ThreatLockDown central components

To create a backup of the central components of your ThreatLockDown installation, follow these steps. Repeat them on every cluster node you want to back up.

Note

You need root user privileges to execute the commands below.

Preparing the backup

  1. Create the destination folder to store the files. For version control, add the date and time of the backup to the name of the folder.

    # bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
    # mkdir -p $bkp_folder && echo $bkp_folder
    
  2. Save the host information.

    # cat /etc/*release* > $bkp_folder/host-info.txt
    # echo -e "\n$(hostname): $(hostname -I)" >> $bkp_folder/host-info.txt
    

Backing up the ThreatLockDown server

  1. Back up the ThreatLockDown server data and configuration files.

    # rsync -aREz \
    /etc/filebeat/ \
    /etc/postfix/ \
    /var/ossec/api/configuration/ \
    /var/ossec/etc/client.keys \
    /var/ossec/etc/sslmanager* \
    /var/ossec/etc/ossec.conf \
    /var/ossec/etc/internal_options.conf \
    /var/ossec/etc/local_internal_options.conf \
    /var/ossec/etc/rules/local_rules.xml \
    /var/ossec/etc/decoders/local_decoder.xml \
    /var/ossec/etc/shared/ \
    /var/ossec/logs/ \
    /var/ossec/queue/agentless/ \
    /var/ossec/queue/agents-timestamp \
    /var/ossec/queue/fts/ \
    /var/ossec/queue/rids/ \
    /var/ossec/stats/ \
    /var/ossec/var/multigroups/ $bkp_folder
    
  2. If present, back up certificates and additional configuration files.

    # rsync -aREz \
    /var/ossec/etc/*.pem \
    /var/ossec/etc/authd.pass $bkp_folder
    
  3. Back up your custom files. If you have custom active responses, CDB lists, integrations, or wodles, adapt the following command accordingly.

    # rsync -aREz \
    /var/ossec/active-response/bin/<custom_AR_script> \
    /var/ossec/etc/lists/<user_cdb_list>.cdb \
    /var/ossec/integrations/<custom_integration_script> \
    /var/ossec/wodles/<custom_wodle_script> $bkp_folder
    
  4. Stop the ThreatLockDown manager service to prevent modification attempts while copying the ThreatLockDown databases.

    # systemctl stop wazuh-manager
    
  5. Back up the ThreatLockDown databases. They hold the data collected from agents.

    # rsync -aREz \
    /var/ossec/queue/db/ $bkp_folder
    
  6. Start the ThreatLockDown manager service.

    # systemctl start wazuh-manager
    

Backing up the ThreatLockDown indexer and dashboard

  1. Back up the ThreatLockDown indexer certificates and configuration files.

    # rsync -aREz \
    /etc/wazuh-indexer/certs/ \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/jvm.options.d \
    /etc/wazuh-indexer/log4j2.properties \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch.keystore \
    /etc/wazuh-indexer/opensearch-observability/ \
    /etc/wazuh-indexer/opensearch-reports-scheduler/ \
    /etc/wazuh-indexer/opensearch-security/ \
    /usr/lib/sysctl.d/wazuh-indexer.conf $bkp_folder
    
  2. Back up the ThreatLockDown dashboard certificates and configuration files.

    # rsync -aREz \
    /etc/wazuh-dashboard/certs/ \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore \
    /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml $bkp_folder
    
  3. If present, back up your downloads and custom images.

    # rsync -aREz \
    /usr/share/wazuh-dashboard/data/wazuh/downloads/ \
    /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/ $bkp_folder
    

Note

While you're already backing up alert files, consider backing up the cluster indices and state as well. State includes cluster settings, node information, index metadata, and shard allocation.

Check the backup

  1. Verify that the ThreatLockDown manager is active and list all the backed-up files:

    # systemctl status wazuh-manager
    
    # find $bkp_folder -type f | sed "s|$bkp_folder/||" | less
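As an added example (not part of the ThreatLockDown documentation or project), the following shell helper wraps the steps above: it skips "if present" paths that are missing so rsync does not abort, copies with the same rsync -aREz flags, and writes a SHA-256 manifest so the check above can verify file contents, not only file names. The function names and the MANIFEST.sha256 file name are assumptions made here.

```bash
#!/usr/bin/env bash
# Added helper, not part of the ThreatLockDown documentation or project.
# It wraps the steps above: skip "if present" paths that do not exist,
# copy with the same rsync -aREz flags, and record SHA-256 checksums so the
# backup can be verified after it is moved off the host.
set -u

# Print only the arguments that exist on disk. Globs such as
# /var/ossec/etc/*.pem expand at the call site; an unmatched glob arrives as
# a literal string, fails the -e test and is skipped instead of making rsync
# abort with "No such file or directory".
existing_paths() {
    for p in "$@"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# backup_paths DEST PATH... : rsync the existing PATHs into DEST, keeping their
# full directory structure (-R). Paths are assumed to contain no whitespace.
backup_paths() {
    dest=$1; shift
    set -- $(existing_paths "$@")
    [ $# -gt 0 ] || return 1
    mkdir -p "$dest" && rsync -aREz "$@" "$dest"
}

# Write MANIFEST.sha256 (assumed name) covering every regular file under DEST.
write_manifest() {
    (cd "$1" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 -r sha256sum > MANIFEST.sha256)
}

# Return 0 only if every file in DEST still matches MANIFEST.sha256.
verify_manifest() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 > /dev/null)
}

# Usage as root, after the rsync steps above have filled $bkp_folder:
#   backup_paths "$bkp_folder" /var/ossec/etc/*.pem /var/ossec/etc/authd.pass
#   write_manifest "$bkp_folder" && verify_manifest "$bkp_folder"
```

Run verify_manifest again after copying the folder to its off-host destination; a non-zero exit means at least one file no longer matches the checksum recorded at backup time.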