Complete Wazuh to OpenSearch Migration Guide: Indexer Replacement and Data Migration#

Migrating from Wazuh indexer to OpenSearch requires careful planning and execution to ensure data integrity and minimal downtime. This guide provides comprehensive instructions for different migration scenarios, from simple indexer replacement to complex multi-node cluster migrations.

Migration Overview#

Understanding the Migration Scope#

The migration from Wazuh indexer to OpenSearch involves several components:

Components to Migrate:

Index data (alerts, archives, monitoring data)
Index templates and mappings
Security configurations and users
Custom dashboards and visualizations
Backup repositories and snapshots

Migration Paths:

In-place upgrade: Replace Wazuh indexer with OpenSearch on same nodes
Side-by-side migration: Deploy new OpenSearch cluster and migrate data
Hybrid approach: Gradual replacement with data synchronization

Compatibility Matrix#

Wazuh Version	Compatible OpenSearch Version	Migration Method
4.3.x	2.3.0+	Direct replacement
4.4.x	2.8.0+	Direct replacement
4.5.x	2.11.0+	Direct replacement
4.6.x+	2.15.0+	Direct replacement

Pre-Migration Planning#

1. Environment Assessment#

Assess your current Wazuh indexer environment:

1
# Check Wazuh indexer version
2
curl -k -u admin:admin "https://localhost:9200"
3

4
# Check cluster health
5
curl -k -u admin:admin "https://localhost:9200/_cluster/health?pretty"
6

7
# List all indices
8
curl -k -u admin:admin "https://localhost:9200/_cat/indices?v"
9

10
# Check disk usage
11
curl -k -u admin:admin "https://localhost:9200/_cat/allocation?v"
12

13
# Get cluster settings
14
curl -k -u admin:admin "https://localhost:9200/_cluster/settings?pretty"

2. Data Inventory#

Create an inventory of your data:

1
#!/bin/bash
2
echo "=== Wazuh Indexer Data Inventory ==="
3

4
# Count documents per index
5
echo "Document counts:"
6
curl -s -k -u admin:admin "https://localhost:9200/_cat/indices?v&h=index,docs.count" | \
7
  grep -E "wazuh|\.security|\.kibana" | sort
8

9
# Calculate total storage
10
echo -e "\nStorage usage:"
11
curl -s -k -u admin:admin "https://localhost:9200/_cat/indices?v&h=index,store.size" | \
12
  grep -E "wazuh|\.security|\.kibana" | sort
13

14
# List templates
15
echo -e "\nIndex templates:"
16
curl -s -k -u admin:admin "https://localhost:9200/_cat/templates?v"
17

18
# List snapshots
19
echo -e "\nSnapshots:"
20
curl -s -k -u admin:admin "https://localhost:9200/_cat/snapshots?v" 2>/dev/null || echo "No snapshot repositories configured"
21

22
# Check security users
23
echo -e "\nSecurity users:"
24
curl -s -k -u admin:admin "https://localhost:9200/_plugins/_security/api/internalusers" | jq -r 'keys[]' 2>/dev/null || echo "Security plugin not accessible"

3. Backup Strategy#

Create comprehensive backups before migration:

1
# Create snapshot repository
2
curl -k -u admin:admin -X PUT "https://localhost:9200/_snapshot/pre_migration_backup" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "type": "fs",
6
  "settings": {
7
    "location": "/backup/pre-migration",
8
    "compress": true,
9
    "chunk_size": "100MB"
10
  }
11
}'
12

13
# Create complete backup
14
curl -k -u admin:admin -X PUT "https://localhost:9200/_snapshot/pre_migration_backup/full_backup_$(date +%Y%m%d)" \
15
  -H 'Content-Type: application/json' -d'
16
{
17
  "indices": "*",
18
  "include_global_state": true,
19
  "ignore_unavailable": false
20
}'
21

22
# Backup configuration files
23
sudo tar -czf /backup/wazuh-config-$(date +%Y%m%d).tar.gz \
24
  /etc/wazuh-indexer/ \
25
  /etc/wazuh-manager/ \
26
  /etc/wazuh-dashboard/ \
27
  /etc/filebeat/

4. Downtime Planning#

Plan maintenance windows and communication:

1
# Calculate estimated downtime
2
echo "Migration time estimates:"
3
echo "- Single node (< 100GB): 30-60 minutes"
4
echo "- Single node (100GB-1TB): 1-4 hours"
5
echo "- Multi-node cluster: 2-8 hours"
6
echo "- Cross-cluster migration: 4-24 hours"
7

8
# Test migration on development environment first

Single Node Migration#

Method 1: In-Place Replacement#

This method replaces Wazuh indexer with OpenSearch on the same node:

1
#!/bin/bash
2
set -e
3

4
echo "Starting Wazuh to OpenSearch migration..."
5

6
# Step 1: Stop Wazuh services
7
echo "Stopping Wazuh services..."
8
sudo systemctl stop wazuh-dashboard
9
sudo systemctl stop filebeat
10
sudo systemctl stop wazuh-manager
11
sudo systemctl stop wazuh-indexer
12

13
# Step 2: Backup data directory
14
echo "Backing up data directory..."
15
sudo cp -r /var/lib/wazuh-indexer /backup/wazuh-indexer-backup-$(date +%Y%m%d)
16

17
# Step 3: Install OpenSearch
18
echo "Installing OpenSearch..."
19
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo apt-key add -
20
echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
21

22
sudo apt-get update
23
sudo apt-get install opensearch=2.15.0
24

25
# Step 4: Configure OpenSearch
26
echo "Configuring OpenSearch..."
27
sudo cp /etc/wazuh-indexer/opensearch.yml /etc/opensearch/opensearch.yml.backup
28

29
cat << 'EOF' | sudo tee /etc/opensearch/opensearch.yml
30
cluster.name: wazuh-cluster
31
node.name: wazuh-node-1
32
network.host: 0.0.0.0
33
http.port: 9200
34
discovery.type: single-node
35

36
# Data paths
37
path.data: /var/lib/opensearch
38
path.logs: /var/log/opensearch
39
path.repo: /var/lib/opensearch/backup
40

41
# Memory
42
bootstrap.memory_lock: true
43

44
# Security
45
plugins.security.disabled: false
46
plugins.security.allow_default_init_securityindex: true
47
plugins.security.allow_unsafe_democertificates: true
48
EOF
49

50
# Step 5: Migrate data
51
echo "Migrating data..."
52
sudo mkdir -p /var/lib/opensearch
53
sudo cp -r /var/lib/wazuh-indexer/* /var/lib/opensearch/
54
sudo chown -R opensearch:opensearch /var/lib/opensearch
55

56
# Step 6: Start OpenSearch
57
echo "Starting OpenSearch..."
58
sudo systemctl enable opensearch
59
sudo systemctl start opensearch
60

61
# Wait for OpenSearch to start
62
sleep 30
63

64
# Step 7: Verify migration
65
echo "Verifying migration..."
66
curl -k -u admin:admin "https://localhost:9200/_cluster/health?pretty"
67
curl -k -u admin:admin "https://localhost:9200/_cat/indices?v"
68

69
echo "Migration completed successfully!"

Method 2: Side-by-Side Migration#

Deploy new OpenSearch instance and migrate data:

1
#!/bin/bash
2
# Step 1: Install OpenSearch on new port
3
sudo apt-get install opensearch=2.15.0
4

5
# Configure on port 9201 temporarily
6
cat << 'EOF' | sudo tee /etc/opensearch/opensearch.yml
7
cluster.name: wazuh-migration-cluster
8
node.name: opensearch-migration-node
9
network.host: 0.0.0.0
10
http.port: 9201
11
transport.port: 9301
12
discovery.type: single-node
13
path.data: /var/lib/opensearch-migration
14
path.logs: /var/log/opensearch-migration
15
plugins.security.disabled: true
16
EOF
17

18
# Start new OpenSearch instance
19
sudo systemctl start opensearch
20

21
# Step 2: Use reindex API to migrate data
22
echo "Migrating indices..."
23

24
# Get list of indices to migrate
25
INDICES=$(curl -s -k -u admin:admin "https://localhost:9200/_cat/indices?h=index" | grep -E "wazuh|\.security|\.kibana")
26

27
for index in $INDICES; do
28
  echo "Migrating index: $index"
29

30
  # Create index on new cluster
31
  curl -X POST "localhost:9201/_reindex" -H 'Content-Type: application/json' -d"
32
  {
33
    \"source\": {
34
      \"remote\": {
35
        \"host\": \"https://localhost:9200\",
36
        \"username\": \"admin\",
37
        \"password\": \"admin\"
38
      },
39
      \"index\": \"$index\"
40
    },
41
    \"dest\": {
42
      \"index\": \"$index\"
43
    }
44
  }"
45

46
  # Wait for reindex to complete
47
  sleep 10
48
done
49

50
# Step 3: Switch configurations
51
sudo systemctl stop wazuh-indexer
52
sudo systemctl stop opensearch
53

54
# Update OpenSearch config to use standard ports
55
sed -i 's/9201/9200/' /etc/opensearch/opensearch.yml
56
sed -i 's/9301/9300/' /etc/opensearch/opensearch.yml
57
sed -i 's/opensearch-migration/opensearch/' /etc/opensearch/opensearch.yml
58

59
# Move data to standard location
60
sudo mv /var/lib/opensearch-migration /var/lib/opensearch
61
sudo chown -R opensearch:opensearch /var/lib/opensearch
62

63
sudo systemctl start opensearch

Cluster Migration#

Rolling Migration Strategy#

For multi-node clusters, use a rolling migration approach:

1
#!/bin/bash
2
NODES=("node1" "node2" "node3")
3
CLUSTER_IP="10.0.1.10"
4

5
for node in "${NODES[@]}"; do
6
  echo "Migrating node: $node"
7

8
  # Step 1: Disable shard allocation
9
  curl -k -u admin:admin -X PUT "https://$CLUSTER_IP:9200/_cluster/settings" \
10
    -H 'Content-Type: application/json' -d'
11
  {
12
    "persistent": {
13
      "cluster.routing.allocation.enable": "primaries"
14
    }
15
  }'
16

17
  # Step 2: Stop node services on target node
18
  ssh $node "sudo systemctl stop wazuh-indexer"
19

20
  # Step 3: Install OpenSearch on target node
21
  ssh $node "
22
    curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo apt-key add -
23
    echo 'deb https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main' | sudo tee -a /etc/apt/sources.list.d/opensearch-2.x.list
24
    sudo apt-get update
25
    sudo apt-get install opensearch=2.15.0
26
  "
27

28
  # Step 4: Configure OpenSearch
29
  scp cluster-opensearch.yml $node:/tmp/
30
  ssh $node "sudo mv /tmp/cluster-opensearch.yml /etc/opensearch/opensearch.yml"
31

32
  # Step 5: Migrate data directory
33
  ssh $node "
34
    sudo cp -r /var/lib/wazuh-indexer /var/lib/opensearch
35
    sudo chown -R opensearch:opensearch /var/lib/opensearch
36
  "
37

38
  # Step 6: Start OpenSearch
39
  ssh $node "sudo systemctl enable opensearch && sudo systemctl start opensearch"
40

41
  # Step 7: Wait for node to join cluster
42
  sleep 60
43

44
  # Step 8: Re-enable shard allocation
45
  curl -k -u admin:admin -X PUT "https://$CLUSTER_IP:9200/_cluster/settings" \
46
    -H 'Content-Type: application/json' -d'
47
  {
48
    "persistent": {
49
      "cluster.routing.allocation.enable": "all"
50
    }
51
  }'
52

53
  # Step 9: Wait for cluster to stabilize
54
  while true; do
55
    status=$(curl -s -k -u admin:admin "https://$CLUSTER_IP:9200/_cluster/health" | jq -r '.status')
56
    if [ "$status" = "green" ]; then
57
      echo "Cluster is green, proceeding to next node"
58
      break
59
    fi
60
    echo "Waiting for cluster to be green (current: $status)"
61
    sleep 30
62
  done
63
done

Cluster Configuration Template#

1
cluster.name: wazuh-cluster
2
node.name: ${NODE_NAME}
3
node.roles: [cluster_manager, data, ingest]
4

5
network.host: 0.0.0.0
6
http.port: 9200
7
transport.port: 9300
8

9
# Discovery
10
discovery.seed_hosts: ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
11
cluster.initial_cluster_manager_nodes: ["node1"]
12

13
# Paths
14
path.data: /var/lib/opensearch
15
path.logs: /var/log/opensearch
16
path.repo: /shared/backup
17

18
# Memory
19
bootstrap.memory_lock: true
20

21
# Security
22
plugins.security.disabled: false
23
plugins.security.allow_default_init_securityindex: true
24

25
# Performance
26
indices.memory.index_buffer_size: 10%
27
thread_pool.write.queue_size: 1000

Data Migration Strategies#

1. Snapshot and Restore#

Most reliable method for large datasets:

1
# Create snapshot on source
2
curl -k -u admin:admin -X PUT "https://source:9200/_snapshot/migration_repo/migration_snapshot" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "indices": "wazuh-*,.security*,.kibana*",
6
  "ignore_unavailable": true,
7
  "include_global_state": true
8
}'
9

10
# Register repository on destination
11
curl -k -u admin:admin -X PUT "https://destination:9200/_snapshot/migration_repo" \
12
  -H 'Content-Type: application/json' -d'
13
{
14
  "type": "fs",
15
  "settings": {
16
    "location": "/shared/backup/migration"
17
  }
18
}'
19

20
# Restore on destination
21
curl -k -u admin:admin -X POST "https://destination:9200/_snapshot/migration_repo/migration_snapshot/_restore" \
22
  -H 'Content-Type: application/json' -d'
23
{
24
  "indices": "*",
25
  "ignore_unavailable": true,
26
  "include_global_state": true,
27
  "rename_pattern": "(.+)",
28
  "rename_replacement": "$1"
29
}'

2. Remote Reindex#

For selective data migration:

1
# Configure remote cluster
2
curl -k -u admin:admin -X PUT "https://destination:9200/_cluster/settings" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "persistent": {
6
    "cluster.remote.source.seeds": ["source:9300"],
7
    "cluster.remote.source.username": "admin",
8
    "cluster.remote.source.password": "admin"
9
  }
10
}'
11

12
# Reindex with transformation
13
curl -k -u admin:admin -X POST "https://destination:9200/_reindex" \
14
  -H 'Content-Type: application/json' -d'
15
{
16
  "source": {
17
    "remote": {
18
      "host": "https://source:9200",
19
      "username": "admin",
20
      "password": "admin"
21
    },
22
    "index": "wazuh-alerts-*",
23
    "query": {
24
      "range": {
25
        "@timestamp": {
26
          "gte": "now-30d"
27
        }
28
      }
29
    }
30
  },
31
  "dest": {
32
    "index": "wazuh-alerts-migrated"
33
  }
34
}'

3. Logstash Pipeline#

For complex data transformation:

1
input {
2
  elasticsearch {
3
    hosts => ["https://source:9200"]
4
    user => "admin"
5
    password => "admin"
6
    index => "wazuh-alerts-*"
7
    ssl => true
8
    ssl_certificate_verification => false
9
    query => '{"query": {"match_all": {}}}'
10
    scroll => "5m"
11
    size => 1000
12
  }
13
}
14

15
filter {
16
  # Transform data if needed
17
  if [rule][id] {
18
    mutate {
19
      add_field => { "rule_id" => "%{[rule][id]}" }
20
    }
21
  }
22

23
  # Add migration metadata
24
  mutate {
25
    add_field => {
26
      "migration_timestamp" => "%{@timestamp}"
27
      "migration_source" => "wazuh-indexer"
28
    }
29
  }
30
}
31

32
output {
33
  elasticsearch {
34
    hosts => ["https://destination:9200"]
35
    user => "admin"
36
    password => "admin"
37
    index => "wazuh-alerts-%{+YYYY.MM.dd}"
38
    ssl => true
39
    ssl_certificate_verification => false
40
  }
41

42
  stdout {
43
    codec => dots
44
  }
45
}

Configuration Updates#

1. Update Wazuh Manager Configuration#

1
<ossec_config>
2
  <indexer>
3
    <enabled>yes</enabled>
4
    <hosts>
5
      <host>https://localhost:9200</host>
6
    </hosts>
7
    <ssl>
8
      <certificate_authorities>/etc/wazuh-manager/certs/root-ca.pem</certificate_authorities>
9
      <certificate>/etc/wazuh-manager/certs/wazuh-manager.pem</certificate>
10
      <key>/etc/wazuh-manager/certs/wazuh-manager-key.pem</key>
11
    </ssl>
12
  </indexer>
13
</ossec_config>

2. Update Filebeat Configuration#

1
output.elasticsearch:
2
  hosts: ["https://localhost:9200"]
3
  protocol: "https"
4
  username: "admin"
5
  password: "admin"
6
  ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]
7
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
8
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
9
  ssl.verification_mode: "certificate"
10

11
setup.template.name: "wazuh"
12
setup.template.pattern: "wazuh-alerts-*"
13
setup.template.settings:
14
  index.number_of_shards: 1
15
  index.number_of_replicas: 0

3. Update Wazuh Dashboard Configuration#

1
server.host: "0.0.0.0"
2
server.port: 443
3
opensearch.hosts: ["https://localhost:9200"]
4
opensearch.ssl.verificationMode: certificate
5
opensearch.ssl.certificateAuthorities:
6
  ["/etc/wazuh-dashboard/certs/root-ca.pem"]
7
opensearch.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
8
opensearch.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
9

10
opensearch.username: "kibanaserver"
11
opensearch.password: "kibanaserver"

Post-Migration Validation#

1. Health Checks#

1
#!/bin/bash
2
echo "=== Post-Migration Validation ==="
3

4
# Check cluster health
5
echo "Cluster Health:"
6
curl -k -u admin:admin "https://localhost:9200/_cluster/health?pretty"
7

8
# Verify all indices
9
echo -e "\nIndices Status:"
10
curl -k -u admin:admin "https://localhost:9200/_cat/indices?v"
11

12
# Check document counts
13
echo -e "\nDocument Counts:"
14
for index in $(curl -s -k -u admin:admin "https://localhost:9200/_cat/indices?h=index" | grep wazuh); do
15
  count=$(curl -s -k -u admin:admin "https://localhost:9200/$index/_count" | jq -r '.count')
16
  echo "$index: $count documents"
17
done
18

19
# Test search functionality
20
echo -e "\nSearch Test:"
21
curl -k -u admin:admin "https://localhost:9200/wazuh-alerts-*/_search?size=1&pretty"
22

23
# Check templates
24
echo -e "\nTemplates:"
25
curl -k -u admin:admin "https://localhost:9200/_cat/templates?v"
26

27
# Verify security
28
echo -e "\nSecurity Status:"
29
curl -k -u admin:admin "https://localhost:9200/_plugins/_security/health?pretty"

2. Performance Validation#

1
# Performance benchmark
2
curl -k -u admin:admin -X POST "https://localhost:9200/wazuh-alerts-*/_search" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "size": 0,
6
  "aggs": {
7
    "alerts_over_time": {
8
      "date_histogram": {
9
        "field": "@timestamp",
10
        "calendar_interval": "1h"
11
      }
12
    }
13
  }
14
}'
15

16
# Check resource usage
17
curl -k -u admin:admin "https://localhost:9200/_cat/nodes?v&h=name,heap.percent,ram.percent,cpu,load_1m"

3. Data Integrity Verification#

1
#!/bin/bash
2
# Compare document counts between backup and current
3
echo "Comparing document counts..."
4

5
# Create temporary mapping file
6
curl -s -k -u admin:admin "https://localhost:9200/_cat/indices?h=index,docs.count" > current_counts.txt
7

8
# Compare with pre-migration backup
9
# (Assuming you have a snapshot of original counts)
10
diff pre_migration_counts.txt current_counts.txt || echo "Document count differences detected"
11

12
# Sample data verification
13
echo "Verifying sample data..."
14
curl -k -u admin:admin "https://localhost:9200/wazuh-alerts-*/_search?q=rule.id:5716&size=5&pretty"

Rollback Procedures#

1. Emergency Rollback Script#

1
#!/bin/bash
2
echo "Starting emergency rollback..."
3

4
# Stop current services
5
sudo systemctl stop opensearch
6
sudo systemctl stop wazuh-dashboard
7
sudo systemctl stop filebeat
8

9
# Restore from backup
10
sudo rm -rf /var/lib/opensearch
11
sudo cp -r /backup/wazuh-indexer-backup-* /var/lib/wazuh-indexer
12

13
# Reinstall Wazuh indexer
14
sudo apt-get remove --purge opensearch
15
sudo apt-get install wazuh-indexer
16

17
# Restore configurations
18
sudo cp /backup/wazuh-config-*/etc/wazuh-indexer/* /etc/wazuh-indexer/
19

20
# Start services
21
sudo systemctl start wazuh-indexer
22
sudo systemctl start wazuh-dashboard
23
sudo systemctl start filebeat
24

25
echo "Rollback completed"

2. Partial Rollback#

1
# Rollback specific indices
2
curl -k -u admin:admin -X DELETE "https://localhost:9200/problematic-index"
3

4
# Restore from snapshot
5
curl -k -u admin:admin -X POST "https://localhost:9200/_snapshot/backup_repo/pre_migration_backup/_restore" \
6
  -H 'Content-Type: application/json' -d'
7
{
8
  "indices": "problematic-index",
9
  "ignore_unavailable": true
10
}'

Best Practices and Recommendations#

Migration Checklist#

Backup all data and configurations
Test migration in development environment
Plan for adequate downtime window
Verify network connectivity and resources
Update monitoring and alerting configurations
Communicate with stakeholders
Prepare rollback procedures
Document the migration process

Performance Optimization#

1
# Post-migration optimizations
2
curl -k -u admin:admin -X PUT "https://localhost:9200/_cluster/settings" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "persistent": {
6
    "indices.memory.index_buffer_size": "10%",
7
    "indices.memory.min_index_buffer_size": "96mb",
8
    "thread_pool.write.queue_size": 1000,
9
    "thread_pool.search.queue_size": 1000
10
  }
11
}'
12

13
# Optimize indices after migration
14
curl -k -u admin:admin -X POST "https://localhost:9200/_forcemerge?max_num_segments=1"

Security Hardening#

1
# Update default passwords
2
curl -k -u admin:admin -X PUT "https://localhost:9200/_plugins/_security/api/internalusers/admin" \
3
  -H 'Content-Type: application/json' -d'
4
{
5
  "password": "new-secure-password",
6
  "opendistro_security_roles": ["all_access"]
7
}'
8

9
# Configure proper TLS
10
# Update certificates and remove demo certificates

Conclusion#

Successfully migrating from Wazuh indexer to OpenSearch requires careful planning, proper execution, and thorough validation. This guide provides the necessary tools and procedures for different migration scenarios.

Key success factors:

Comprehensive backup strategy
Thorough testing in development
Minimal downtime planning
Post-migration validation
Ready rollback procedures

For complex environments, consider engaging with migration specialists and conduct phased migrations to minimize risk and ensure data integrity throughout the process.