Wazuh-DB backup restoration
By default, ThreatLockDown automatically backs up the global.db database. These snapshots can be used to recover critical information. If the upgrade fails, Wazuh-DB restores the last available backup. If that restoration also fails, it must be done manually.
Manual restore process
The first step is to stop the ThreatLockDown manager:
For Systemd:
# systemctl stop wazuh-manager
For SysV Init:
# service wazuh-manager stop
Then, locate the backup to restore. It is stored in WAZUH_HOME/backup/db with a name format similar to global.db-backup-TIMESTAMP-pre_upgrade.gz.
Note
This process is valid for all the backups in the folder. Snapshot names containing the special tag pre_upgrade were created right before upgrading the ThreatLockDown server. Any other snapshot is a periodic backup created according to the backup setting.
Decompress it. Always use the -k flag to preserve the original file:
# gzip -dk WAZUH_HOME/backup/db/global.db-backup-TIMESTAMP-pre_upgrade.gz
Remove the current global.db database and move the backup to the right location:
# rm WAZUH_HOME/queue/db/global.db
# mv WAZUH_HOME/backup/db/global.db-backup-TIMESTAMP-pre_upgrade WAZUH_HOME/queue/db/global.db
And finally, start Wazuh:
For Systemd:
# systemctl start wazuh-manager
For SysV Init:
# service wazuh-manager start
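The file-handling steps above as a script, to be run between stopping and starting the manager, with two checks added before the swap: an archive integrity test and a SQLite header check. This is an added example, not part of the original documentation or the project's own tooling; the function names, the .replaced suffix and picking the newest backup by modification time are assumptions.

```shell
#!/bin/sh
# Added example (not Wazuh project code). Run as root with wazuh-manager stopped.
# Function names and the ".replaced" suffix are hypothetical.

# Newest archive in WAZUH_HOME/backup/db, chosen by modification time
# (assumption: mtime order matches the TIMESTAMP in the file name).
latest_backup() {
    ls -t "$1"/backup/db/global.db-backup-*.gz 2>/dev/null | head -n 1
}

# Usage: restore_global_db WAZUH_HOME [BACKUP.gz]
# Returns 0 on success, 1 no backup, 2 bad archive, 3 not a SQLite file.
restore_global_db() {
    home=$1
    backup=${2:-$(latest_backup "$home")}
    target="$home/queue/db/global.db"

    if [ -z "$backup" ] || [ ! -f "$backup" ]; then
        echo "no backup found under $home/backup/db" >&2
        return 1
    fi

    # Test the archive first so a truncated snapshot never replaces the live DB.
    if ! gzip -t "$backup"; then
        echo "corrupt archive: $backup" >&2
        return 2
    fi

    # Same decompression as the manual step; -k keeps the .gz, -f overwrites
    # a stale decompressed copy left by an earlier attempt.
    gzip -dkf "$backup" || return 2
    plain=${backup%.gz}

    # Every SQLite 3 database file begins with the string "SQLite format 3".
    if [ "$(head -c 15 "$plain")" != "SQLite format 3" ]; then
        echo "not a SQLite database: $plain" >&2
        rm -f "$plain"
        return 3
    fi

    # Set the current database aside instead of deleting it, so the swap
    # can be undone if the manager fails to start on the restored copy.
    if [ -f "$target" ]; then
        mv "$target" "$target.replaced"
    fi
    mv "$plain" "$target"
}
```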