Wazuh agent

To create a backup of your Wazuh agent installation, follow these steps.


You need root user privileges to execute the commands below.

Preparing the backup

  1. On the agent machine you are backing up, run the following commands to create the destination folder for the backup files. The folder name includes the current date and time, which keeps the files separate from any older backups you might have.

    # bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
    # mkdir -p $bkp_folder && echo $bkp_folder

Backing up a Wazuh agent

  1. Back up Wazuh agent data, certificates, and configuration files.

    # rsync -aREz \
    /var/ossec/etc/client.keys \
    /var/ossec/etc/ossec.conf \
    /var/ossec/etc/internal_options.conf \
    /var/ossec/etc/local_internal_options.conf \
    /var/ossec/etc/*.pem \
    /var/ossec/logs/ \
    /var/ossec/queue/rids/ $bkp_folder

  2. Back up your custom files such as local SCA policies, active response scripts, and wodles.

    # rsync -aREz /var/ossec/etc/<SCA_DIRECTORY>/<CUSTOM_SCA_FILE> $bkp_folder
    # rsync -aREz /var/ossec/active-response/bin/<CUSTOM_ACTIVE_RESPONSE_SCRIPT> $bkp_folder
    # rsync -aREz /var/ossec/wodles/<CUSTOM_WODLE_SCRIPT> $bkp_folder

Checking the backup

  1. Check that everything is in place and working.

    # find $bkp_folder -type f | sed "s|$bkp_folder/||" | less
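
One way to go beyond the file listing, as an added example that is not part of the Wazuh documentation: the script below checks that the files named in the backup steps are present, that the copies under etc/ still match the live files, and that the copies of client.keys and *.pem, which hold the agent's credentials, are not world-readable. The function names and the optional source_root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation): check a backup folder
# produced by the rsync commands above.
# backup_findings <backup_folder> [source_root] prints one line per problem.
# source_root is a hypothetical parameter for trying this on a scratch tree;
# left empty, files are compared with the live ones under /var/ossec.
backup_findings() (
    bkp=$1 root=${2:-}
    # Single files named in the backup step. The *.pem glob has no fixed
    # names, so it is not checked for presence.
    for rel in client.keys ossec.conf internal_options.conf \
               local_internal_options.conf; do
        [ -f "$bkp/var/ossec/etc/$rel" ] || echo "MISSING var/ossec/etc/$rel"
    done
    # Directories named in the backup step.
    for rel in logs queue/rids; do
        [ -d "$bkp/var/ossec/$rel" ] || echo "MISSING var/ossec/$rel/"
    done
    # Files under etc/ should match the source byte for byte. logs/ and
    # queue/rids/ keep changing on a running agent, so they are skipped.
    if [ -d "$bkp/var/ossec/etc" ]; then
        find "$bkp/var/ossec/etc" -type f | while IFS= read -r f; do
            rel=${f#"$bkp"/}
            if [ -f "$root/$rel" ] && ! cmp -s "$root/$rel" "$f"; then
                echo "DIFFERS $rel"
            fi
        done
    fi
    # client.keys and *.pem hold agent credentials: flag world-readable copies.
    find "$bkp" -type f \( -name client.keys -o -name '*.pem' \) -perm -004 |
        while IFS= read -r f; do echo "EXPOSED ${f#"$bkp"/}"; done
)

# verify_backup <backup_folder> [source_root]: returns 0 only with no findings.
verify_backup() {
    findings=$(backup_findings "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK $1"
}

# When saved as a script (any file name), run it as: sh <file> "$bkp_folder"
if [ $# -gt 0 ]; then verify_backup "$@"; fi
```

A DIFFERS line right after the backup means a file under etc/ changed between the copy and the check; rerun the rsync step and check again.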