
OpenSearch Cold Storage Using S3 Bucket

Install OpenSearch S3 Plugin

Install the OpenSearch S3 plugin (on a cluster, install it on every node). This is only required if the plugin was not installed previously:

NOTE: For the Wazuh Indexer package use the command below. For the OpenSearch package, use “/usr/share/opensearch/bin/opensearch-plugin”. Other file locations referenced later in this article will also differ depending on the Indexer package used (Wazuh Indexer or OpenSearch).

#/usr/share/wazuh-indexer/bin/opensearch-plugin install repository-s3
-> Installing repository-s3
-> Downloading repository-s3 from opensearch
[=================================================] 100%  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission setDefaultAuthenticator
* java.net.SocketPermission * connect,resolve
* java.util.PropertyPermission opensearch.allow_insecure_settings read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed repository-s3 with folder name repository-s3


Verify the keystore permissions after the plugin install and ensure read/write permissions exist for all groups:

-rw-rw-rw- 1 root root 324 Sep 25 00:08 /etc/wazuh-indexer/opensearch.keystore


Edit /etc/wazuh-indexer/opensearch.yml and add the default S3 bucket info:

### Wasabi S3 Bucket
s3.client.default.endpoint: s3.us-east-2.wasabisys.com
s3.client.default.region: us-east-2

(Modify the endpoint and region according to where the bucket was provisioned.)

Add the S3 access key and secret:

./bin/opensearch-keystore add s3.client.default.access_key
./bin/opensearch-keystore add s3.client.default.secret_key

Each command prompts for the credentials (access key and secret) that were created and assigned the right permissions on the S3 bucket.

 

NOTE: The account created should have the following permissions:

"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
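As an added illustration (not part of the SOCFortress article, and not a policy shipped by Wasabi or OpenSearch), the script below builds a policy document for the snapshot account that grants exactly the four S3 permissions listed above, with the bucket-level action on the bucket ARN and the object-level actions scoped to the repository's base_path. It also includes a small check that flags statements granting wildcard actions or resources. The bucket name and base path used in `__main__` are constructed placeholders; the `arn:aws:s3:::` prefix is the standard S3 ARN form, which Wasabi also accepts.

```python
import json

# Added example, not from the SOCFortress article: a least-privilege policy
# document for the snapshot account, granting only the four S3 permissions
# listed above, scoped to one bucket and one base_path (the repository's base
# path). The bucket and path values in __main__ are constructed placeholders.

BUCKET_ACTIONS = ["s3:ListBucket"]                                    # acts on the bucket
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]  # act on objects


def bucket_arn(bucket: str) -> str:
    return f"arn:aws:s3:::{bucket}"


def snapshot_policy_document(bucket: str, base_path: str) -> dict:
    """Build the policy: ListBucket on the bucket ARN, object actions on
    <bucket>/<base_path>/* so the credentials cannot reach other prefixes."""
    base_path = base_path.strip("/")
    objects = f"{bucket_arn(bucket)}/{base_path}/*" if base_path else f"{bucket_arn(bucket)}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arn(bucket)},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": objects},
        ],
    }


def overbroad_statements(policy: dict) -> list:
    """Return Allow statements that grant wildcard actions or wildcard
    resources, i.e. more than the snapshot repository needs."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "s3:*") for a in actions) or "*" in resources:
            found.append(stmt)
    return found


if __name__ == "__main__":
    doc = snapshot_policy_document("wazuh-cold-storage", "snapshots/companyA")
    print(json.dumps(doc, indent=2))
    print("over-broad statements:", overbroad_statements(doc))
```

Run it to print the policy JSON for the account; `overbroad_statements` can also be pointed at an existing policy exported from the S3 provider to confirm that no statement hands the snapshot credentials more than the repository requires.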

 

Restart the Wazuh Indexer / OpenSearch service.

 

Configure a new Repository using Wazuh Dashboard

Log on to the Wazuh UI and, from the left panel, select Indexer Management – Snapshot Management:

Create a new repository:

Create:

Select custom repository and add the S3 bucket settings:

{
    "type": "s3",
    "settings": {
        "bucket": "<bucket_name>",
        "base_path": "<bucket_base_path>"
    }
}

Replace <bucket_name> with the name of the bucket.

Base Path = path within the bucket where the snapshots are stored

Create snapshot policy and scheduler

Guidelines:

  • Define the scheduler according to the hot retention period:
    • Example: if your hot data is available for 60 days, define the scheduler to run once every two months and back up all indices in the index set. If an index set is named “fortinet-companyA”, select the indices using the wildcard fortinet-companyA_*.
      • Different clients and different log sources can have different hot data retention strategies assigned. Always align the snapshot scheduler with the hot data period of the index set to be backed up.
    • Before restoring any index from a snapshot, ensure that the restored index will be created using a prefix. Example: “restore_fortinet-companyA_10”
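The dashboard steps above are a front end for the OpenSearch snapshot APIs. As an added example (not code from the article, SOCFortress or the OpenSearch project), the script below builds the three request bodies that correspond to the procedure: registering the S3 repository (`PUT _snapshot/<repo>`), creating a Snapshot Management policy (`PUT _plugins/_sm/policies/<name>`) whose cron follows the hot retention period, and restoring with a prefix (`POST _snapshot/<repo>/<snapshot>/_restore` with `rename_pattern`/`rename_replacement`). It also previews locally which index names a restore would create and refuses any that already exist in the cluster, which is the reason for the prefix guideline. The repository name, cron expressions, retention values and the sample index names are assumptions; the endpoint paths and body fields are those of the OpenSearch APIs.

```python
import json
import re

# Added example, not from the SOCFortress article or the OpenSearch project.
# Builds the request bodies behind the dashboard steps and previews the index
# names a restore would create. Repository name, cron schedules, retention
# values and the sample index names are constructed assumptions.

REPO_NAME = "s3-cold"               # assumed repository name
INDEX_SET = "fortinet-companyA_*"   # index set from the article's example
RESTORE_PREFIX = "restore_"         # prefix from the article's restore guideline


def repository_body(bucket: str, base_path: str) -> dict:
    """Body for PUT _snapshot/<repo>: the same custom-repository JSON the dashboard uses."""
    return {"type": "s3", "settings": {"bucket": bucket, "base_path": base_path}}


def snapshot_policy_body(indices: str, repository: str, creation_cron: str,
                         retention: str, keep_min: int, keep_max: int) -> dict:
    """Body for PUT _plugins/_sm/policies/<name> (Snapshot Management API).

    creation_cron should follow the hot retention period: 60 days of hot data
    maps to a run every two months, as in the article's example.
    """
    return {
        "description": f"Cold storage snapshot of {indices}",
        "creation": {
            "schedule": {"cron": {"expression": creation_cron, "timezone": "UTC"}},
            "time_limit": "1h",
        },
        "deletion": {
            "schedule": {"cron": {"expression": "0 1 * * *", "timezone": "UTC"}},
            "condition": {"max_age": retention, "min_count": keep_min, "max_count": keep_max},
            "time_limit": "1h",
        },
        "snapshot_config": {
            "indices": indices,
            "repository": repository,
            "ignore_unavailable": "true",
            "include_global_state": "false",
            "partial": "false",
        },
    }


def restore_body(indices: str, prefix: str) -> dict:
    """Body for POST _snapshot/<repo>/<snapshot>/_restore that prefixes every restored index."""
    return {
        "indices": indices,
        "rename_pattern": "(.+)",
        "rename_replacement": f"{prefix}$1",   # OpenSearch uses Java-style $1 back-references
        "include_global_state": False,
        "ignore_unavailable": True,
    }


def preview_restore_names(snapshot_indices, existing_indices, prefix):
    """Apply the restore rename locally and refuse names that already exist in the cluster."""
    body = restore_body("*", prefix)
    pattern = re.compile(body["rename_pattern"])
    replacement = body["rename_replacement"].replace("$1", r"\1")   # Java $1 -> Python \1
    renamed = [pattern.sub(replacement, name) for name in snapshot_indices]
    clashes = sorted(set(renamed) & set(existing_indices))
    if clashes:
        raise ValueError(f"restore would overwrite live indices: {clashes}")
    return renamed


if __name__ == "__main__":
    print(json.dumps(repository_body("<bucket_name>", "<bucket_base_path>"), indent=2))
    # 60-day hot retention -> snapshot at 02:00 on the 1st of every second month (assumed)
    policy = snapshot_policy_body(INDEX_SET, REPO_NAME, "0 2 1 */2 *", "365d", 2, 12)
    print(json.dumps(policy, indent=2))
    print(json.dumps(restore_body(INDEX_SET, RESTORE_PREFIX), indent=2))
    # constructed sample: one index in the snapshot is still live in the cluster
    print(preview_restore_names(["fortinet-companyA_10"], {"fortinet-companyA_10"}, RESTORE_PREFIX))
```

Send each body to the corresponding endpoint with the cluster's usual authenticated client; `preview_restore_names` is the local check worth running before the restore call, since without the prefix the restore would target the live `fortinet-companyA_10` index.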

 

 

Assign policy name and description:

Select or type the indices to be stored and the repository (S3 bucket base path) where the indices will be stored:

Define the snapshot schedule:

Define retention period:

Create the new policy:

Verify policy creation:
