Migrating to the ThreatLockDown indexer

Follow this guide to migrate from Open Distro for Elasticsearch 1.13 to the ThreatLockDown indexer. These instructions are intended for a standard ThreatLockDown installation; you may need to make some changes to adapt them to your environment.

Note

You need root user privileges to run all the commands described below.

  1. Disable shard allocation to prevent Elasticsearch from replicating shards as you shut down nodes. Replace <elasticsearch_IP> with your Elasticsearch IP address or hostname, and <username>:<password> with your Elasticsearch username and password.

    curl -X PUT "https://<elasticsearch_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": "primaries"
      }
    }
    '
    
  2. Stop indexing and perform a flush. Indexing and searching should be stopped, and _flush can be used to permanently store information in the index, which prevents data loss during the upgrade.

    curl -X POST "https://<elasticsearch_IP>:9200/_flush/synced" -u <username>:<password> -k
    
  3. Stop Filebeat.

    # systemctl stop filebeat
    
  4. Shut down Elasticsearch. For distributed deployments, you can shut down a single node at a time: first data nodes and later master nodes.

    # systemctl stop elasticsearch
    
  5. Add the ThreatLockDown repository. You can skip this step if the repository is already present and enabled on your server.

    1. Import the GPG key.

      # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
      
    2. Add the repository.

      # echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
      
  6. Install the ThreatLockDown indexer.

    # yum -y install wazuh-indexer
    
  7. Create the /etc/wazuh-indexer/certs directory, copy your old certificates to the new location and change ownership and permissions. Note that the admin.pem and admin-key.pem certificates do not exist on every Elasticsearch node.

    # mkdir /etc/wazuh-indexer/certs
    # cp /etc/elasticsearch/certs/elasticsearch-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
    # cp /etc/elasticsearch/certs/elasticsearch.pem /etc/wazuh-indexer/certs/indexer.pem
    # cp /etc/elasticsearch/certs/admin.pem /etc/wazuh-indexer/certs/admin.pem
    # cp /etc/elasticsearch/certs/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
    # cp /etc/elasticsearch/certs/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
    # chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs/
    # chmod 500 /etc/wazuh-indexer/certs/
    # chmod 400 /etc/wazuh-indexer/certs/*
    
  8. Move or copy your data to the new directories and change ownership.

    # rm -rf /var/lib/wazuh-indexer/ /var/log/wazuh-indexer/
    # mv /var/lib/elasticsearch/ /var/lib/wazuh-indexer/
    # mv /var/log/elasticsearch/ /var/log/wazuh-indexer/
    # chown wazuh-indexer:wazuh-indexer -R /var/log/wazuh-indexer/
    # chown wazuh-indexer:wazuh-indexer -R /var/lib/wazuh-indexer/
    

    Note

    If you have the Open Distro for Elasticsearch performance analyzer plugin installed, change the ownership of the /dev/shm/performanceanalyzer/ directory by running the following command: chown wazuh-indexer:wazuh-indexer -R /dev/shm/performanceanalyzer/.

  9. Port your settings from /etc/elasticsearch/elasticsearch.yml to /etc/wazuh-indexer/opensearch.yml. Most settings use the same names.

    Take into account the following considerations:

    1. At a minimum, specify cluster.name, node.name, discovery.seed_hosts, and cluster.initial_master_nodes.

    2. Editing the path.data and the path.logs settings is not needed. The old data has been moved to the default ThreatLockDown indexer paths in the previous step.

    3. Editing the certificates names and paths is not needed. The old certificates have been moved and renamed in a previous step.

    4. If you were using the default ThreatLockDown certificates, change the Organizational Unit (OU) from Wazuh to Docu.

      plugins.security.authcz.admin_dn:
      - "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
      plugins.security.check_snapshot_restore_write_privileges: true
      plugins.security.enable_snapshot_restore_privilege: true
      plugins.security.nodes_dn:
      - "CN=node-1,OU=Docu,O=Wazuh,L=California,C=US"
      #- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
      #- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
      
  10. Optional. Port any custom configurations, for example, the -Xms and -Xmx settings, from /etc/elasticsearch/jvm.options to /etc/wazuh-indexer/jvm.options.

  11. Enable and start the ThreatLockDown indexer.

    # systemctl daemon-reload
    # systemctl enable wazuh-indexer
    # systemctl start wazuh-indexer
    
  12. For multi-node deployments, repeat steps 4–10 until the upgrade is performed on all the nodes.

  13. Once all the nodes have been upgraded, restart Filebeat.

    # systemctl restart filebeat
    
  14. Run the following command to verify that the communication between Filebeat and the ThreatLockDown indexer is working as expected.

    # filebeat test output
    
    elasticsearch: https://127.0.0.1:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 127.0.0.1
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... OK
      version: 7.10.2
    
  15. Monitor the health of the cluster as follows. Replace <Wazuh_indexer_IP> with your ThreatLockDown indexer IP address or hostname, and <username>:<password> with your Elasticsearch username and password.

    curl -X GET "https://<Wazuh_indexer_IP>:9200/_cluster/health?pretty" -u <username>:<password> -k
    
  16. Re-enable shard allocation.

    curl -X PUT "https://<Wazuh_indexer_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
    {
      "persistent": {
        "cluster.routing.allocation.enable": null
      }
    }
    '
    
  17. Verify that the indexed data in Open Distro is now searchable and indexable in the ThreatLockDown indexer. You may enter the web interface, search for old data and verify that new alerts are coming in.

  18. Uninstall Open Distro for Elasticsearch on all nodes.

    # yum remove opendistroforelasticsearch
    

    Some files are marked as configuration and data files. Because of this designation, the package manager does not remove them from the filesystem. Removing them completely is the user's responsibility; it can be done by deleting the /var/lib/elasticsearch and /etc/elasticsearch directories.
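The certificate relocation in step 7 is the part of this procedure most likely to go wrong on a multi-node cluster, because admin.pem and admin-key.pem are not present on every node and a typo in the chmod leaves private keys world-readable. The following script is an added example, not part of the original guide: it performs the step 7 copy and rename, tolerates the optional admin certificates, enforces the 500/400 permissions, and verifies the result. Source directory, destination directory and owner are passed by the caller (the guide's values are /etc/elasticsearch/certs, /etc/wazuh-indexer/certs and wazuh-indexer:wazuh-indexer); GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): step 7 certificate migration
# with handling for the optional admin certificates and a permission check.

# copy_cert SRC_FILE DST_FILE -> 0 if copied, 2 if the source is missing
copy_cert() {
    [ -f "$1" ] || return 2
    cp "$1" "$2"
}

# migrate_certs SRC_DIR DST_DIR OWNER
# Mandatory: node key, node certificate and root CA (renamed as in step 7).
# Optional: admin.pem / admin-key.pem, which do not exist on every node.
migrate_certs() {
    src="$1"; dst="$2"; owner="$3"
    mkdir -p "$dst" || return 1
    copy_cert "$src/elasticsearch-key.pem" "$dst/indexer-key.pem" || return 1
    copy_cert "$src/elasticsearch.pem" "$dst/indexer.pem" || return 1
    copy_cert "$src/root-ca.pem" "$dst/root-ca.pem" || return 1
    for f in admin.pem admin-key.pem; do
        copy_cert "$src/$f" "$dst/$f" \
            || echo "note: $f not present on this node (optional)" >&2
    done
    chown -R "$owner" "$dst" || return 1
    # Directory readable/traversable by the owner only; keys and certs read-only.
    chmod 500 "$dst" && chmod 400 "$dst"/*
}

# verify_certs DST_DIR -> 0 when the directory is mode 500, every file inside
# is mode 400 and the three mandatory files are present.
verify_certs() {
    dst="$1"
    [ "$(stat -c %a "$dst")" = "500" ] || return 1
    for f in indexer-key.pem indexer.pem root-ca.pem; do
        [ -f "$dst/$f" ] || return 1
    done
    for f in "$dst"/*; do
        [ "$(stat -c %a "$f")" = "400" ] || return 1
    done
}
```

Run it as root on each node before porting opensearch.yml; a non-zero exit from verify_certs means the indexer should not be started until the directory is fixed.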

Next steps

Your cluster is now updated. To guarantee a correct operation of Wazuh, make sure to also migrate from Kibana to the ThreatLockDown dashboard. To learn more, see the Migrating to the ThreatLockDown dashboard section.