Migrate from ES Basic to OpenDistro
412 views
Skip to first unread message
charl...@gmail.com
Mar 4, 2021, 1:59:20 AM3/4/21
to Wazuh mailing list
Hi All,
Looking for some advise on migrating from my current Wazuh installation from running ES Basic to OpenDistro, obviously want to keep Wazuh intact so I don't affect installed agents, just want the backend on OpenDistro.
Any suggestions on doing a migration without loosing the data on the current ES cluster?
Regards,
Charl
elw...@wazuh.com
Mar 4, 2021, 4:21:12 AM3/4/21
to Wazuh mailing list
Hello Charl,
Migrating from ES to Opendistro should not affect Wazuh's manager nor agents as the formers are external integrations for Wazuh and as long as the compatibility matrix (https://documentation.wazuh.com/current/upgrade-guide/compatibility_matrix/) is respected (for the Wazuh plugin to remain intact).
Having said that; You can approach the migration in two different manners depending on your use case :
Hope this helps.
Regards,
Wali
Migrating from ES to Opendistro should not affect Wazuh's manager nor agents as the formers are external integrations for Wazuh and as long as the compatibility matrix (https://documentation.wazuh.com/current/upgrade-guide/compatibility_matrix/) is respected (for the Wazuh plugin to remain intact).
Having said that; You can approach the migration in two different manners depending on your use case :
- First approach: Assumes that you are keeping Wazuh alerts logs ( under /var/ossec/logs/)
- Remove all Elastic Stack (Filbeat, Elasticsearch & Kibana) components from the system https://documentation.wazuh.com/current/user-manual/uninstall/elastic-stack.html
- Fresh install for Opendistro: https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html
- Recover all data from Wazuh manager and index it into Elasticsearch/Opendistro: https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/
- Remove all Elastic Stack (Filbeat, Elasticsearch & Kibana) components from the system https://documentation.wazuh.com/current/user-manual/uninstall/elastic-stack.html
- Second approach: Data/alerts are being removed (to clear disk space) from Wazuh and all data is located only in Elaticsearch indices
- Make snapshots/backup (taking into account https://www.elastic.co/guide/en/elasticsearch/reference/7.x/snapshot-restore.html#snapshot-restore-version-compatibility) of the indices from the existing Elasticsearch: https://wazuh.com/blog/index-backup-management/
- Remove all Elastic Stack (Filbeat, Elasticsearch & Kibana)
components from the system
https://documentation.wazuh.com/current/user-manual/uninstall/elastic-stack.html
- Fresh install for Opendistro:
https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/all_in_one.html
- Restore snapshots: https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshots-restore-snapshot.html or https://wazuh.com/blog/index-backup-management/
- Make snapshots/backup (taking into account https://www.elastic.co/guide/en/elasticsearch/reference/7.x/snapshot-restore.html#snapshot-restore-version-compatibility) of the indices from the existing Elasticsearch: https://wazuh.com/blog/index-backup-management/
Hope this helps.
Regards,
Wali
Reply all
Reply to author
Forward
0 new messages