Migrating data from Opendistro to the ThreatLockDown indexer
Note
This guide assumes that you previously deployed the version 4.2.x production cluster.
This guide shows how to migrate data from Opendistro to ThreatLockDown Indexer in Docker production deployments (v4.2.x to v4.9). This procedure also upgrades the other ThreatLockDown components to the most recent versions.
1. Run the following command from the wazuh-docker directory to stop the current v4.2.x environment:

   # docker-compose -f production-cluster.yml stop

2. Check that the Elasticsearch volumes are present:

   # docker volume ls --filter name='wazuh-docker_elastic-data'

3. Inspect the Elasticsearch volumes and save the com.docker.compose.version label value; you will need it in step 7:

   # docker volume inspect wazuh-docker_elastic-data-1

4. Stop and remove the containers of the current v4.2.x environment:

   # docker-compose -f production-cluster.yml down

5. Leave the current wazuh-docker directory and rename it to wazuh-docker-4.2.X.

6. Clone the ThreatLockDown 4.9 repository to your system:

   # git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.0

7. Navigate to the multi-node directory and run the volume-migrator script. This script creates new volumes for 4.9 and copies the data from the old volumes into the newly created ones. Pass the Docker Compose version saved in step 3 and the Compose project name as arguments, as in the example below. You can also perform this step manually; see steps 5 and 6 in the ThreatLockDown Docker GitHub repository.

   # ./volume-migrator.sh 1.29.2 multi-node

8. Start the 4.9 environment:

   # docker-compose -f generate-indexer-certs.yml run --rm generator
   # docker-compose up -d
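The manual alternative to the volume-migrator script in step 7 comes down to two things: create each new volume carrying the labels Docker Compose uses to recognise it as its own (com.docker.compose.project, com.docker.compose.version and com.docker.compose.volume), and copy the old volume's contents into it with ownership and permissions preserved. The script below is an added example, not the volume-migrator.sh shipped in the repository. It assumes the old volumes are named <old-project>_elastic-data-N and the new ones <new-project>_wazuh-indexer-data-N (the new naming is an assumption; check the volume names declared in the 4.9 docker-compose.yml before running it), and it verifies the copy by comparing file counts before reporting success.

```shell
#!/bin/sh
# Added example (not the page's volume-migrator.sh): copy one Opendistro data
# volume into a freshly created, compose-labelled volume for the new indexer.
# Assumption: old volumes are named <oldproject>_elastic-data-N and the new
# ones <newproject>_wazuh-indexer-data-N; adjust new_volume_name if not.
set -eu

# Pure mapping: old volume name + new compose project -> new volume name.
new_volume_name() {
    old="$1"; project="$2"
    suffix="${old#*_elastic-data-}"          # keep the trailing node index
    printf '%s_wazuh-indexer-data-%s\n' "$project" "$suffix"
}

# Logical volume name as compose sees it (value of com.docker.compose.volume):
# the full volume name with the "<project>_" prefix stripped.
compose_volume_label() {
    new="$1"; project="$2"
    printf '%s\n' "${new#"${project}_"}"
}

# Create the target volume with the labels compose expects, so that
# `docker-compose up` adopts it instead of creating an empty one, then copy
# the data preserving ownership, modes and timestamps (cp -a).
migrate_volume() {
    old="$1"; project="$2"; compose_version="$3"
    new="$(new_volume_name "$old" "$project")"
    docker volume create \
        --label com.docker.compose.project="$project" \
        --label com.docker.compose.version="$compose_version" \
        --label com.docker.compose.volume="$(compose_volume_label "$new" "$project")" \
        "$new" >/dev/null
    docker run --rm -v "$old:/from:ro" -v "$new:/to" alpine:3 \
        sh -c 'cd /from && cp -a . /to'
    # Sanity check: the number of regular files must match on both sides.
    from_count=$(docker run --rm -v "$old:/from:ro" alpine:3 sh -c 'find /from -type f | wc -l')
    to_count=$(docker run --rm -v "$new:/to:ro" alpine:3 sh -c 'find /to -type f | wc -l')
    [ "$from_count" -eq "$to_count" ] || { echo "file count mismatch for $old" >&2; return 1; }
    echo "migrated $old -> $new ($to_count files)"
}

# Usage: ./migrate-volumes.sh <compose-version> <project> <old-volume>...
# e.g.   ./migrate-volumes.sh 1.29.2 multi-node wazuh-docker_elastic-data-1
if [ "$#" -ge 3 ]; then
    ver="$1"; proj="$2"; shift 2
    for v in "$@"; do migrate_volume "$v" "$proj" "$ver"; done
fi
```

Run it once per old data volume (wazuh-docker_elastic-data-1, -2, -3 in a three-node cluster) before step 8. The labels matter: a volume created without them is treated by Compose as foreign, and `docker-compose up` would provision a new empty volume beside it, leaving the indexer with no data. The old volume is mounted read-only throughout, so a failed copy can simply be retried after removing the half-filled new volume.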