Migration Guide: Wazuh to OpenSearch Single Node

Table of Contents#

Introduction#

This guide provides a comprehensive step-by-step process to migrate from Wazuh indexer to OpenSearch while preserving your data and configurations. This migration allows you to leverage OpenSearch’s advanced features while maintaining your existing security monitoring infrastructure.

Prerequisites#

Before starting the migration process, ensure you have:

Root access to the server
Backup of your data (highly recommended)
At least 20GB of free disk space
Basic understanding of Linux command line

Step 1: Install OpenSearch#

First, we need to install OpenSearch on your system:

1
# Install OpenSearch if not already installed
2
apt-get update
3
apt-get install -y opensearch

Step 2: Stop Services#

Before migrating data, stop both services to prevent conflicts:

1
# Stop Wazuh indexer and OpenSearch services
2
systemctl stop wazuh-indexer
3
systemctl stop opensearch

Step 3: Migrate Data Directory#

Now we’ll move the Wazuh indexer data to OpenSearch:

1
# Move Wazuh indexer data to OpenSearch
2
mv /var/lib/wazuh-indexer/* /var/lib/opensearch/
3
chown -R opensearch:opensearch /var/lib/opensearch

Step 4: Copy Certificates#

OpenSearch needs access to the same certificates used by Wazuh:

1
# Create OpenSearch certificates directory
2
mkdir -p /etc/opensearch/certs
3

4
# Copy certificates from Wazuh
5
cp /etc/wazuh-indexer/certs/indexer.pem /etc/opensearch/certs/
6
cp /etc/wazuh-indexer/certs/indexer-key.pem /etc/opensearch/certs/
7
cp /etc/wazuh-indexer/certs/root-ca.pem /etc/opensearch/certs/
8

9
# Set proper permissions
10
chown -R opensearch:opensearch /etc/opensearch/certs
11
chmod 600 /etc/opensearch/certs/indexer-key.pem
12
chmod 644 /etc/opensearch/certs/indexer.pem
13
chmod 644 /etc/opensearch/certs/root-ca.pem

Step 5: Copy Security Configuration#

Copy the security configuration from Wazuh to OpenSearch:

1
# Copy security configuration from Wazuh
2
cp /etc/wazuh-indexer/opensearch-security/roles.yml /etc/opensearch/opensearch-security/
3
cp /etc/wazuh-indexer/opensearch-security/internal_users.yml /etc/opensearch/opensearch-security/
4
cp /etc/wazuh-indexer/opensearch-security/roles_mapping.yml /etc/opensearch/opensearch-security/
5
cp /etc/wazuh-indexer/opensearch-security/config.yml /etc/opensearch/opensearch-security/
6

7
# Set proper permissions
8
chown -R opensearch:opensearch /etc/opensearch/opensearch-security/

Step 6: Configure OpenSearch#

Create or update /etc/opensearch/opensearch.yml with the following configuration:

1
# ======================== OpenSearch Configuration =========================
2

3
# ---------------------------------- Cluster -----------------------------------
4
cluster.name: "wazuh-cluster"
5

6
# ------------------------------------ Node ------------------------------------
7
node.name: "node-1"
8
node.max_local_storage_nodes: "3"
9

10
# ----------------------------------- Paths ------------------------------------
11
path.data: /var/lib/opensearch
12
path.logs: /var/log/opensearch
13

14
# ---------------------------------- Network -----------------------------------
15
network.host: "0.0.0.0"
16

17
# --------------------------------- Discovery ----------------------------------
18
discovery.type: single-node
19

20
# ---------------------------------- Security ----------------------------------
21
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/indexer.pem
22
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
23
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
24
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/indexer.pem
25
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
26
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
27
plugins.security.ssl.http.enabled: true
28
plugins.security.ssl.transport.enforce_hostname_verification: false
29
plugins.security.ssl.transport.resolve_hostname: false
30

31
plugins.security.authcz.admin_dn:
32
  - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
33
plugins.security.check_snapshot_restore_write_privileges: true
34
plugins.security.enable_snapshot_restore_privilege: true
35
plugins.security.nodes_dn:
36
  - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
37
plugins.security.restapi.roles_enabled:
38
  - "all_access"
39
  - "security_rest_api_access"
40

41
plugins.security.system_indices.enabled: true
42
plugins.security.system_indices.indices:
43
  [
44
    ".plugins-ml-model",
45
    ".plugins-ml-task",
46
    ".opendistro-alerting-config",
47
    ".opendistro-alerting-alert*",
48
    ".opendistro-anomaly-results*",
49
    ".opendistro-anomaly-detector*",
50
    ".opendistro-anomaly-checkpoints",
51
    ".opendistro-anomaly-detection-state",
52
    ".opendistro-reports-*",
53
    ".opensearch-notifications-*",
54
    ".opensearch-notebooks",
55
    ".opensearch-observability",
56
    ".opendistro-asynchronous-search-response*",
57
    ".replication-metadata-store",
58
  ]
59

60
# Allow security index initialization
61
plugins.security.allow_default_init_securityindex: true
62

63
# ---------------------------------- Compatibility -----------------------------------
64
### Option to allow Filebeat-oss 7.10.2 to work ###
65
compatibility.override_main_response_version: true
66

67
# ---------------------------------- Performance Analyzer -----------------------------------
68
# Disable performance analyzer to avoid permission issues
69
performance_analyzer.enabled: false

Step 7: Start OpenSearch#

Now start the OpenSearch service:

1
# Start OpenSearch
2
systemctl start opensearch
3

4
# Wait a moment for OpenSearch to start
5
sleep 30

Step 8: Set Up OpenSearch Dashboards#

Install and configure OpenSearch Dashboards:

1
# Install OpenSearch Dashboards if not already installed
2
apt-get install -y opensearch-dashboards

Create or update /etc/opensearch-dashboards/opensearch_dashboards.yml:

1
server.host: 0.0.0.0
2
server.port: 443
3
opensearch.hosts: https://localhost:9200
4
opensearch.ssl.verificationMode: certificate
5
opensearch.username: "admin"
6
opensearch.password: "your_admin_password" # Replace with your actual password
7
opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
8
opensearch_security.multitenancy.enabled: true
9
opensearch_security.multitenancy.tenants.preferred: ["Global", "Private"]
10
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
11
server.ssl.enabled: true
12
server.ssl.key: "/etc/opensearch-dashboards/certs/dashboard-key.pem"
13
server.ssl.certificate: "/etc/opensearch-dashboards/certs/dashboard.pem"
14
opensearch.ssl.certificateAuthorities:
15
  ["/etc/opensearch-dashboards/certs/root-ca.pem"]
16
uiSettings.overrides.defaultRoute: /app/home
17

18
# Initially use basic auth to verify connection
19
opensearch_security.auth.type: "basic"

Step 9: Copy Dashboard Certificates#

Copy certificates for OpenSearch Dashboards:

1
# Create certificates directory
2
mkdir -p /etc/opensearch-dashboards/certs
3

4
# Copy certificates from Wazuh dashboard
5
cp /etc/wazuh-dashboard/certs/dashboard-key.pem /etc/opensearch-dashboards/certs/
6
cp /etc/wazuh-dashboard/certs/dashboard.pem /etc/opensearch-dashboards/certs/
7
cp /etc/wazuh-dashboard/certs/root-ca.pem /etc/opensearch-dashboards/certs/
8

9
# Set proper ownership and permissions
10
chown -R opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/certs
11
chmod 600 /etc/opensearch-dashboards/certs/dashboard-key.pem
12
chmod 644 /etc/opensearch-dashboards/certs/dashboard.pem
13
chmod 644 /etc/opensearch-dashboards/certs/root-ca.pem

Step 10: Configure OpenSearch Dashboards for Port 443#

To run OpenSearch Dashboards on port 443, we need to configure authbind:

1
# Install authbind to allow binding to port 443
2
apt-get update
3
apt-get install -y authbind
4

5
# Configure authbind for port 443
6
touch /etc/authbind/byport/443
7
chmod 500 /etc/authbind/byport/443
8
chown opensearch-dashboards /etc/authbind/byport/443
9

10
# Create a systemd override directory
11
mkdir -p /etc/systemd/system/opensearch-dashboards.service.d/
12

13
# Create the override file
14
cat > /etc/systemd/system/opensearch-dashboards.service.d/override.conf << EOF
15
[Service]
16
ExecStart=
17
ExecStart=/usr/bin/authbind --deep /usr/share/opensearch-dashboards/bin/opensearch-dashboards
18
EOF
19

20
# Reload systemd configuration
21
systemctl daemon-reload

Step 11: Start OpenSearch Dashboards#

1
# Start OpenSearch Dashboards
2
systemctl start opensearch-dashboards

Step 12: Verify Installation#

Check if everything is working correctly:

1
# Check OpenSearch Status
2
curl -k -u "admin:your_admin_password" https://localhost:9200
3

4
# Check OpenSearch Indices
5
curl -k -u "admin:your_admin_password" https://localhost:9200/_cat/indices?v

Step 13: Configure Services to Start on Boot#

Enable services to start automatically:

1
# Enable services to start on boot
2
systemctl enable opensearch
3
systemctl enable opensearch-dashboards

Step 14: Re-enable OpenID Connect (Optional)#

If you were using OpenID Connect authentication, update the OpenSearch Dashboards configuration:

1
# Update /etc/opensearch-dashboards/opensearch_dashboards.yml
2
opensearch_security.auth.type: "openid"
3

4
# The IdP metadata endpoint
5
opensearch_security.openid.connect_url: "your_openid_connect_url"
6

7
# The ID of the OpenID Connect client
8
opensearch_security.openid.client_id: "your_client_id"
9

10
# The client secret of the OpenID Connect client
11
opensearch_security.openid.client_secret: "your_client_secret"
12

13
opensearch_security.openid.base_redirect_url: "your_redirect_url"
14
opensearch_security.openid.logout_url: "your_logout_url"

Then restart OpenSearch Dashboards:

1
systemctl restart opensearch-dashboards

Troubleshooting#

Fixing Security Index Issues#

If the security index is not initializing properly:

1
# Disable OpenSearch
2
systemctl stop opensearch
3

4
# Reset the cluster state
5
rm -rf /var/lib/opensearch/nodes/0/node.lock
6
rm -rf /var/lib/opensearch/nodes/0/_state
7

8
# Start OpenSearch again
9
systemctl start opensearch

Fixing Performance Analyzer Permission Issues#

If you see performance analyzer permission errors:

1
# Create the directory with proper permissions
2
mkdir -p /dev/shm/performanceanalyzer
3
chmod 777 /dev/shm/performanceanalyzer

Fixing Connection Issues#

If OpenSearch Dashboards can’t connect to OpenSearch:

Verify OpenSearch is running: systemctl status opensearch
Check your admin password is correct in both places
Verify certificates are properly configured

Advanced Configuration#

Enabling OpenID Connect with Keycloak#

If you’re using Keycloak for authentication, here’s a sample configuration:

1
# OpenSearch Dashboards configuration for Keycloak
2
opensearch_security.auth.type: "openid"
3
opensearch_security.openid.connect_url: "https://your-keycloak-server:9443/realms/your-realm/.well-known/openid-configuration"
4
opensearch_security.openid.client_id: "opensearch"
5
opensearch_security.openid.client_secret: "your-client-secret"
6
opensearch_security.openid.base_redirect_url: "https://your-opensearch-dashboards-url"
7
opensearch_security.openid.logout_url: "https://your-keycloak-server:9443/realms/your-realm/protocol/openid-connect/logout"

Custom Index Patterns#

To use custom index patterns (like invinsense instead of wazuh):

1
# In your Wazuh configuration
2
alerts.sample.prefix: "invinsense-alerts-4.x-"
3
cron.prefix: "invinsense"
4
pattern: "invinsense-alerts-*"
5
wazuh.monitoring.pattern: "invinsense-monitoring-*"
6
vulnerabilities.pattern: "invinsense-states-vulnerabilities-*"

Conclusion#

After following these steps, you should have a working single-node OpenSearch setup migrated from your Wazuh installation. This migration preserves all your data while giving you access to OpenSearch’s advanced features and flexibility.

Remember to:

Test all functionality thoroughly before decommissioning the old Wazuh indexer
Keep backups of your data and configurations
Monitor logs for any issues during the first few days
Update any external integrations to point to the new OpenSearch endpoints

For production environments, consider:

Setting up regular snapshots for backup
Implementing proper security policies
Monitoring cluster health and performance
Planning for scaling if your data grows