Open Distro data migration to Wazuh indexer on Docker

This procedure is for users running Wazuh version 4.2.x with Open Distro for Elasticsearch. It explains how to migrate data from Open Distro for Elasticsearch to the Wazuh indexer in Docker production deployments (v4.2.x to v4.3).

It assumes that the version 4.2.x production cluster has already been deployed.

  1. From the wazuh-docker directory, stop the current v4.2.x environment:

    # docker-compose -f production-cluster.yml stop
  2. Check that Elasticsearch volumes are present:

    # docker volume ls --filter name='wazuh-docker_elastic-data'
  3. Inspect the Elasticsearch volumes and save the com.docker.compose.version value; it is needed in step 7:

    # docker volume inspect wazuh-docker_elastic-data-1
  4. Take down the current v4.2.x environment:

    # docker-compose -f production-cluster.yml down
  5. Exit the current wazuh-docker directory and rename it to wazuh-docker-4.2.X.

  6. Clone the Wazuh v4.3 repository to your system:

    # git clone -b v4.3.5 --depth=1
  7. Enter the multi-node directory and run the volume-migrator script. It creates new volumes for v4.3 and copies the data from the old volumes into them. The arguments are the docker-compose version (saved in step 3) and the project name, as in the example below. This step can also be done manually; see steps 5 and 6 in the Wazuh Docker GitHub repository:

    # ./ 1.29.2 multi-node
  8. Start the v4.3 environment:

    # docker-compose -f generate-indexer-certs.yml run --rm generator
    # docker-compose up -d
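What the volume-migrator script does in step 7, as an added example that is not part of the Wazuh documentation or of the wazuh-docker project: it reads the compose labels from a constructed `docker volume inspect` output (step 3) and builds, for one volume, the `docker volume create` command with the labels docker-compose expects plus the copy command. The v4.3 volume names (`wazuh-indexer-data-N`), the `multi-node` project name and the use of an `alpine` container for the copy are assumptions.

```python
import json
import shlex

# Constructed sample of `docker volume inspect wazuh-docker_elastic-data-1`
# output (step 3); the values are illustrative, not from a real host.
SAMPLE_INSPECT = json.dumps([{
    "Driver": "local",
    "Labels": {
        "com.docker.compose.project": "wazuh-docker",
        "com.docker.compose.version": "1.29.2",
        "com.docker.compose.volume": "elastic-data-1",
    },
    "Mountpoint": "/var/lib/docker/volumes/wazuh-docker_elastic-data-1/_data",
    "Name": "wazuh-docker_elastic-data-1",
}])


def compose_labels(inspect_json: str) -> dict:
    """Return the compose labels of the first volume in `docker volume inspect` output."""
    data = json.loads(inspect_json)
    if not data:
        raise ValueError("inspect output contained no volume")
    labels = data[0].get("Labels") or {}
    required = ("com.docker.compose.version", "com.docker.compose.project")
    missing = [k for k in required if k not in labels]
    if missing:
        raise KeyError(f"volume lacks {', '.join(missing)}; was it created by docker-compose?")
    return labels


def migration_commands(compose_version: str, project: str, old_volume: str, new_suffix: str) -> list:
    """Build the two commands that recreate one data volume under the new project.

    The labels must match what docker-compose sets itself; otherwise `docker-compose up`
    in the v4.3 directory creates a fresh, empty volume instead of adopting this one.
    """
    new_volume = f"{project}_{new_suffix}"  # assumed v4.3 naming: <project>_<volume>
    create = ["docker", "volume", "create",
              "--label", f"com.docker.compose.project={project}",
              "--label", f"com.docker.compose.version={compose_version}",
              "--label", f"com.docker.compose.volume={new_suffix}",
              new_volume]
    # Copy through a throwaway container; the source is mounted read-only so a typo cannot damage it.
    copy = ["docker", "run", "--rm", "-v", f"{old_volume}:/from:ro", "-v", f"{new_volume}:/to",
            "alpine", "sh", "-c", "cp -a /from/. /to/"]
    return [shlex.join(create), shlex.join(copy)]


if __name__ == "__main__":
    version = compose_labels(SAMPLE_INSPECT)["com.docker.compose.version"]
    for n in (1, 2, 3):  # three indexer nodes in the multi-node deployment (assumed)
        for cmd in migration_commands(version, "multi-node", f"wazuh-docker_elastic-data-{n}",
                                      f"wazuh-indexer-data-{n}"):
            print(cmd)
```

Run without arguments it only prints the commands, so they can be reviewed against the docker-compose.yml of the v4.3 directory before anything is executed.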