This guide focuses on backing up and restoring the assets managed by the Wazuh dashboard itself, ensuring you can recover your configuration, customizations, and saved objects in case of system failure or migration.

What to Back Up

The following assets should be included in your backup strategy:

Dashboard Configuration

  • Main configuration file: /etc/wazuh-dashboard/opensearch_dashboards.yml
  • Contains server settings, API connections, and plugin configurations
  • Critical for dashboard startup and connectivity

TLS Certificates

  • Certificate directory: /etc/wazuh-dashboard/certs/
  • Includes SSL/TLS certificates and keys
  • Required for secure communication with indexer and manager
  • Contains:
    • dashboard.crt - Dashboard SSL certificate
    • dashboard.key - Dashboard SSL private key
    • root-ca.pem - Certificate Authority certificate

Saved Objects

  • Dashboards
  • Visualizations
  • Index patterns
  • Searches
  • Custom queries
  • Reports configurations
These are exported from the UI as .ndjson files.

Custom Branding Assets

  • Custom images directory: /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/images/
  • Contains custom logos and branding elements (if used)
  • Only needed if custom branding is configured

Additional Files to Consider

  • Plugin configurations
  • Custom scripts
  • Integration configurations
  • Documentation of custom settings

Backup Procedures

Manual Backup

1. Export Saved Objects

Export saved objects through the dashboard UI:
  1. Open Dashboard management > Dashboards Management > Saved objects.
  2. Export the required objects, or use Export all objects to export everything.
  3. Save the .ndjson file to a secure location.

2. Backup Configuration Files

Create a timestamped backup of the configuration directory:
# Create backup directory
sudo mkdir -p /root/wazuh-dashboard-backups

# Backup entire configuration directory
sudo cp -a /etc/wazuh-dashboard/ /root/wazuh-dashboard-backups/wazuh-dashboard-$(date +%Y%m%d-%H%M%S)/

# Verify backup
ls -la /root/wazuh-dashboard-backups/

3. Backup Certificates

Create a separate backup of certificates:
# Backup certificates with secure permissions
# Capture the timestamp once so mkdir and cp use the same directory
CERT_BACKUP_DIR="/root/wazuh-dashboard-backups/certs-$(date +%Y%m%d-%H%M%S)"
sudo mkdir -p "${CERT_BACKUP_DIR}"
sudo chmod 700 "${CERT_BACKUP_DIR}"
sudo cp -a /etc/wazuh-dashboard/certs/* "${CERT_BACKUP_DIR}/"

# Verify certificate backup
sudo ls -la /root/wazuh-dashboard-backups/certs-*/

4. Backup Custom Branding

If you have custom branding configured:
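# Backup custom branding assets
# Capture the timestamp once so mkdir and cp use the same directory
BRANDING_BACKUP_DIR="/root/wazuh-dashboard-backups/custom-branding-$(date +%Y%m%d-%H%M%S)"
sudo mkdir -p "${BRANDING_BACKUP_DIR}"
# Copy the directory's contents (custom/.) so the restore step does not nest custom/ inside custom/
sudo cp -a /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/. \
  "${BRANDING_BACKUP_DIR}/"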

5. Document Custom Settings

Create a record of your configuration:
# Extract non-commented settings
grep -v "^#" /etc/wazuh-dashboard/opensearch_dashboards.yml | grep -v "^$" \
  > /root/wazuh-dashboard-backups/custom-settings-$(date +%Y%m%d-%H%M%S).txt

# Document plugin configuration
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list \
  > /root/wazuh-dashboard-backups/plugins-list-$(date +%Y%m%d-%H%M%S).txt

Automated Backup Script

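Create a backup script for regular automated backups, saved as /usr/local/bin/wazuh-dashboard-backup.sh (the path used in the scheduling step):
#!/bin/bash
# Wazuh Dashboard Backup Script

# The backup includes TLS private keys: create new files readable by the owner only
umask 077

BACKUP_DIR="/root/wazuh-dashboard-backups"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_NAME="wazuh-dashboard-backup-${TIMESTAMP}"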

# Create backup directory
mkdir -p "${BACKUP_DIR}/${BACKUP_NAME}"

# Backup configuration
cp -a /etc/wazuh-dashboard/ "${BACKUP_DIR}/${BACKUP_NAME}/config/"

# Backup custom branding (if exists)
if [ -d /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/ ]; then
    cp -a /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/ \
      "${BACKUP_DIR}/${BACKUP_NAME}/custom-branding/"
fi

# Document settings
grep -v "^#" /etc/wazuh-dashboard/opensearch_dashboards.yml | grep -v "^$" \
  > "${BACKUP_DIR}/${BACKUP_NAME}/custom-settings.txt"

# List installed plugins
sudo -u wazuh-dashboard /usr/share/wazuh-dashboard/bin/opensearch-dashboards-plugin list \
  > "${BACKUP_DIR}/${BACKUP_NAME}/plugins-list.txt"

# Create archive
tar -czf "${BACKUP_DIR}/${BACKUP_NAME}.tar.gz" -C "${BACKUP_DIR}" "${BACKUP_NAME}"

# Remove uncompressed backup
rm -rf "${BACKUP_DIR}/${BACKUP_NAME}"

# Remove backups older than 30 days
find "${BACKUP_DIR}" -name "wazuh-dashboard-backup-*.tar.gz" -mtime +30 -delete

echo "Backup completed: ${BACKUP_DIR}/${BACKUP_NAME}.tar.gz"

Make the script executable and schedule it with cron:
# Make script executable
chmod +x /usr/local/bin/wazuh-dashboard-backup.sh

# Add to crontab (daily at 2 AM)
crontab -e
# Add this line:
# 0 2 * * * /usr/local/bin/wazuh-dashboard-backup.sh >> /var/log/wazuh-dashboard-backup.log 2>&1

Export Saved Objects via API

Export saved objects programmatically:
curl -X POST "https://localhost:5601/api/saved_objects/_export" \
  -H "osd-xsrf: true" \
  -H "Content-Type: application/json" \
  -u admin:admin \
  -d '{
    "type": [
      "dashboard",
      "visualization",
      "search",
      "index-pattern"
    ]
  }' \
  -o saved-objects-backup-$(date +%Y%m%d-%H%M%S).ndjson

Restore Procedures

Complete Restore

Restore the dashboard from a complete backup:

1. Install Wazuh Dashboard

Reinstall the Wazuh dashboard package on the target host:

Debian/Ubuntu:
apt-get update
apt-get install wazuh-dashboard=5.0.0-1

RHEL/CentOS:
yum install wazuh-dashboard-5.0.0-1

2. Stop the Dashboard Service

systemctl stop wazuh-dashboard

3. Restore Configuration Files

Restore the configuration directory:
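# Remove default configuration
sudo rm -rf /etc/wazuh-dashboard/*

# Restore from a manual backup (the manual procedure stores the files directly in the backup directory)
sudo cp -a /root/wazuh-dashboard-backups/wazuh-dashboard-YYYYMMDD-HHMMSS/* /etc/wazuh-dashboard/

# Or extract from an archive created by the automated script (files are under config/)
sudo tar -xzf /root/wazuh-dashboard-backups/wazuh-dashboard-backup-YYYYMMDD-HHMMSS.tar.gz -C /tmp/
sudo cp -a /tmp/wazuh-dashboard-backup-YYYYMMDD-HHMMSS/config/* /etc/wazuh-dashboard/

# Remove the extracted copy, which contains the TLS private key
sudo rm -rf /tmp/wazuh-dashboard-backup-YYYYMMDD-HHMMSS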

4. Restore Certificates

# Ensure certificates directory exists
sudo mkdir -p /etc/wazuh-dashboard/certs/

# Restore certificates
sudo cp -a /root/wazuh-dashboard-backups/certs-YYYYMMDD-HHMMSS/* /etc/wazuh-dashboard/certs/

# Set correct permissions
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/
sudo chmod 600 /etc/wazuh-dashboard/certs/*.key
sudo chmod 644 /etc/wazuh-dashboard/certs/*.crt
sudo chmod 644 /etc/wazuh-dashboard/certs/*.pem

5. Restore Custom Branding

If you have custom branding:
# Restore custom branding assets
sudo cp -a /root/wazuh-dashboard-backups/custom-branding-YYYYMMDD-HHMMSS/* \
  /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/

# Set correct ownership
sudo chown -R wazuh-dashboard:wazuh-dashboard \
  /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom/

6. Set File Permissions

# Set ownership
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/
sudo chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/

# Set permissions
sudo chmod 640 /etc/wazuh-dashboard/opensearch_dashboards.yml

7. Start the Dashboard Service

systemctl daemon-reload
systemctl enable wazuh-dashboard
systemctl start wazuh-dashboard

8. Verify Service Status

# Check service status
systemctl status wazuh-dashboard

# Monitor logs
sudo tail -f /var/log/wazuh-dashboard/opensearch_dashboards.log

9. Import Saved Objects

Restore saved objects through the UI:
  1. Access the dashboard at https://<DASHBOARD_IP>/app/wz-home
  2. Navigate to Dashboard management > Dashboards Management > Saved objects
  3. Click Import
  4. Select your backed-up .ndjson file
  5. Handle conflicts appropriately
  6. Click Import

Partial Restore

Restore Configuration Only

# Backup current configuration
sudo cp /etc/wazuh-dashboard/opensearch_dashboards.yml \
  /etc/wazuh-dashboard/opensearch_dashboards.yml.bak

# Restore from a manual backup (in an extracted archive the file is under config/)
sudo cp /root/wazuh-dashboard-backups/wazuh-dashboard-YYYYMMDD-HHMMSS/opensearch_dashboards.yml \
  /etc/wazuh-dashboard/opensearch_dashboards.yml

# Restart service
sudo systemctl restart wazuh-dashboard

Restore Certificates Only

# Stop service
sudo systemctl stop wazuh-dashboard

# Backup current certificates
sudo cp -a /etc/wazuh-dashboard/certs/ /etc/wazuh-dashboard/certs.bak/

# Restore certificates
sudo cp -a /root/wazuh-dashboard-backups/certs-YYYYMMDD-HHMMSS/* /etc/wazuh-dashboard/certs/

# Set permissions
sudo chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/
sudo chmod 600 /etc/wazuh-dashboard/certs/*.key

# Start service
sudo systemctl start wazuh-dashboard

Import Specific Saved Objects

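Import saved objects from a backup file through the API. The import covers every object in the file, so to restore only specific types, use a file that was exported with only those types:
# Import saved objects from a backup file
curl -X POST "https://localhost:5601/api/saved_objects/_import" \
  -H "osd-xsrf: true" \
  -u admin:admin \
  --form file=@"<BACKUP_FILE>.ndjson"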

Backup Best Practices

Backup Frequency

  • Configuration files: Before any changes or upgrades
  • Saved objects: Weekly or after significant customizations
  • Certificates: Before renewal or changes
  • Complete backups: Daily or weekly depending on change frequency

Backup Storage

Store backups in a secure location separate from the dashboard server to protect against hardware failure or data loss.
  • Use remote storage (NAS, cloud storage, backup server)
  • Encrypt sensitive backups (especially those containing certificates)
  • Maintain multiple backup versions
  • Test backup integrity regularly
  • Document backup and restore procedures
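
One way to test backup integrity and confirm that an archive holds what a restore needs, as an added example that is not part of the Wazuh documentation. The function names and the `.sha256` sidecar file are assumptions; the member paths follow the layout written by the automated backup script above.

```bash
#!/bin/bash
# Added example: seal a dashboard backup archive and verify it before a restore.
# Assumes the layout written by the automated backup script:
#   <backup-name>/config/opensearch_dashboards.yml and <backup-name>/config/certs/*

# Write a SHA-256 sidecar file next to the archive; make both owner-only.
seal_backup() {
    local dir base
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" ) || return 1
    chmod 600 "$1" "$1.sha256"
}

# Succeed only if the checksum matches, the archive is readable, the files a
# restore needs are present, and the archive is not readable by other users.
verify_backup() {
    local dir base listing member mode
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum -c --status "$base.sha256" ) 2>/dev/null \
        || { echo "FAIL: checksum mismatch or missing sidecar"; return 1; }
    listing=$(tar -tzf "$1") || { echo "FAIL: archive unreadable"; return 1; }
    for member in config/opensearch_dashboards.yml config/certs/dashboard.crt \
                  config/certs/dashboard.key config/certs/root-ca.pem; do
        printf '%s\n' "$listing" | grep -q "/${member}\$" \
            || { echo "FAIL: ${member} missing from archive"; return 1; }
    done
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || { echo "FAIL: mode ${mode}, expected 600"; return 1; }
    echo "OK: $1"
}

# Constructed sample: an empty-file backup tree, archived under directory $1.
make_sample_backup() {
    local name="wazuh-dashboard-backup-sample"
    mkdir -p "$1/$name/config/certs"
    touch "$1/$name/config/opensearch_dashboards.yml" "$1/$name/config/certs/dashboard.crt" \
          "$1/$name/config/certs/dashboard.key" "$1/$name/config/certs/root-ca.pem"
    tar -czf "$1/$name.tar.gz" -C "$1" "$name"
}

demo_dir=$(mktemp -d)
make_sample_backup "$demo_dir" && seal_backup "$demo_dir/wazuh-dashboard-backup-sample.tar.gz"
verify_backup "$demo_dir/wazuh-dashboard-backup-sample.tar.gz"
```

Run `seal_backup` right after the archive is created and `verify_backup` on the copy you intend to restore from, so corruption in transit to remote storage is caught before the restore starts.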

Backup Retention

  • Keep daily backups for 7 days
  • Keep weekly backups for 4 weeks
  • Keep monthly backups for 12 months
  • Adjust retention based on compliance requirements

Security Considerations

  • Secure backup storage with appropriate permissions
  • Encrypt backups containing sensitive data
  • Protect certificate private keys
  • Limit access to backup files
  • Audit backup access regularly

Disaster Recovery

Recovery Time Objective (RTO)

Expected time to restore dashboard functionality:
  • Configuration restore: 10-15 minutes
  • Complete restore: 30-60 minutes
  • Includes service restart and verification

Recovery Point Objective (RPO)

Acceptable data loss window:
  • Configuration changes: Based on backup frequency
  • Saved objects: Last export timestamp
  • Consider more frequent backups for critical environments

Disaster Recovery Testing

Regularly test your backup and restore procedures:
  1. Schedule periodic recovery tests
  2. Document test results
  3. Update procedures based on findings
  4. Train team members on restore procedures
  5. Maintain current documentation

Troubleshooting Restore Issues

Service Fails to Start After Restore

Solutions:
  1. Check configuration file syntax
  2. Verify certificate paths and permissions
  3. Review logs for specific errors
  4. Ensure indexer connectivity
  5. Verify file ownership and permissions

Saved Objects Import Fails

Solutions:
  1. Verify .ndjson file integrity
  2. Check version compatibility
  3. Import in smaller batches
  4. Use overwrite option for conflicts
  5. Check for index pattern dependencies
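
A way to verify an .ndjson export, both right after the API export shown earlier and before an import, as an added example that is not part of the Wazuh documentation. It assumes the export ends with the details line (`exportedCount`, `missingRefCount`) that the export API appends by default; the function name and the sample objects are constructed.

```bash
#!/bin/bash
# Added example: sanity-check a saved objects export before keeping it as a backup.
# Assumption: the file ends with the export details line the export API appends,
# e.g. {"exportedCount":2,"missingRefCount":0,"missingReferences":[]}

check_ndjson_export() {
    local file="$1" lines details exported missing objects
    [ -s "$file" ] || { echo "FAIL: file missing or empty"; return 1; }
    lines=$(grep -v '^[[:space:]]*$' "$file" || true)
    details=$(printf '%s\n' "$lines" | tail -n 1)
    exported=$(printf '%s\n' "$details" | sed -n 's/.*"exportedCount":\([0-9]*\).*/\1/p')
    missing=$(printf '%s\n' "$details" | sed -n 's/.*"missingRefCount":\([0-9]*\).*/\1/p')
    if [ -z "$exported" ] || [ -z "$missing" ]; then
        echo "FAIL: no export details line (truncated file or API error body)"
        return 1
    fi
    # Every line before the details line should be one object with id and type.
    objects=$(printf '%s\n' "$lines" | sed '$d' | grep '"id":' | grep -c '"type":' || true)
    if [ "$objects" -ne "$exported" ]; then
        echo "FAIL: found ${objects} objects, details line says ${exported}"
        return 1
    fi
    if [ "$missing" -ne 0 ]; then
        echo "FAIL: ${missing} referenced objects are not in the export"
        return 1
    fi
    echo "OK: ${exported} objects, no missing references"
}

# Constructed sample export: two objects plus the details line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{"attributes":{"title":"wazuh-alerts-*"},"id":"wazuh-alerts-*","references":[],"type":"index-pattern"}
{"attributes":{"title":"Constructed overview"},"id":"constructed-1","references":[{"id":"wazuh-alerts-*","name":"ref_0","type":"index-pattern"}],"type":"dashboard"}
{"exportedCount":2,"missingRefCount":0,"missingReferences":[]}
EOF
check_ndjson_export "$sample"
```

A failed `curl` export (for example an authentication error) still writes a file, containing only the JSON error body; this check rejects it because the details line is absent.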

Certificate Validation Errors

Solutions:
  1. Verify certificate files are complete
  2. Check certificate expiration dates
  3. Ensure correct certificate format
  4. Verify certificate chain is complete
  5. Check certificate permissions
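
The certificate checks listed above, scripted with `openssl` as an added example that is not part of the Wazuh documentation. File names follow the certs directory listing on this page; the function names and the 30-day expiry threshold are assumptions, and the sample certificate is a constructed self-signed one used only to exercise the checks offline.

```bash
#!/bin/bash
# Added example: checks to run on restored dashboard certificates before
# starting the service. File names follow the certs directory listing on this
# page; the function names and the 30-day default are assumptions.

check_dashboard_certs() {
    local dir="${1:-/etc/wazuh-dashboard/certs}" days="${2:-30}"
    local f mode crt_pub key_pub rc=0
    for f in dashboard.crt dashboard.key root-ca.pem; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f missing or empty"; return 1; }
    done
    # The private key must not be readable by group or others.
    mode=$(stat -c '%a' "$dir/dashboard.key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: dashboard.key has mode $mode"; rc=1 ;;
    esac
    # Certificate and private key must carry the same public key.
    crt_pub=$(openssl x509 -in "$dir/dashboard.crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$dir/dashboard.key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: dashboard.key does not match dashboard.crt"; rc=1
    fi
    # The certificate must chain to the restored CA certificate.
    openssl verify -CAfile "$dir/root-ca.pem" "$dir/dashboard.crt" >/dev/null 2>&1 \
        || { echo "FAIL: dashboard.crt does not verify against root-ca.pem"; rc=1; }
    # The certificate must remain valid for at least $days more days.
    openssl x509 -in "$dir/dashboard.crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1 \
        || { echo "FAIL: dashboard.crt expires within $days days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificates in $dir passed"
    return "$rc"
}

# Constructed sample: a throwaway self-signed certificate, valid for $2 days,
# used as both CA and dashboard certificate in directory $1.
make_sample_certs() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-365}" -subj "/CN=constructed-sample" \
        -keyout "$1/dashboard.key" -out "$1/dashboard.crt" >/dev/null 2>&1 || return 1
    cp "$1/dashboard.crt" "$1/root-ca.pem"
    chmod 600 "$1/dashboard.key"
}

sample_dir=$(mktemp -d)
make_sample_certs "$sample_dir" && check_dashboard_certs "$sample_dir"
```

On a real host, run `sudo bash` with this function loaded and call `check_dashboard_certs` with no arguments to check /etc/wazuh-dashboard/certs before `systemctl start wazuh-dashboard`.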

Additional Resources

  • Configuration reference: Review configuration options
  • Security hardening: Protect backup data
  • Upgrade procedures: Backup before upgrades
  • Migration guide: Backup before major migrations
