Migrating to the Wazuh indexer

Follow this guide to migrate from Open Distro for Elasticsearch 1.13 to the Wazuh indexer. These instructions are intended for a standard Wazuh installation; you may need to adapt them to your environment.

Note

Root user privileges are required to execute all the commands described below.

  1. Disable shard allocation to prevent Elasticsearch from replicating shards as you shut down nodes. Replace <elasticsearch_IP> with your Elasticsearch IP address or hostname, and <username>:<password> with your Elasticsearch username and password.

    curl -X PUT "https://<elasticsearch_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
    
  2. Stop indexing and perform a synced flush. Indexing and searching should be stopped, and _flush can be used to persist the in-memory data to the index, which prevents data loss during the upgrade.

    curl -X POST "https://<elasticsearch_IP>:9200/_flush/synced" -u <username>:<password> -k
    
  3. Stop Filebeat.

    # systemctl stop filebeat
    
    # service filebeat stop
    
  4. Shut down Elasticsearch. For distributed deployments, shut down one node at a time: data nodes first, then master nodes.

    # systemctl stop elasticsearch
    
    # service elasticsearch stop
    
  5. Add the Wazuh repository. You can skip this step if the repository is already present and enabled on your server. Choose one option according to the operating system used.

    RPM-based operating system:

    1. Import the GPG key.

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      
    2. Add the repository.

      # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
      
    Debian-based operating system:

    1. Install the following package if missing.

      # apt install gnupg
      
    2. Install the GPG key.

      # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
      
    3. Add the repository.

      # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
      
    4. Update the package information.

      # apt-get update
      
      
  6. Install the Wazuh indexer.

    # yum -y install wazuh-indexer
    
    # apt -y install wazuh-indexer
    
  7. Create the /etc/wazuh-indexer/certs directory, copy your old certificates to the new location and change ownership and permissions. Note that the admin.pem and admin-key.pem certificates do not exist on every Elasticsearch node.

    # mkdir /etc/wazuh-indexer/certs
    # cp /etc/elasticsearch/certs/elasticsearch-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # cp /etc/elasticsearch/certs/elasticsearch.pem /etc/wazuh-indexer/certs/indexer.pem
    # cp /etc/elasticsearch/certs/admin.pem /etc/wazuh-indexer/certs/admin.pem
    # cp /etc/elasticsearch/certs/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
    # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs/
    # chmod 500 /etc/wazuh-indexer/certs/
    # chmod 400 /etc/wazuh-indexer/certs/*
    
  8. Move or copy your data to the new directories and change ownership.

    # rm -rf /var/lib/wazuh-indexer/ /var/log/wazuh-indexer/
    # mv /var/lib/elasticsearch/ /var/lib/wazuh-indexer/
    # mv /var/log/elasticsearch/ /var/log/wazuh-indexer/
    # chown wazuh-indexer:wazuh-indexer -R /var/log/wazuh-indexer/
    # chown wazuh-indexer:wazuh-indexer -R /var/lib/wazuh-indexer/
    
  9. Port your settings from /etc/elasticsearch/elasticsearch.yml to /etc/wazuh-indexer/opensearch.yml. Most settings use the same names.

    Take into account the following considerations:

    1. At a minimum, specify cluster.name, node.name, discovery.seed_hosts, and cluster.initial_master_nodes.

    2. Editing the path.data and the path.logs settings is not needed. The old data has been moved to the default Wazuh indexer paths in the previous step.

    3. Editing the certificates names and paths is not needed. The old certificates have been moved and renamed in a previous step.

    4. If you were using the default Wazuh certificates, change the Organizational Unit (OU) from Wazuh to Docu.

      plugins.security.authcz.admin_dn:
      - "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
      plugins.security.check_snapshot_restore_write_privileges: true
      plugins.security.enable_snapshot_restore_privilege: true
      plugins.security.nodes_dn:
      - "CN=node-1,OU=Docu,O=Wazuh,L=California,C=US"
      #- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
      #- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
      
  10. Optional. Port any custom configurations, for example, the -Xms and -Xmx settings, from /etc/elasticsearch/jvm.options to /etc/wazuh-indexer/jvm.options.

  11. Enable and start the Wazuh indexer. Choose one option according to the init system and operating system used.

    1. Systemd:

    # systemctl daemon-reload
    # systemctl enable wazuh-indexer
    # systemctl start wazuh-indexer
    
    2. SysV init, RPM-based operating system:

    # chkconfig --add wazuh-indexer
    # service wazuh-indexer start
    
    3. SysV init, Debian-based operating system:

    # update-rc.d wazuh-indexer defaults 95 10
    # service wazuh-indexer start
    
    
  12. For multi-node deployments, repeat steps 4–10 until the upgrade is performed on all the nodes.

  13. Once all the nodes have been upgraded, restart Filebeat.

    # systemctl restart filebeat
    
    # service filebeat restart
    
  14. Run the following command to verify that the communication between Filebeat and the Wazuh indexer is working as expected.

    # filebeat test output
    
    elasticsearch: https://127.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    
  15. Monitor the health of the cluster as follows. Replace <Wazuh_indexer_IP> with your Wazuh indexer IP address or hostname, and <username>:<password> with your Elasticsearch username and password.

    curl -X GET "https://<Wazuh_indexer_IP>:9200/_cluster/health?pretty" -u <username>:<password> -k
    
  16. Re-enable shard allocation.

    curl -X PUT "https://<Wazuh_indexer_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": null
      }
    }
    '
    
  17. Verify that the indexed data in Open Distro is now searchable and indexable in the Wazuh indexer. You may enter the web interface, search for old data and verify that new alerts are coming in.

  18. Uninstall Open Distro for Elasticsearch on all nodes. Choose one option according to the operating system used.

    1. RPM-based operating system:

    # yum remove opendistroforelasticsearch
    
    2. Debian-based operating system:

    # apt-get remove --auto-remove opendistroforelasticsearch
    
    Some files are marked as configuration and data files. Because of this designation, the package manager does not remove them from the filesystem. Removing them completely is the user's responsibility; it can be done by deleting the /var/lib/elasticsearch and /etc/elasticsearch directories.
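As an added example that is not part of the Wazuh documentation, the following POSIX shell script checks the results of steps 7 and 9 on a node before it is started: the certificate files and their modes, the minimum settings in opensearch.yml, and any active DN entry still using OU=Wazuh. The function names and the use of GNU stat -c are assumptions; paths are passed as arguments so the checks can also be run against a staging copy.

```sh
#!/bin/sh
# Pre-start sanity check for a migrated Wazuh indexer node.
# Added example, not Wazuh's own tooling. Assumes GNU stat (-c).
# Usage: check_indexer_certs /etc/wazuh-indexer/certs
#        check_indexer_config /etc/wazuh-indexer/opensearch.yml

# Step 7: the certs directory must be 500, every .pem must be 400, and the
# node certificate, key and root CA must be present (admin.pem is optional,
# since it does not exist on every node).
check_indexer_certs() {
  dir="$1"; rc=0
  [ "$(stat -c %a "$dir")" = "500" ] || { echo "FAIL: $dir mode is not 500"; rc=1; }
  for f in indexer.pem indexer-key.pem root-ca.pem; do
    [ -f "$dir/$f" ] || { echo "FAIL: $dir/$f is missing"; rc=1; }
  done
  for f in "$dir"/*.pem; do
    [ "$(stat -c %a "$f")" = "400" ] || { echo "FAIL: $f mode is not 400"; rc=1; }
  done
  return "$rc"
}

# Step 9: the four minimum settings must be present, and no active
# (uncommented) DN entry may still carry OU=Wazuh, because the default
# Wazuh certificates use OU=Docu.
check_indexer_config() {
  cfg="$1"; rc=0
  for key in cluster.name node.name discovery.seed_hosts cluster.initial_master_nodes; do
    grep -Eq "^${key}:" "$cfg" || { echo "FAIL: $key is not set in $cfg"; rc=1; }
  done
  if grep -Ev '^[[:space:]]*#' "$cfg" | grep -q 'OU=Wazuh'; then
    echo "FAIL: $cfg has an active DN entry with OU=Wazuh; expected OU=Docu"; rc=1
  fi
  return "$rc"
}
```

Both functions return non-zero on any failed check, so they can be chained before the service start in step 11.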

Next steps

Your cluster is now updated. To guarantee a correct operation of Wazuh, make sure to also migrate from Kibana to the Wazuh dashboard. To learn more, see the Migrating to the Wazuh dashboard section.