Hi Team,
We are currently using Wazuh version 4.3 on a single host and are planning to go for the distributed deployment.
Could you please help me move the data of the last three months from the old server to the new server!
Please help with a step-by-step process.
Hi Daniel,
Thanks for the quick response, could you please help me with a more detailed step-wise document to finish this task with the help of a local machine or hard disk if possible.
Hello,
1. Create the local repository in your old server, to do this:
1.1. Create a directory to store the snapshots and set the correct permissions:
1.2. Add this to the Wazuh indexer configuration file: /etc/wazuh-indexer/opensearch.yml

    path.repo: ["path_to_repo"]

1.3. Use the following API call to register the repository:

    PUT /_snapshot/my-fs-repository
    {
      "type": "fs",
      "settings": {
        "location": "path_to_repo"
      }
    }

or if you prefer it in curl form:

    curl -XPUT https://localhost:9200/_snapshot/my-fs-repository?pretty -H 'Content-Type: application/json' -d'
    {
      "type": "fs",
      "settings": {
        "location": "path_to_repo"
      }
    }' -k -u admin:10wWAMfrh8ijct7.eppMTVSWO71MIQ3*

2. Create a snapshot stored in the repository we created, you can save all the indices and the cluster state with this API call:

    PUT /_snapshot/my-fs-repository/my_snapshot

Or you can indicate which indices you want to save, for example, this call will only save the indices that come from Wazuh:

    PUT /_snapshot/my-fs-repository/wazuh_snapshot
    {
      "indices": "wazuh*",
      "ignore_unavailable": true,
      "include_global_state": false,
      "partial": false
    }

3. Copy the directory containing the snapshots from the old server to the new server
4. Add the snapshot repository to the new server
4.1. Add this to /etc/wazuh-indexer/opensearch.yml
4.2. And make this API call

    PUT /_snapshot/my-fs-repository
    {
      "type": "fs",
      "settings": {
        "location": "path_to_repo"
      }
    }

4.3. Check if the repository has been added correctly, this call should return the snapshots we took from the old server

    GET /_snapshot/my-fs-repository/_all

5. Restore the snapshots in the new server

    POST /_snapshot/my-fs-repository/wazuh_snapshot/_restore

In case you face any index conflict when restoring the snapshot here you have some documentation on how to resolve it:
https://opensearch.org/docs/2.8/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/#conflicts-and-compatibility
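The snapshot-and-restore steps above, written up as one script so the same procedure can be run on the old host (snapshot) and on the new host (restore). This is an added example, not code from this thread, from Wazuh or from OpenSearch. It assumes the default Wazuh 4.x daily alert index naming (wazuh-alerts-4.x-YYYY.MM.DD), an indexer at https://localhost:9200, the indexer root CA at /etc/wazuh-indexer/certs/root-ca.pem and a repository directory /var/lib/wazuh-indexer/snapshots; all of these are assumptions you should adjust. Where the post uses the broad "wazuh*" pattern, the script narrows the snapshot to the three months the question asked about, verifies the CA instead of passing -k, waits for the snapshot to finish before the directory is copied, and on the new host checks for name clashes with indices that already exist there, restoring under a renamed suffix if needed (the documented conflict case).

```python
# Added example (not from the thread): wrapper around the OpenSearch snapshot
# API used by the steps above, for moving Wazuh indexer data between hosts.
import base64
import json
import ssl
import time
import urllib.request
from datetime import date

# Assumption: default Wazuh 4.x daily alert indices are named wazuh-alerts-4.x-YYYY.MM.DD
INDEX_PREFIX = "wazuh-alerts-4.x-"

# Constructed sample of what GET /_snapshot/<repo>/<name> returns (trimmed).
SAMPLE_LISTING = {"snapshots": [{"snapshot": "wazuh_snapshot", "state": "SUCCESS",
                  "indices": ["wazuh-alerts-4.x-2024.01.02", "wazuh-alerts-4.x-2024.01.01"]}]}


def month_patterns(year, month, months):
    """Index patterns covering `months` calendar months ending in year/month,
    e.g. ['wazuh-alerts-4.x-2023.12.*', ...]; narrower than the post's 'wazuh*'."""
    out = []
    for _ in range(months):
        out.append(f"{INDEX_PREFIX}{year:04d}.{month:02d}.*")
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return sorted(out)


def repo_body(location):
    return {"type": "fs", "settings": {"location": location}}


def snapshot_body(patterns):
    # include_global_state=False keeps cluster-wide settings/templates of the
    # old host (including its security config) out of the new cluster.
    return {"indices": ",".join(patterns), "ignore_unavailable": True,
            "include_global_state": False, "partial": False}


def snapshot_state(listing):
    """Parse GET /_snapshot/<repo>/<name>: returns (state, sorted index names)."""
    snap = listing["snapshots"][0]
    return snap["state"], sorted(snap.get("indices", []))


def conflicting_indices(snapshot_indices, existing_indices):
    """Indices already present on the target; restoring them unrenamed fails."""
    return sorted(set(snapshot_indices) & set(existing_indices))


def restore_body(indices, rename_suffix=None):
    body = {"indices": ",".join(indices), "include_global_state": False}
    if rename_suffix:  # restore side by side instead of clashing with live indices;
        body["rename_pattern"] = "(.+)"   # a suffix keeps them under wazuh-alerts-*
        body["rename_replacement"] = "$1" + rename_suffix
    return body


class Indexer:
    def __init__(self, url, user, password, ca_file):
        self.url = url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context(cafile=ca_file)  # verify TLS, no -k

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.url + path, data=data, method=method,
                                     headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"{}")

    def existing_indices(self):
        return [row["index"] for row in self.call("GET", "/_cat/indices?format=json")]

    def wait_for_snapshot(self, repo, name, timeout=3600):
        deadline = time.time() + timeout
        while time.time() < deadline:
            state, _ = snapshot_state(self.call("GET", f"/_snapshot/{repo}/{name}"))
            if state != "IN_PROGRESS":   # SUCCESS, PARTIAL or FAILED
                return state
            time.sleep(10)
        raise TimeoutError(f"snapshot {name} still in progress after {timeout}s")


if __name__ == "__main__":
    import getpass
    import sys
    # Assumed paths/URL; adjust for your hosts.
    idx = Indexer("https://localhost:9200", "admin", getpass.getpass("indexer password: "),
                  "/etc/wazuh-indexer/certs/root-ca.pem")
    repo, snap, location = "my-fs-repository", "wazuh_snapshot", "/var/lib/wazuh-indexer/snapshots"
    if sys.argv[1:] == ["snapshot"]:   # run on the OLD host
        idx.call("PUT", f"/_snapshot/{repo}", repo_body(location))
        today = date.today()
        idx.call("PUT", f"/_snapshot/{repo}/{snap}",
                 snapshot_body(month_patterns(today.year, today.month, 3)))
        print("snapshot finished with state", idx.wait_for_snapshot(repo, snap))
    elif sys.argv[1:] == ["restore"]:  # run on the NEW host after copying the directory
        idx.call("PUT", f"/_snapshot/{repo}", repo_body(location))
        _, in_snapshot = snapshot_state(idx.call("GET", f"/_snapshot/{repo}/{snap}"))
        clashes = conflicting_indices(in_snapshot, idx.existing_indices())
        body = restore_body(in_snapshot, "_migrated" if clashes else None)
        print(idx.call("POST", f"/_snapshot/{repo}/{snap}/_restore", body))
```

Run `python3 migrate.py snapshot` on the old host only after the snapshot directory exists and is owned by the wazuh-indexer user and `path.repo` points at it (steps 1.1 and 1.2); copy the directory to the same path on the new host, register it there, and run `python3 migrate.py restore`. Both runs need the same account the post uses for the API calls.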
Hi Daniel,
I got stuck at the last step. Please check the below error and help me rectify it. I have performed these steps with the admin account and was successful in creating the snapshot and calling it.
POST /_snapshot/my-fs-repository/wazuh_snapshot/_restore
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
}
],
"type" : "security_exception",
"reason" : "no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"
},
"status" : 403
}