Wazuh central components

To create a backup of the central components of your Wazuh installation, follow these steps. Repeat them on every cluster node you want to back up.

Note

You need root user privileges to execute the commands below.

Preparing the backup

  1. Create the destination folder to store the files. For version control, add the date and time of the backup to the name of the folder.

    # bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
    # mkdir -p $bkp_folder && echo $bkp_folder
    
  2. Save the host information.

    # cat /etc/*release* > $bkp_folder/host-info.txt
    # echo -e "\n$(hostname): $(hostname -I)" >> $bkp_folder/host-info.txt
    

Backing up the Wazuh server

  1. Back up the Wazuh server data and configuration files.

    # rsync -aREz \
    /etc/filebeat/ \
    /etc/postfix/ \
    /var/ossec/api/configuration/ \
    /var/ossec/etc/client.keys \
    /var/ossec/etc/sslmanager* \
    /var/ossec/etc/ossec.conf \
    /var/ossec/etc/internal_options.conf \
    /var/ossec/etc/local_internal_options.conf \
    /var/ossec/etc/rules/local_rules.xml \
    /var/ossec/etc/decoders/local_decoder.xml \
    /var/ossec/etc/shared/ \
    /var/ossec/logs/ \
    /var/ossec/queue/agentless/ \
    /var/ossec/queue/agents-timestamp \
    /var/ossec/queue/fts/ \
    /var/ossec/queue/rids/ \
    /var/ossec/stats/ \
    /var/ossec/var/multigroups/ $bkp_folder
    
  2. If present, back up certificates and additional configuration files.

    # rsync -aREz \
    /var/ossec/etc/*.pem \
    /var/ossec/etc/authd.pass $bkp_folder
    
  3. Back up your custom files. If you have custom active responses, CDB lists, integrations, or wodles, adapt the following command accordingly.

    # rsync -aREz \
    /var/ossec/active-response/bin/<custom_AR_script> \
    /var/ossec/etc/lists/<user_cdb_list>.cdb \
    /var/ossec/integrations/<custom_integration_script> \
    /var/ossec/wodles/<custom_wodle_script> $bkp_folder
    
  4. Stop the Wazuh manager service to prevent modification attempts while copying the Wazuh databases.

    # systemctl stop wazuh-manager
    
  5. Back up the Wazuh databases. They hold the data collected from agents.

    # rsync -aREz \
    /var/ossec/queue/db/ $bkp_folder
    
  6. Start the Wazuh manager service.

    # systemctl start wazuh-manager
    

Backing up the Wazuh indexer and dashboard

  1. Back up the Wazuh indexer certificates and configuration files.

    # rsync -aREz \
    /etc/wazuh-indexer/certs/ \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/jvm.options.d \
    /etc/wazuh-indexer/log4j2.properties \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch.keystore \
    /etc/wazuh-indexer/opensearch-observability/ \
    /etc/wazuh-indexer/opensearch-reports-scheduler/ \
    /etc/wazuh-indexer/opensearch-security/ \
    /usr/lib/sysctl.d/wazuh-indexer.conf $bkp_folder
    
  2. Back up the Wazuh dashboard certificates and configuration files.

    # rsync -aREz \
    /etc/wazuh-dashboard/certs/ \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore \
    /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml $bkp_folder
    
  3. If present, back up your downloads and custom images.

    # rsync -aREz \
    /usr/share/wazuh-dashboard/data/wazuh/downloads/ \
    /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/ $bkp_folder
    

Note

While you're already backing up alert files, consider backing up the cluster indices and state as well. State includes cluster settings, node information, index metadata, and shard allocation.

Check the backup

  1. Verify that the Wazuh manager is active and list all the backed-up files:

    # systemctl status wazuh-manager
    
    # find $bkp_folder -type f | sed "s|$bkp_folder/||" | less
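Listing the files shows that the copy ran, but not that it is still intact when you come to restore it. The script below is an added example, not part of the Wazuh documentation: it records a SHA-256 manifest of the backup folder created above and later verifies it, and checks that the server files the procedure copies with `rsync -R` are present at their expected relative paths. The name MANIFEST.sha256 and the `create`/`verify` subcommands are assumptions; GNU coreutils is assumed for `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): checksum manifest for a
# Wazuh backup folder. MANIFEST.sha256 is an assumed file name.

# Write a manifest of every regular file below the backup folder. Paths are
# stored relative to the folder, so the manifest stays valid after the folder
# is moved (for example to off-host storage).
make_manifest() {
    folder="$1"
    ( cd "$folder" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 ) > "$folder/MANIFEST.sha256"
}

# Recompute and compare every checksum; succeeds only if all files match
# and none are missing.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 )
}

# rsync -R keeps the full source path under the backup folder, so the key
# server files copied in the procedure above must exist at these relative
# paths. Extend the list on indexer/dashboard nodes (e.g. etc/wazuh-indexer/certs).
check_required() {
    folder="$1"
    status=0
    for path in var/ossec/etc/ossec.conf var/ossec/etc/client.keys var/ossec/queue/db; do
        if [ ! -e "$folder/$path" ]; then
            echo "missing from backup: $path" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh check_backup.sh create "$bkp_folder"   right after the backup
#        sh check_backup.sh verify "$bkp_folder"   before restoring from it
case "${1:-}" in
    create) make_manifest "$2" ;;
    verify) verify_manifest "$2" && check_required "$2" && echo "backup $2 OK" ;;
esac
```

Store the manifest (or a copy of it) separately from the backup so that an attacker who can alter the backup cannot also rewrite the checksums.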