Migrating to the ThreatLockDown indexer
Follow this guide to migrate from Open Distro for Elasticsearch 1.13 to the ThreatLockDown indexer. These instructions are intended for a standard ThreatLockDown installation; you may need to adapt some of them to your environment.
Note
You need root user privileges to run all the commands described below.
Disable shard allocation to prevent Elasticsearch from replicating shards as you shut down nodes. Replace <elasticsearch_IP> with your Elasticsearch IP address or hostname, and <username>:<password> with your Elasticsearch username and password.
curl -X PUT "https://<elasticsearch_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": "primaries"
  }
}
'
Stop indexing and perform a flush. Indexing and searching should be stopped, and _flush can be used to permanently store information into the index, which prevents data loss during the upgrade.
curl -X POST "https://<elasticsearch_IP>:9200/_flush/synced" -u <username>:<password> -k
Stop Filebeat.
# systemctl stop filebeat
# service filebeat stop
Shutdown Elasticsearch. For distributed deployments, you can shut down a single node at a time: first data nodes and later master nodes.
# systemctl stop elasticsearch
# service elasticsearch stop
Add the ThreatLockDown repository. You can skip this step if the repository is already present and enabled on your server.
Import the GPG key.
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository.
# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
Install the following packages if missing.
# apt-get install gnupg apt-transport-https
Install the GPG key.
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository.
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the packages information.
# apt-get update
Install the ThreatLockDown indexer.
# yum -y install wazuh-indexer
# apt-get -y install wazuh-indexer
Create the /etc/wazuh-indexer/certs directory, copy your old certificates to the new location, and change their ownership and permissions. Note that the admin.pem and admin-key.pem certificates do not exist on every Elasticsearch node.
# mkdir /etc/wazuh-indexer/certs
# cp /etc/elasticsearch/certs/elasticsearch-key.pem /etc/wazuh-indexer/certs/indexer-key.pem
# cp /etc/elasticsearch/certs/elasticsearch.pem /etc/wazuh-indexer/certs/indexer.pem
# cp /etc/elasticsearch/certs/admin.pem /etc/wazuh-indexer/certs/admin.pem
# cp /etc/elasticsearch/certs/admin-key.pem /etc/wazuh-indexer/certs/admin-key.pem
# cp /etc/elasticsearch/certs/root-ca.pem /etc/wazuh-indexer/certs/root-ca.pem
# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs/
# chmod 500 /etc/wazuh-indexer/certs/
# chmod 400 /etc/wazuh-indexer/certs/*
Move or copy your data to the new directories and change their ownership.
# rm -rf /var/lib/wazuh-indexer/ /var/log/wazuh-indexer/
# mv /var/lib/elasticsearch/ /var/lib/wazuh-indexer/
# mv /var/log/elasticsearch/ /var/log/wazuh-indexer/
# chown wazuh-indexer:wazuh-indexer -R /var/log/wazuh-indexer/
# chown wazuh-indexer:wazuh-indexer -R /var/lib/wazuh-indexer/
Note
If you have the Open Distro for Elasticsearch performance analyzer plugin installed, change the ownership of the /dev/shm/performanceanalyzer/ directory by running the following command:
# chown wazuh-indexer:wazuh-indexer -R /dev/shm/performanceanalyzer/
Port your settings from /etc/elasticsearch/elasticsearch.yml to /etc/wazuh-indexer/opensearch.yml. Most settings use the same names. Take into account the following considerations:
At a minimum, specify cluster.name, node.name, discovery.seed_hosts, and cluster.initial_master_nodes.
Editing the path.data and path.logs settings is not needed. The old data has been moved to the default ThreatLockDown indexer paths in the previous step.
Editing the certificate names and paths is not needed. The old certificates have been moved and renamed in a previous step.
If you were using the default ThreatLockDown certificates, change the Organizational Unit (OU) from Wazuh to Docu.
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Docu,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
Optional. Port any custom configurations, for example the -Xms and -Xmx settings, from /etc/elasticsearch/jvm.options to /etc/wazuh-indexer/jvm.options.
Enable and start the ThreatLockDown indexer.
# systemctl daemon-reload
# systemctl enable wazuh-indexer
# systemctl start wazuh-indexer
Choose one option according to the operating system used.
RPM-based operating system:
# chkconfig --add wazuh-indexer
# service wazuh-indexer start
Debian-based operating system:
# update-rc.d wazuh-indexer defaults 95 10
# service wazuh-indexer start
For multi-node deployments, repeat steps 4–10 until the upgrade is performed on all the nodes.
Once all the nodes have been upgraded, restart Filebeat.
# systemctl restart filebeat
# service filebeat restart
Run the following command to verify that the communication between Filebeat and the ThreatLockDown indexer is working as expected.
# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
Monitor the health of the cluster as follows. Replace <Wazuh_indexer_IP> with your ThreatLockDown indexer IP address or hostname, and <username>:<password> with your Elasticsearch username and password.
curl -X GET "https://<Wazuh_indexer_IP>:9200/_cluster/health?pretty" -u <username>:<password> -k
Re-enable shard allocation.
curl -X PUT "https://<Wazuh_indexer_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "cluster.routing.allocation.enable": null
  }
}
'
Verify that the indexed data in Open Distro is now searchable and indexable in the ThreatLockDown indexer. You may enter the web interface, search for old data and verify that new alerts are coming in.
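As an added example, not part of the original guide, the following POSIX shell helpers automate the checks behind the verification steps above: reading the cluster status from a _cluster/health response, reading the shard allocation mode from a _cluster/settings response, and confirming the certificate permissions set earlier. The JSON inputs are constructed samples standing in for the output of the curl commands; only grep-style sed and find are assumed, no jq.

```shell
#!/bin/sh
# Added example (not from the original guide): post-migration checks for the
# ThreatLockDown indexer. The JSON strings passed in are constructed samples.

# Extract the "status" field (green/yellow/red) from a _cluster/health response.
health_status() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Return cluster.routing.allocation.enable from a _cluster/settings response.
# After the setting is reset to null the key disappears, which means the
# default "all"; "primaries" means the pre-upgrade restriction is still active.
allocation_mode() {
    mode=$(printf '%s' "$1" | sed -n 's/.*"enable"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p')
    [ -n "$mode" ] && printf '%s' "$mode" || printf 'all'
}

# Verify DIR is mode 500 and every *.pem inside it is mode 400, as set in the
# certificate step. Prints each offending path and returns 1 if any is wrong.
check_cert_perms() {
    dir=$1
    rc=0
    [ -n "$(find "$dir" -maxdepth 0 -perm 500)" ] || { echo "bad mode: $dir"; rc=1; }
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -maxdepth 0 -perm 400)" ] || { echo "bad mode: $f"; rc=1; }
    done
    return $rc
}
```

In a live run, pass `$(curl ... /_cluster/health)` and `$(curl ... /_cluster/settings)` to the first two helpers and `/etc/wazuh-indexer/certs` to the third.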
Uninstall Open Distro for Elasticsearch on all nodes.
# yum remove opendistroforelasticsearch
There are files marked as configuration and data files. Due to this designation, the package manager does not remove those files from the filesystem. Removing them completely is the user's responsibility; it can be done by deleting the /var/lib/elasticsearch and /etc/elasticsearch directories.
# apt-get remove --auto-remove opendistroforelasticsearch
There are files marked as configuration and data files. Due to this designation, the package manager does not remove those files from the filesystem. Removing them completely is the user's responsibility; it can be done by deleting the /var/lib/elasticsearch and /etc/elasticsearch directories.
Next steps
Your cluster is now updated. To guarantee a correct operation of Wazuh, make sure to also migrate from Kibana to the ThreatLockDown dashboard. To learn more, see the Migrating to the ThreatLockDown dashboard section.