3. Check that the repository has been added correctly; this call should return the snapshots we took from the old server:

    GET /_snapshot/my-fs-repository/_all

  5. Restore the snapshots in the new server:

    POST /_snapshot/my-fs-repository/wazuh_snapshot/_restore

    In case you face any index conflict when restoring the snapshot, here you have some documentation on how to resolve it:
    https://opensearch.org/docs/2.8/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/#conflicts-and-compatibility
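One way to verify step 4.3 before running step 5, as an added Python example that is not part of this thread: it takes the JSON that GET /_snapshot/my-fs-repository/_all returns (a constructed sample is embedded), confirms the snapshot completed, restricts the restore to the indices you actually want, and adds rename_pattern/rename_replacement (standard OpenSearch restore options) when an index already exists on the new server, so the restore does not hit the conflict case the linked documentation covers. The snapshot and index names are assumptions modelled on the thread.

```python
import json
import re

# Constructed sample of what GET /_snapshot/my-fs-repository/_all could return
# on the new server after the repository is registered (step 4.3 above).
SAMPLE_SNAPSHOT_LISTING = json.loads("""
{"snapshots": [{"snapshot": "wazuh_snapshot", "state": "SUCCESS",
  "include_global_state": false,
  "indices": ["wazuh-alerts-4.x-2023.06.19", "wazuh-alerts-4.x-2023.06.20",
              "wazuh-monitoring-2023.25w"]}]}
""")


def find_snapshot(listing, name):
    """Return the snapshot entry with this name, or None if it is missing."""
    for snap in listing.get("snapshots", []):
        if snap.get("snapshot") == name:
            return snap
    return None


def restore_plan(listing, name, wanted_pattern, existing_indices):
    """Build the body for POST /_snapshot/<repo>/<name>/_restore.

    Refuses to plan a restore unless the snapshot exists and completed
    (state SUCCESS). Only indices matching wanted_pattern (a glob such as
    "wazuh-alerts-*") are restored; if any of them already exist on the
    target cluster, rename_pattern/rename_replacement are added so the
    restore lands in renamed copies instead of failing on the conflict.
    Returns (body, list_of_conflicting_index_names)."""
    snap = find_snapshot(listing, name)
    if snap is None:
        raise ValueError(f"snapshot {name!r} not found in repository listing")
    if snap.get("state") != "SUCCESS":
        raise ValueError(f"snapshot {name!r} is in state {snap.get('state')!r}")
    regex = re.compile("^" + re.escape(wanted_pattern).replace(r"\*", ".*") + "$")
    selected = [i for i in snap["indices"] if regex.match(i)]
    if not selected:
        raise ValueError(f"no indices in {name!r} match {wanted_pattern!r}")
    body = {
        "indices": ",".join(selected),
        "ignore_unavailable": True,
        "include_global_state": False,  # do not import the old node's cluster state
        "partial": False,
    }
    conflicts = sorted(set(selected) & set(existing_indices))
    if conflicts:
        # e.g. wazuh-alerts-4.x-2023.06.20 is restored as restored-wazuh-alerts-4.x-2023.06.20
        body["rename_pattern"] = "(.+)"
        body["rename_replacement"] = "restored-$1"
    return body, conflicts
```

Feed `restore_plan` the real listing (json.loads of the GET response) and the output of GET /_cat/indices on the new server, then send the returned body with the _restore call.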

PATAN MAHAMMAD KHAN

Jun 21, 2023, 4:32:08 AM6/21/23
to Wazuh mailing list

Hi Daniel,

I got stuck at the last step. Please check the error below and help me rectify it. I have performed these steps with the Admin account and was successful in creating the snapshot and calling it.

POST /_snapshot/my-fs-repository/wazuh_snapshot/_restore


{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
  },
  "status" : 403
}

PATAN MAHAMMAD KHAN

Jun 22, 2023, 12:14:57 AM6/22/23
to Wazuh mailing list
Hi Daniel,

Kindly look into the trail email and let me know where it went wrong at the earliest.

PATAN MAHAMMAD KHAN

Jun 27, 2023, 3:08:42 AM6/27/23
to Wazuh mailing list
Hi Daniel,

Can you please check the trail email and let me know where it went wrong at the earliest.