Wazuh to OpenSearch Configuration Migration: Complete Guide#

This comprehensive guide walks through the process of migrating Wazuh from Elasticsearch to OpenSearch, covering configuration changes, data migration, dashboard setup, and performance optimization. With the shift towards OpenSearch as the preferred indexer for Wazuh, this migration ensures continued support and enhanced features.

Overview#

Wazuh 4.3+ officially supports OpenSearch as its primary indexer, moving away from the Open Distro for Elasticsearch. This migration involves:

Updating Wazuh manager configuration
Migrating existing indices and data
Reconfiguring Wazuh dashboard
Updating API and integration settings
Performance tuning for OpenSearch

Prerequisites#

System Requirements#

Wazuh Components:
- Wazuh Manager 4.3+
- Wazuh Dashboard 4.3+
- Wazuh Indexer (OpenSearch) 2.x
Current Environment:
- Running Elasticsearch cluster (6.x, 7.x, or Open Distro)
- Sufficient storage for data migration
- Backup of all configurations
Target Environment:
- OpenSearch 2.x cluster
- Compatible hardware specifications
- Network connectivity between components

Migration Planning#

Pre-Migration Checklist#

1
#!/bin/bash
2
# Pre-migration verification script
3

4
echo "=== Wazuh Migration Pre-Check ==="
5

6
# Check current versions
7
echo "Current Wazuh version:"
8
/var/ossec/bin/wazuh-control info | grep "Version"
9

10
# Check Elasticsearch version
11
echo "Current Elasticsearch version:"
12
curl -s localhost:9200 | jq '.version.number'
13

14
# Check index sizes
15
echo "Current index sizes:"
16
curl -s localhost:9200/_cat/indices/wazuh-* | awk '{print $3, $9}'
17

18
# Check disk space
19
echo "Available disk space:"
20
df -h /var/lib/elasticsearch
21

22
# Backup current configuration
23
echo "Creating configuration backup..."
24
mkdir -p /backup/wazuh-migration/$(date +%Y%m%d)
25
cp -r /etc/elasticsearch /backup/wazuh-migration/$(date +%Y%m%d)/
26
cp -r /etc/wazuh-indexer /backup/wazuh-migration/$(date +%Y%m%d)/ 2>/dev/null || true
27
cp -r /usr/share/wazuh-dashboard/data/wazuh/config /backup/wazuh-migration/$(date +%Y%m%d)/

Step 1: Install OpenSearch#

OpenSearch Installation#

1
# Add OpenSearch repository
2
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
3
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
4

5
# Install OpenSearch
6
sudo apt-get update
7
sudo apt-get install opensearch=2.11.1
8

9
# Initial configuration
10
sudo nano /etc/opensearch/opensearch.yml

OpenSearch Configuration#

Create /etc/opensearch/opensearch.yml:

1
# OpenSearch Configuration for Wazuh
2
cluster.name: wazuh-cluster
3
node.name: opensearch-node1
4
network.host: 0.0.0.0
5
http.port: 9200
6
discovery.seed_hosts: ["127.0.0.1"]
7
cluster.initial_master_nodes: ["opensearch-node1"]
8

9
# Security settings
10
plugins.security.disabled: false
11
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/node.pem
12
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/node-key.pem
13
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/ca.pem
14
plugins.security.ssl.transport.enforce_hostname_verification: false
15
plugins.security.ssl.http.enabled: true
16
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/node.pem
17
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/node-key.pem
18
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/ca.pem
19

20
# Wazuh-specific settings
21
compatibility.override_main_response_version: true
22
path.data: /var/lib/opensearch
23
path.logs: /var/log/opensearch
24

25
# Performance settings
26
bootstrap.memory_lock: true
27
indices.query.bool.max_clause_count: 2000
28

29
# Cluster settings
30
cluster.routing.allocation.disk.threshold_enabled: true
31
cluster.routing.allocation.disk.watermark.low: 85%
32
cluster.routing.allocation.disk.watermark.high: 90%
33
cluster.routing.allocation.disk.watermark.flood_stage: 95%

JVM Configuration#

Update /etc/opensearch/jvm.options:

1
# JVM heap size (50% of available RAM, max 32GB)
2
-Xms16g
3
-Xmx16g
4

5
# GC configuration
6
-XX:+UseG1GC
7
-XX:MaxGCPauseMillis=200
8
-XX:InitiatingHeapOccupancyPercent=70
9

10
# GC logging
11
-XX:+PrintGCDetails
12
-XX:+PrintGCDateStamps
13
-XX:+PrintTenuringDistribution
14
-XX:+PrintGCApplicationStoppedTime
15
-Xloggc:/var/log/opensearch/gc.log
16
-XX:+UseGCLogFileRotation
17
-XX:NumberOfGCLogFiles=32
18
-XX:GCLogFileSize=64m

Step 2: Data Migration#

Export Data from Elasticsearch#

1
#!/bin/bash
2
# Export Wazuh indices from Elasticsearch
3

4
# Install elasticsearch-dump if not present
5
npm install -g elasticsearch-dump
6

7
# Create export directory
8
mkdir -p /backup/wazuh-indices
9
cd /backup/wazuh-indices
10

11
# Export all Wazuh indices
12
for index in $(curl -s localhost:9200/_cat/indices | grep wazuh | awk '{print $3}'); do
13
    echo "Exporting $index..."
14

15
    # Export mappings
16
    elasticdump \
17
        --input=http://localhost:9200/$index \
18
        --output=$index-mapping.json \
19
        --type=mapping
20

21
    # Export data
22
    elasticdump \
23
        --input=http://localhost:9200/$index \
24
        --output=$index-data.json \
25
        --type=data \
26
        --limit=1000
27
done
28

29
# Export templates
30
elasticdump \
31
    --input=http://localhost:9200 \
32
    --output=templates.json \
33
    --type=template
34

35
# Export aliases
36
elasticdump \
37
    --input=http://localhost:9200 \
38
    --output=aliases.json \
39
    --type=alias

Import Data to OpenSearch#

1
#!/bin/bash
2
# Import Wazuh indices to OpenSearch
3

4
cd /backup/wazuh-indices
5

6
# Update templates for OpenSearch compatibility
7
echo "Updating templates for OpenSearch..."
8
sed -i 's/"type": "keyword"/"type": "keyword"/g' templates.json
9
sed -i 's/"type": "text"/"type": "text"/g' templates.json
10

11
# Import templates first
12
elasticdump \
13
    --input=templates.json \
14
    --output=https://admin:admin@localhost:9200 \
15
    --type=template \
16
    --headers='Content-Type: application/json'
17

18
# Import indices
19
for mapping_file in *-mapping.json; do
20
    index_name=${mapping_file%-mapping.json}
21
    echo "Importing $index_name..."
22

23
    # Import mapping
24
    elasticdump \
25
        --input=$mapping_file \
26
        --output=https://admin:admin@localhost:9200/$index_name \
27
        --type=mapping \
28
        --headers='Content-Type: application/json'
29

30
    # Import data
31
    elasticdump \
32
        --input=${index_name}-data.json \
33
        --output=https://admin:admin@localhost:9200/$index_name \
34
        --type=data \
35
        --limit=1000 \
36
        --headers='Content-Type: application/json'
37
done
38

39
# Import aliases
40
elasticdump \
41
    --input=aliases.json \
42
    --output=https://admin:admin@localhost:9200 \
43
    --type=alias \
44
    --headers='Content-Type: application/json'

Step 3: Update Wazuh Manager Configuration#

Filebeat Configuration#

Update /etc/filebeat/filebeat.yml:

1
# Wazuh - Filebeat configuration for OpenSearch
2
filebeat.inputs:
3
  - type: log
4
    paths:
5
      - "/var/ossec/logs/alerts/alerts.json"
6
    json.keys_under_root: true
7
    json.add_error_key: true
8
    json.message_key: "message"
9

10
processors:
11
  - decode_json_fields:
12
      fields: ["data"]
13
      target: ""
14
      overwrite_keys: true
15
  - drop_fields:
16
      fields: ["beat", "input_type", "offset", "log", "host.name"]
17
      ignore_missing: true
18

19
output.elasticsearch:
20
  hosts: ["localhost:9200"]
21
  protocol: "https"
22
  username: "admin"
23
  password: "admin"
24
  ssl.verification_mode: "none"
25
  index: "wazuh-alerts-4.x-%{+yyyy.MM.dd}"
26
  template.name: "wazuh"
27
  template.pattern: "wazuh-*"
28
  template.settings:
29
    index.number_of_shards: 1
30
    index.number_of_replicas: 0
31
    index.refresh_interval: "5s"
32
    index.query.default_field: "*"
33

34
logging.level: info
35
logging.to_files: true
36
logging.files:
37
  path: /var/log/filebeat
38
  name: filebeat
39
  keepfiles: 7
40
  permissions: 0640

Wazuh API Configuration#

Update /var/ossec/api/configuration/api.yaml:

1
# Wazuh API configuration for OpenSearch
2
indexer:
3
  host: "https://localhost:9200"
4
  username: "wazuh_api"
5
  password: "${WAZUH_API_PASSWORD}"
6
  verify_ssl: false
7

8
logging:
9
  level: "info"
10
  path: "/var/ossec/logs/api.log"
11

12
auth:
13
  max_login_attempts: 5
14
  block_time: 300
15
  max_request_per_minute: 300
16

17
cache:
18
  enabled: true
19
  time: 0.75
20

21
upload:
22
  limits:
23
    eps:
24
      allow: true
25
      size: 1048576

Step 4: Wazuh Dashboard Migration#

Install Wazuh Dashboard for OpenSearch#

1
# Remove old Kibana-based dashboard
2
sudo systemctl stop wazuh-dashboard
3
sudo apt-get remove wazuh-dashboard
4

5
# Install new OpenSearch Dashboards-based Wazuh Dashboard
6
sudo apt-get install wazuh-dashboard
7

8
# Configure dashboard
9
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml

Dashboard Configuration#

1
server.port: 5601
2
server.host: "0.0.0.0"
3
server.name: "wazuh-dashboard"
4

5
opensearch.hosts: ["https://localhost:9200"]
6
opensearch.username: "kibanaserver"
7
opensearch.password: "${DASHBOARD_PASSWORD}"
8
opensearch.ssl.verificationMode: "none"
9

10
# Wazuh plugin configuration
11
wazuh.api.url: "https://localhost:55000"
12
wazuh.api.port: 55000
13
wazuh.api.username: "wazuh"
14
wazuh.api.password: "${WAZUH_API_PASSWORD}"
15

16
# Security settings
17
opensearch_security.multitenancy.enabled: false
18
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
19
server.ssl.enabled: true
20
server.ssl.certificate: /etc/wazuh-dashboard/certs/dashboard.crt
21
server.ssl.key: /etc/wazuh-dashboard/certs/dashboard.key
22

23
# Logging
24
logging.dest: /var/log/wazuh-dashboard/dashboard.log
25
logging.silent: false
26
logging.quiet: false
27
logging.verbose: false

Import Saved Objects#

1
#!/bin/bash
2
# Import Wazuh dashboards and visualizations
3

4
# Export from old Kibana (if needed)
5
curl -X POST "localhost:5601/api/saved_objects/_export" \
6
  -H "Content-Type: application/json" \
7
  -H "kbn-xsrf: true" \
8
  -d '{
9
    "type": ["dashboard", "visualization", "search", "index-pattern"],
10
    "includeReferencesDeep": true
11
  }' > wazuh-saved-objects.ndjson
12

13
# Import to new dashboard
14
curl -X POST "localhost:5601/api/saved_objects/_import" \
15
  -H "Content-Type: multipart/form-data" \
16
  -H "kbn-xsrf: true" \
17
  -F file=@wazuh-saved-objects.ndjson

Step 5: Index Management#

Index Lifecycle Management#

Create /etc/opensearch/index-lifecycle-policy.json:

1
{
2
  "policy": {
3
    "description": "Wazuh index lifecycle policy",
4
    "default_state": "hot",
5
    "states": [
6
      {
7
        "name": "hot",
8
        "actions": [
9
          {
10
            "rollover": {
11
              "min_size": "50gb",
12
              "min_index_age": "1d"
13
            }
14
          }
15
        ],
16
        "transitions": [
17
          {
18
            "state_name": "warm",
19
            "conditions": {
20
              "min_index_age": "7d"
21
            }
22
          }
23
        ]
24
      },
25
      {
26
        "name": "warm",
27
        "actions": [
28
          {
29
            "replica_count": {
30
              "number_of_replicas": 0
31
            }
32
          },
33
          {
34
            "shrink": {
35
              "number_of_shards": 1
36
            }
37
          },
38
          {
39
            "force_merge": {
40
              "max_num_segments": 1
41
            }
42
          }
43
        ],
44
        "transitions": [
45
          {
46
            "state_name": "cold",
47
            "conditions": {
48
              "min_index_age": "30d"
49
            }
50
          }
51
        ]
52
      },
53
      {
54
        "name": "cold",
55
        "actions": [
56
          {
57
            "read_only": {}
58
          },
59
          {
60
            "allocation": {
61
              "include": {
62
                "node_type": "cold"
63
              }
64
            }
65
          }
66
        ],
67
        "transitions": [
68
          {
69
            "state_name": "delete",
70
            "conditions": {
71
              "min_index_age": "90d"
72
            }
73
          }
74
        ]
75
      },
76
      {
77
        "name": "delete",
78
        "actions": [
79
          {
80
            "delete": {}
81
          }
82
        ]
83
      }
84
    ]
85
  }
86
}

Apply the policy:

1
# Create ISM policy
2
curl -X PUT "https://localhost:9200/_plugins/_ism/policies/wazuh-policy" \
3
  -H "Content-Type: application/json" \
4
  -u admin:admin \
5
  -d @/etc/opensearch/index-lifecycle-policy.json
6

7
# Apply policy to indices
8
curl -X PUT "https://localhost:9200/wazuh-alerts-*/_settings" \
9
  -H "Content-Type: application/json" \
10
  -u admin:admin \
11
  -d '{
12
    "index": {
13
      "plugins.index_state_management.policy_id": "wazuh-policy"
14
    }
15
  }'

Index Templates#

Create /etc/opensearch/wazuh-template.json:

1
{
2
  "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
3
  "priority": 1,
4
  "template": {
5
    "settings": {
6
      "index": {
7
        "number_of_shards": "1",
8
        "number_of_replicas": "0",
9
        "refresh_interval": "5s",
10
        "query.default_field": [
11
          "rule.description",
12
          "agent.name",
13
          "agent.ip",
14
          "data.aws.source_ip_address",
15
          "data.url"
16
        ],
17
        "plugins.index_state_management.policy_id": "wazuh-policy",
18
        "plugins.index_state_management.rollover_alias": "wazuh-alerts"
19
      }
20
    },
21
    "mappings": {
22
      "dynamic": true,
23
      "dynamic_templates": [
24
        {
25
          "string_as_keyword": {
26
            "match_mapping_type": "string",
27
            "mapping": {
28
              "type": "keyword",
29
              "ignore_above": 1024
30
            }
31
          }
32
        }
33
      ],
34
      "properties": {
35
        "@timestamp": {
36
          "type": "date"
37
        },
38
        "agent": {
39
          "properties": {
40
            "id": { "type": "keyword" },
41
            "name": { "type": "keyword" },
42
            "ip": { "type": "ip" }
43
          }
44
        },
45
        "rule": {
46
          "properties": {
47
            "level": { "type": "integer" },
48
            "id": { "type": "keyword" },
49
            "description": { "type": "text" }
50
          }
51
        }
52
      }
53
    }
54
  }
55
}

Step 6: Security Configuration#

Configure OpenSearch Security#

1
#!/bin/bash
2
# Security configuration script
3

4
# Generate certificates
5
cd /etc/opensearch
6
./tools/generate-certificates.sh
7

8
# Configure internal users
9
cat > /etc/opensearch/internal_users.yml << EOF
10
_meta:
11
  type: "internalusers"
12
  config_version: 2
13

14
admin:
15
  hash: "$2y$12$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
16
  reserved: true
17
  backend_roles:
18
  - "admin"
19
  description: "Admin user"
20

21
kibanaserver:
22
  hash: "$2y$12$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
23
  reserved: true
24
  description: "OpenSearch Dashboards user"
25

26
wazuh_api:
27
  hash: "$2y$12$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
28
  reserved: false
29
  backend_roles:
30
  - "wazuh_api"
31
  description: "Wazuh API user"
32
EOF
33

34
# Configure roles
35
cat > /etc/opensearch/roles.yml << EOF
36
_meta:
37
  type: "roles"
38
  config_version: 2
39

40
wazuh_api:
41
  cluster_permissions:
42
    - "cluster:monitor/main"
43
    - "indices:admin/template/get"
44
    - "indices:admin/template/put"
45
    - "cluster:admin/ingest/pipeline/get"
46
    - "cluster:admin/ingest/pipeline/put"
47
  index_permissions:
48
    - index_patterns:
49
        - "wazuh-*"
50
      allowed_actions:
51
        - "crud"
52
        - "create_index"
53
        - "manage"
54
EOF
55

56
# Configure role mappings
57
cat > /etc/opensearch/roles_mapping.yml << EOF
58
_meta:
59
  type: "rolesmapping"
60
  config_version: 2
61

62
all_access:
63
  reserved: false
64
  backend_roles:
65
  - "admin"
66
  description: "Maps admin to all_access"
67

68
wazuh_api:
69
  reserved: false
70
  users:
71
  - "wazuh_api"
72
  description: "Maps wazuh_api user to wazuh_api role"
73
EOF
74

75
# Apply security configuration
76
cd /usr/share/opensearch/plugins/opensearch-security/tools
77
./securityadmin.sh -cd /etc/opensearch -icl -nhnv \
78
  -cacert /etc/opensearch/certs/ca.pem \
79
  -cert /etc/opensearch/certs/admin.pem \
80
  -key /etc/opensearch/certs/admin-key.pem

Step 7: Performance Optimization#

OpenSearch Performance Tuning#

1
# System settings for OpenSearch
2
cat > /etc/sysctl.d/opensearch.conf << EOF
3
# Virtual memory
4
vm.max_map_count=262144
5
vm.swappiness=1
6

7
# Network
8
net.core.somaxconn=65535
9
net.ipv4.tcp_max_syn_backlog=65535
10

11
# File descriptors
12
fs.file-max=131072
13
EOF
14

15
# Apply settings
16
sysctl -p /etc/sysctl.d/opensearch.conf
17

18
# Update limits
19
cat > /etc/security/limits.d/opensearch.conf << EOF
20
opensearch soft nofile 65535
21
opensearch hard nofile 65535
22
opensearch soft memlock unlimited
23
opensearch hard memlock unlimited
24
EOF

Query Optimization#

1
// Optimize Wazuh queries
2
{
3
  "persistent": {
4
    "search.max_buckets": 100000,
5
    "indices.query.bool.max_clause_count": 2048,
6
    "cluster.routing.allocation.total_shards_per_node": 1000
7
  },
8
  "transient": {
9
    "indices.recovery.max_bytes_per_sec": "100mb",
10
    "cluster.routing.allocation.node_concurrent_recoveries": 2,
11
    "indices.memory.index_buffer_size": "20%"
12
  }
13
}

Step 8: Monitoring and Validation#

Health Check Script#

1
#!/bin/bash
2
echo "=== Post-Migration Health Check ==="
3

4
# Check OpenSearch cluster health
5
echo "OpenSearch Cluster Health:"
6
curl -s -u admin:admin https://localhost:9200/_cluster/health?pretty
7

8
# Check Wazuh indices
9
echo -e "\nWazuh Indices:"
10
curl -s -u admin:admin https://localhost:9200/_cat/indices/wazuh-*?v
11

12
# Check Filebeat status
13
echo -e "\nFilebeat Status:"
14
systemctl status filebeat --no-pager | grep Active
15

16
# Check Wazuh API connectivity
17
echo -e "\nWazuh API Status:"
18
curl -s -u wazuh:wazuh https://localhost:55000/security/user/authenticate?raw=true
19

20
# Check Dashboard status
21
echo -e "\nWazuh Dashboard Status:"
22
systemctl status wazuh-dashboard --no-pager | grep Active
23

24
# Verify data ingestion
25
echo -e "\nRecent Alerts Count:"
26
curl -s -u admin:admin -X POST https://localhost:9200/wazuh-alerts-*/_count \
27
  -H "Content-Type: application/json" \
28
  -d '{
29
    "query": {
30
      "range": {
31
        "@timestamp": {
32
          "gte": "now-1h"
33
        }
34
      }
35
    }
36
  }' | jq '.count'

Monitoring Dashboard#

Create a monitoring dashboard in OpenSearch Dashboards:

1
{
2
  "version": "2.11.0",
3
  "objects": [
4
    {
5
      "id": "wazuh-migration-dashboard",
6
      "type": "dashboard",
7
      "attributes": {
8
        "title": "Wazuh Migration Monitoring",
9
        "panels": [
10
          {
11
            "gridData": { "x": 0, "y": 0, "w": 24, "h": 15 },
12
            "type": "visualization",
13
            "id": "cluster-health-gauge"
14
          },
15
          {
16
            "gridData": { "x": 24, "y": 0, "w": 24, "h": 15 },
17
            "type": "visualization",
18
            "id": "index-size-timeline"
19
          },
20
          {
21
            "gridData": { "x": 0, "y": 15, "w": 48, "h": 20 },
22
            "type": "visualization",
23
            "id": "alerts-per-hour"
24
          }
25
        ]
26
      }
27
    }
28
  ]
29
}

Troubleshooting#

Common Issues and Solutions#

1. Authentication Failures#

1
# Reset admin password
2
/usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p newpassword
3

4
# Update internal users
5
vim /etc/opensearch/internal_users.yml
6
# Replace admin hash with new one
7

8
# Apply changes
9
./securityadmin.sh -cd /etc/opensearch -icl -nhnv \
10
  -cacert /etc/opensearch/certs/ca.pem \
11
  -cert /etc/opensearch/certs/admin.pem \
12
  -key /etc/opensearch/certs/admin-key.pem

2. Index Compatibility Issues#

1
# Fix mapping conflicts
2
curl -X PUT "https://localhost:9200/wazuh-alerts-*/_mapping" \
3
  -u admin:admin \
4
  -H "Content-Type: application/json" \
5
  -d '{
6
    "properties": {
7
      "agent.id": {
8
        "type": "keyword"
9
      }
10
    }
11
  }'
12

13
# Reindex if needed
14
curl -X POST "https://localhost:9200/_reindex" \
15
  -u admin:admin \
16
  -H "Content-Type: application/json" \
17
  -d '{
18
    "source": {"index": "wazuh-alerts-old"},
19
    "dest": {"index": "wazuh-alerts-new"}
20
  }'

3. Performance Issues#

1
# Check slow queries
2
curl -X GET "https://localhost:9200/wazuh-*/_search" \
3
  -u admin:admin \
4
  -H "Content-Type: application/json" \
5
  -d '{
6
    "profile": true,
7
    "query": {
8
      "match_all": {}
9
    }
10
  }'
11

12
# Optimize indices
13
curl -X POST "https://localhost:9200/wazuh-*/_forcemerge?max_num_segments=1" \
14
  -u admin:admin

Rollback Plan#

Emergency Rollback Procedure#

1
#!/bin/bash
2
echo "Starting rollback to Elasticsearch..."
3

4
# Stop OpenSearch services
5
systemctl stop opensearch
6
systemctl stop wazuh-dashboard
7
systemctl stop filebeat
8

9
# Restore Elasticsearch configuration
10
cp -r /backup/wazuh-migration/$(date +%Y%m%d)/elasticsearch/* /etc/elasticsearch/
11

12
# Start Elasticsearch
13
systemctl start elasticsearch
14

15
# Restore Filebeat configuration
16
cp /backup/wazuh-migration/$(date +%Y%m%d)/filebeat.yml /etc/filebeat/
17

18
# Update output to Elasticsearch
19
sed -i 's/output.elasticsearch/output.elasticsearch/g' /etc/filebeat/filebeat.yml
20
sed -i 's/https:\/\/localhost:9200/http:\/\/localhost:9200/g' /etc/filebeat/filebeat.yml
21

22
# Start services
23
systemctl start filebeat
24
systemctl start kibana
25

26
echo "Rollback completed. Verify services are running correctly."

Best Practices#

1. Phased Migration#

Migrate in stages: Test → Development → Production
Validate each component before proceeding
Maintain parallel environments during transition

2. Data Retention#

Keep Elasticsearch backup for at least 30 days
Document all configuration changes
Test restore procedures regularly

3. Security Hardening#

1
# Disable unnecessary features
2
curl -X PUT "https://localhost:9200/_cluster/settings" \
3
  -u admin:admin \
4
  -H "Content-Type: application/json" \
5
  -d '{
6
    "persistent": {
7
      "plugins.security.audit.type": "internal_opensearch",
8
      "plugins.security.audit.config.disabled_rest_categories": ["AUTHENTICATED"],
9
      "plugins.security.audit.config.disabled_transport_categories": ["AUTHENTICATED"]
10
    }
11
  }'

4. Monitoring Setup#

1
# Metricbeat configuration for monitoring
2
metricbeat.modules:
3
  - module: elasticsearch
4
    metricsets:
5
      - node
6
      - node_stats
7
      - cluster_stats
8
      - index
9
    period: 10s
10
    hosts: ["https://localhost:9200"]
11
    username: "monitoring"
12
    password: "${MONITORING_PASSWORD}"
13
    ssl.verification_mode: "none"

Conclusion#

Migrating from Elasticsearch to OpenSearch for Wazuh provides improved security features, better performance, and long-term support. Key benefits include:

Native security plugin with fine-grained access control
Improved index lifecycle management
Better resource utilization
Active development and community support

The migration process, while complex, ensures your security monitoring infrastructure remains modern and maintainable. Regular monitoring and optimization will maximize the benefits of your new OpenSearch-based Wazuh deployment.