ThreatLockDown central components
To create a backup of the central components of your ThreatLockDown installation, follow these steps. Repeat them on every cluster node you want to back up.
Note
You need root user privileges to execute the commands below.
Preparing the backup
Create the destination folder to store the files. For version control, add the date and time of the backup to the name of the folder.
# bkp_folder=~/wazuh_files_backup/$(date +%F_%H:%M)
# mkdir -p $bkp_folder && echo $bkp_folder
Save the host information.
# cat /etc/*release* > $bkp_folder/host-info.txt
# echo -e "\n$(hostname): $(hostname -I)" >> $bkp_folder/host-info.txt
Backing up the ThreatLockDown server
Back up the ThreatLockDown server data and configuration files.
# rsync -aREz \
    /etc/filebeat/ \
    /etc/postfix/ \
    /var/ossec/api/configuration/ \
    /var/ossec/etc/client.keys \
    /var/ossec/etc/sslmanager* \
    /var/ossec/etc/ossec.conf \
    /var/ossec/etc/internal_options.conf \
    /var/ossec/etc/local_internal_options.conf \
    /var/ossec/etc/rules/local_rules.xml \
    /var/ossec/etc/decoders/local_decoder.xml \
    /var/ossec/etc/shared/ \
    /var/ossec/logs/ \
    /var/ossec/queue/agentless/ \
    /var/ossec/queue/agents-timestamp \
    /var/ossec/queue/fts/ \
    /var/ossec/queue/rids/ \
    /var/ossec/stats/ \
    /var/ossec/var/multigroups/ \
    $bkp_folder
If present, back up certificates and additional configuration files.
# rsync -aREz \
    /var/ossec/etc/*.pem \
    /var/ossec/etc/authd.pass \
    $bkp_folder
Back up your custom files. If you have custom active responses, CDB lists, integrations, or wodles, adapt the following command accordingly.
# rsync -aREz \
    /var/ossec/active-response/bin/<custom_AR_script> \
    /var/ossec/etc/lists/<user_cdb_list>.cdb \
    /var/ossec/integrations/<custom_integration_script> \
    /var/ossec/wodles/<custom_wodle_script> \
    $bkp_folder
Stop the ThreatLockDown manager service so that the ThreatLockDown databases are not modified while you copy them. Use the command that matches your init system (systemd or SysV init).
# systemctl stop wazuh-manager
# service wazuh-manager stop
Back up the ThreatLockDown databases. They hold collected data from agents.
# rsync -aREz \
    /var/ossec/queue/db/ \
    $bkp_folder
Start the ThreatLockDown manager service.
# systemctl start wazuh-manager
# service wazuh-manager start
Backing up the ThreatLockDown indexer and dashboard
Back up the ThreatLockDown indexer certificates and configuration files.
# rsync -aREz \
    /etc/wazuh-indexer/certs/ \
    /etc/wazuh-indexer/jvm.options \
    /etc/wazuh-indexer/jvm.options.d \
    /etc/wazuh-indexer/log4j2.properties \
    /etc/wazuh-indexer/opensearch.yml \
    /etc/wazuh-indexer/opensearch.keystore \
    /etc/wazuh-indexer/opensearch-observability/ \
    /etc/wazuh-indexer/opensearch-reports-scheduler/ \
    /etc/wazuh-indexer/opensearch-security/ \
    /usr/lib/sysctl.d/wazuh-indexer.conf \
    $bkp_folder
Back up the ThreatLockDown dashboard certificates and configuration files.
# rsync -aREz \
    /etc/wazuh-dashboard/certs/ \
    /etc/wazuh-dashboard/opensearch_dashboards.yml \
    /usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore \
    /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml \
    $bkp_folder
If present, back up your downloads and custom images.
# rsync -aREz \
    /usr/share/wazuh-dashboard/data/wazuh/downloads/ \
    /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/ \
    $bkp_folder
Note
While you're already backing up alert files, consider backing up the cluster indices and state as well. State includes cluster settings, node information, index metadata, and shard allocation.
Check the backup
Verify that the ThreatLockDown manager is active again and list all the backed-up files:
# systemctl status wazuh-manager
# service wazuh-manager status
# find $bkp_folder -type f | sed "s|$bkp_folder/||" | less
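The steps above copy the files but do not prove afterwards that the copy is complete and unaltered, and they leave the manager stopped if the database copy fails in the middle of a script. The following helper functions are an added example, not part of the ThreatLockDown documentation or the product: they record a SHA-256 manifest of the backup folder, re-verify it, check that the paths the procedure is meant to capture are actually present (rsync -R stores /var/ossec/etc/ossec.conf as $bkp_folder/var/ossec/etc/ossec.conf), restrict the folder to root, and wrap the database copy so the manager is restarted whether or not the copy succeeded. They assume GNU coreutils and findutils (sha256sum, find -print0, sort -z, xargs -r); STOP_CMD and START_CMD are hypothetical variables that default to the systemd commands on this page.

```shell
#!/bin/sh
# Added example, not ThreatLockDown's own tooling. Assumes GNU coreutils
# and findutils; $bkp_folder is the folder created in "Preparing the backup".
set -u

# Write MANIFEST.sha256 with a hash of every file in the backup folder,
# so a later restore can prove the copy was not altered or truncated.
backup_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 -r sha256sum > MANIFEST.sha256 )
}

# Re-hash every file in the manifest; returns non-zero if any listed
# file is missing or its content changed.
verify_backup() {
    dir=$1
    ( cd "$dir" && sha256sum -c --quiet MANIFEST.sha256 ) >/dev/null 2>&1
}

# Report expected paths (relative to the backup folder, as rsync -R lays
# them out) that are absent; returns 1 if anything is missing.
check_expected() {
    dir=$1; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$dir/$p" ]; then
            echo "missing: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# The backup holds client.keys, TLS private keys, authd.pass and the
# keystores: strip group/other access while keeping owner bits intact
# (so custom scripts stay executable when restored).
harden_backup() {
    dir=$1
    chmod -R go-rwx "$dir"
}

# Run a command (e.g. the rsync of /var/ossec/queue/db/) with the manager
# stopped, and start it again even if the command fails. STOP_CMD and
# START_CMD are hypothetical overrides; defaults are the systemd commands.
with_manager_stopped() {
    stop_cmd=${STOP_CMD:-"systemctl stop wazuh-manager"}
    start_cmd=${START_CMD:-"systemctl start wazuh-manager"}
    $stop_cmd || return 1
    if "$@"; then rc=0; else rc=$?; fi
    $start_cmd || rc=1
    return $rc
}

# Usage after the rsync steps on this page:
#   with_manager_stopped rsync -aREz /var/ossec/queue/db/ "$bkp_folder"
#   harden_backup "$bkp_folder"
#   backup_manifest "$bkp_folder"
#   check_expected "$bkp_folder" var/ossec/etc/ossec.conf var/ossec/etc/client.keys
#   verify_backup "$bkp_folder" && echo "backup verified"
```

Keep the manifest with the backup and re-run verify_backup on the copy you restore from, not only on the original folder; a backup that fails verification on the restore host tells you the transfer or storage altered it.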