wazuh-packages
Add upgrade option to the unattended script
Hello team!
The aim of this issue is to add the option of upgrading the installation.
The script will check if any of the components of Wazuh are installed; if so, it will check their version. If the version of the components is not the latest, it will prompt a message to inform the user to run the script with the option -u, which will create a backup of the user data and upgrade the present components.
Regards,
David
UPDATE
- Add new function file for upgrade
- Add upgrade functions
- Add -u/--upgrade option to main
Take into account Wazuh documentation.
Update
Improve mechanism to check if the upgrade is available, now for apt we use:
apt-get install wazuh-manager=${wazuh_version}-* --dry-run |grep "The following packages will be upgraded:"
to check if we can upgrade to the version of the script.
And for yum we use:
yum install wazuh-manager-4.3.5 --setopt tsflags=test -y
To make a test installation and check if the upgrade is possible.
Update
- Apply changes and test new script.
We found that the yum command takes a bit too long so we have decided to use:
yum list wazuh-manager --show-duplicates | tail -n +8 | grep -A 5000 "4.3.0"
To get the packages that upgrade the installed one in a faster way.
- Fix typo in README.
Update
Test changes and apply some improvements:
[root@ip-172-31-21-23 unattended_installer]# bash wazuh-install.sh -up
10/11/2022 15:08:40 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10/11/2022 15:08:40 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10/11/2022 15:08:42 INFO: --- Upgrading existing Wazuh installation ---
10/11/2022 15:08:49 INFO: Upgrading Wazuh manager to 4.4.0assistant version
10/11/2022 15:08:49 WARNING: Filebeat is already installed and is up to date.
10/11/2022 15:08:49 INFO: Upgrading Filebeat module to 0.2
10/11/2022 15:08:49 INFO: Upgrading Wazuh indexer to 4.4.0
10/11/2022 15:08:49 INFO: Upgrading Wazuh dashboard to 4.4.0
Update
Fix minor errors:
- Error in DEB packages while checking if Filebeat is upgradeable:
30/11/2022 16:11:35 INFO: Wazuh development repository added.
30/11/2022 16:11:35 INFO: --- Upgrading existing Wazuh installation ---
E: Version '7.10.2-*' for 'filebeat' was not found
Fixed by removing revision from apt command:
filebeat_upgradable=$(apt-get install filebeat=${filebeat_version} --dry-run |grep "The following packages will be upgraded:")
instead of:
filebeat_upgradable=$(apt-get install filebeat=${filebeat_version}-* --dry-run |grep "The following packages will be upgraded:")
- Fix an error where the script tried to upgrade packages to the same version in RPM systems:
[root@localhost vagrant]# bash wazuh-install.sh -up
30/11/2022 16:27:14 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
30/11/2022 16:27:14 INFO: Verbose logging redirected to /var/log/wazuh-install.log
30/11/2022 16:27:18 INFO: Wazuh development repository added.
30/11/2022 16:27:18 INFO: --- Upgrading existing Wazuh installation ---
30/11/2022 16:27:20 INFO: Upgrading Wazuh Manager to 4.4.0
30/11/2022 16:28:28 INFO: Starting service wazuh-manager.
30/11/2022 16:28:28 INFO: wazuh-manager service started.
30/11/2022 16:28:28 INFO: Upgrading Filebeat to 7.10.2
30/11/2022 16:28:35 INFO: Upgrading Filebeat module to 0.2
30/11/2022 16:28:37 INFO: Starting service filebeat.
30/11/2022 16:28:37 INFO: filebeat service started.
30/11/2022 16:28:37 INFO: Upgrading Wazuh Indexer to 4.4.0
30/11/2022 16:29:55 INFO: Starting service wazuh-indexer.
30/11/2022 16:29:55 INFO: wazuh-indexer service started.
30/11/2022 16:29:55 INFO: Upgrading Wazuh Dashboard to 4.4.0
30/11/2022 16:31:35 INFO: Starting service wazuh-dashboard.
30/11/2022 16:31:35 INFO: wazuh-dashboard service started.
As we can see here the package upgraded Filebeat to 7.10.2, this was fixed by removing the first line in the command:
yum list filebeat --show-duplicates | tail -n +8 | grep -A 5000 ${filebeat_installed} | grep ${filebeat_version} | tail -n +2
Add improvements:
- Make the common_checkInstalled function return the version of the installed package:
if [ "${sys_type}" == "yum" ]; then
    wazuh_installed=$(yum list installed 2>/dev/null | grep wazuh-manager | sed 's/  */ /g' | cut -d' ' -f2 | sed "s/-.*//g")
elif [ "${sys_type}" == "apt-get" ]; then
    wazuh_installed=$(apt list --installed 2>/dev/null | grep wazuh-manager | cut -d' ' -f2 | sed -e "s/-.*//")
fi
https://github.com/wazuh/wazuh-packages/pull/1771/commits/c2f13343eaba2687cbf4356b33b590987a5a02db
- Improve messages:
common_logger -w "Wazuh Indexer is already installed and the version is equal or greater than ${wazuh_version}."
- Remove unused messages:
common_logger -w "Wazuh Indexer is already installed and is up to date."
- Add repository before upgrading in case the repository was removed:
if [ -n "${upgrade}" ]; then
installCommon_addWazuhRepo
upgrade_upgradeInstalled
https://github.com/wazuh/wazuh-packages/pull/1771/commits/343a83510ad0658bb470f9e715a0b4c2572a9c5a
Testing
Test script in various systems:
- CentOS 7
- CentOS 8
- RHEL 9
- Ubuntu 18
- Ubuntu 20
- Ubuntu 22
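The candidate selection discussed in the updates above (header lines skipped with tail, the same-version upgrade on RPM systems) can also be done with a version-aware comparison. The following is an added example, not part of the original thread or of wazuh-install.sh; the function names and the sample listing are constructed, and GNU sort -V is assumed to be available.

```bash
#!/usr/bin/env bash
# Added example, not code from wazuh-install.sh. Function names are hypothetical.

# Constructed sample of `yum list wazuh-manager --showduplicates` output.
sample_yum_output() {
    cat <<'EOF'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
wazuh-manager.x86_64    4.3.6-1     wazuh
wazuh-manager.x86_64    4.3.7-1     wazuh
wazuh-manager.x86_64    4.3.7-2     wazuh
wazuh-manager.x86_64    4.3.9-1     wazuh
wazuh-manager.x86_64    4.3.10-1    wazuh
wazuh-manager.x86_64    4.4.0-1     wazuh
EOF
}

# Return 0 when version $1 is strictly newer than version $2.
# sort -V orders 4.3.9 before 4.3.10, which a plain string comparison does not.
version_gt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Read the yum listing on stdin and print the version-release to upgrade to,
# or nothing when no upgrade applies.
#   $1 = package name, $2 = installed version, $3 = version the script targets
upgrade_candidate() {
    # Same or older target: consume the input and report no candidate.
    if ! version_gt "$3" "$2"; then
        cat >/dev/null
        return 0
    fi
    awk -v pkg="$1" -v target="$3" '
        # Keep only rows whose first column is "<pkg>.<arch>", so repository
        # banners and mirror lines are ignored whatever their number.
        index($1, pkg ".") == 1 {
            split($2, vr, "-")            # "4.3.7-2" -> version "4.3.7"
            if (vr[1] == target) print $2
        }' | sort -V | tail -n 1          # newest release of the target version
}

# Usage on an RPM host (assumed invocation):
#   yum list wazuh-manager --showduplicates 2>/dev/null |
#       upgrade_candidate wazuh-manager "${wazuh_installed}" "${wazuh_version}"
```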
Update
Work on documentation:
- Add a new page to the upgrade guide for upgrading central components using the script.
- Set the link from the main upgrade page to the new page.
- Rename old main components upgrade guide to upgrading central components step-by-step
@DFolchA
I found a bug with the --show-duplicates argument for the yum list command on CentOS 8, possibly deprecated for this version of yum:
[root@centos8 ~]# yum list wazuh-indexer --show-duplicates
usage: yum list [-c [config file]] [-q] [-v] [--version]
[--installroot [path]] [--nodocs] [--noplugins]
[--enableplugin [plugin]] [--disableplugin [plugin]]
[--releasever RELEASEVER] [--setopt SETOPTS] [--skip-broken]
[-h] [--allowerasing] [-b | --nobest] [-C] [-R [minutes]]
[-d [debug level]] [--debugsolver] [--showduplicates]
[-e ERRORLEVEL] [--obsoletes]
[--rpmverbosity [debug level name]] [-y] [--assumeno]
[--enablerepo [repo]] [--disablerepo [repo] | --repo [repo]]
[--enable | --disable] [-x [package]]
[--disableexcludes [repo]] [--repofrompath [repo,path]]
[--noautoremove] [--nogpgcheck] [--color COLOR] [--refresh]
[-4] [-6] [--destdir DESTDIR] [--downloadonly]
[--comment COMMENT] [--bugfix] [--enhancement] [--newpackage]
[--security] [--advisory ADVISORY] [--bz BUGZILLA]
[--cve CVES]
[--sec-severity {Critical,Important,Moderate,Low}]
[--forcearch ARCH]
[--all | --available | --installed | --extras | --updates | --upgrades | --autoremove | --recent]
[PACKAGE [PACKAGE ...]]
yum list: error: unrecognized arguments: --show-duplicates
[root@centos8 ~]# yum --version
4.7.0
Installed: dnf-0:4.7.0-4.el8.noarch at Mon 18 Apr 2022 07:16:01 AM GMT
Built : CentOS Buildsys <[email protected]> at Fri 17 Sep 2021 07:06:14 PM GMT
Installed: rpm-0:4.14.3-19.el8.x86_64 at Mon 18 Apr 2022 07:15:15 AM GMT
Built : CentOS Buildsys <[email protected]> at Fri 15 Oct 2021 05:46:55 PM GMT
For this version, the argument must be yum list wazuh-indexer --showduplicates
I was able to check that for version 3.4.3 of yum the --show-duplicates argument was available
I found some more messages in the Ubuntu Bionic and Ubuntu Jammy upgrade, despite these messages the upgrade was done:
10:15:49 15/12/2022 13:15:38 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
10:15:49 15/12/2022 13:15:38 INFO: Verbose logging redirected to /var/log/wazuh-install.log
10:15:49 15/12/2022 13:15:40 DEBUG: Adding the Wazuh repository.
10:15:49 gpg: key 96B3EE5F29111145: "Wazuh.com (Wazuh Signing Key) <[email protected]>" not changed
10:15:49 gpg: Total number processed: 1
10:15:49 gpg: unchanged: 1
10:15:49 deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
10:15:49 Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
10:15:49 Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
10:15:49 Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-backports InRelease [83.3 kB]
10:15:49 Hit:4 https://deb.nodesource.com/node_8.x bionic InRelease
10:15:49 Hit:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease
10:15:49 Hit:6 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu bionic InRelease
10:15:49 Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
10:15:49 Traceback (most recent call last):
10:15:49 File "/usr/lib/cnf-update-db", line 8, in <module>
10:15:49 from CommandNotFound.db.creator import DbCreator
10:15:49 File "/usr/lib/python3/dist-packages/CommandNotFound/db/creator.py", line 11, in <module>
10:15:49 import apt_pkg
10:15:49 ModuleNotFoundError: No module named 'apt_pkg'
10:15:49 Fetched 172 kB in 1s (294 kB/s)
10:15:49 Reading package lists...
10:15:49 E: Problem executing scripts APT::Update::Post-Invoke-Success 'if /usr/bin/test -w /var/lib/command-not-found/ -a -e /usr/lib/cnf-update-db; then /usr/lib/cnf-update-db > /dev/null; fi'
10:15:49 E: Sub-process returned an error code
10:15:49 15/12/2022 13:15:43 INFO: Wazuh development repository added.
root@ip-172-31-12-227:~# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.4.0"
WAZUH_REVISION="40401"
WAZUH_TYPE="server"
root@ip-172-31-12-227:~# cat /usr/share/wazuh-indexer/VERSION
4.4.0
root@ip-172-31-12-227:~# cat /usr/share/wazuh-dashboard/VERSION
4.4.0
root@ip-172-31-12-227:~# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
Errors are also found in the confirmation request to replace files when updating indexer:
10:09:15 Preparing to unpack .../wazuh-indexer_4.4.0-1_amd64.deb ...
10:09:15 Unpacking wazuh-indexer (4.4.0-1) over (4.3.10-1) ...
10:09:15 Setting up wazuh-indexer (4.4.0-1) ...
10:09:15 Installing new version of config file /etc/default/wazuh-indexer ...
10:09:15
10:09:15 Configuration file '/etc/wazuh-indexer/jvm.options'
10:09:15 ==> Modified (by you or by a script) since installation.
10:09:15 ==> Package distributor has shipped an updated version.
10:09:15 What would you like to do about it ? Your options are:
10:09:15 Y or I : install the package maintainer's version
10:09:15 N or O : keep your currently-installed version
10:09:15 D : show the differences between the versions
10:09:15 Z : start a shell to examine the situation
10:09:15 The default action is to keep your current version.
10:09:15 *** jvm.options (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing package wazuh-indexer (--configure):
10:09:15 end of file on stdin at conffile prompt
10:09:15 Errors were encountered while processing:
10:09:15 wazuh-indexer
Update
Investigate errors:
Comment 1
https://github.com/wazuh/wazuh-packages/issues/862#issuecomment-1352119199
Tested command:
yum list wazuh-manager.x86_64 --showduplicates
in CentOS 7 and verified that it returns the same output as when using --show-duplicates
[root@localhost vagrant]# yum list wazuh-manager.x86_64 --showduplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.cica.es
* extras: ftp.cica.es
* updates: ftp.cica.es
Available Packages
wazuh-manager.x86_64 4.0.0-1 wazuh
wazuh-manager.x86_64 4.0.1-1 wazuh
wazuh-manager.x86_64 4.0.2-1 wazuh
wazuh-manager.x86_64 4.0.3-1 wazuh
wazuh-manager.x86_64 4.0.4-1 wazuh
wazuh-manager.x86_64 4.1.0-1 wazuh
wazuh-manager.x86_64 4.1.1-1 wazuh
wazuh-manager.x86_64 4.1.2-1 wazuh
wazuh-manager.x86_64 4.1.3-1 wazuh
wazuh-manager.x86_64 4.1.4-1 wazuh
wazuh-manager.x86_64 4.1.5-1 wazuh
wazuh-manager.x86_64 4.2.0-1 wazuh
wazuh-manager.x86_64 4.2.1-1 wazuh
wazuh-manager.x86_64 4.2.2-1 wazuh
wazuh-manager.x86_64 4.2.3-1 wazuh
wazuh-manager.x86_64 4.2.4-1 wazuh
wazuh-manager.x86_64 4.2.5-1 wazuh
wazuh-manager.x86_64 4.2.6-1 wazuh
wazuh-manager.x86_64 4.2.7-1 wazuh
wazuh-manager.x86_64 4.3.0-1 wazuh
wazuh-manager.x86_64 4.3.1-1 wazuh
wazuh-manager.x86_64 4.3.2-1 wazuh
wazuh-manager.x86_64 4.3.3-1 wazuh
wazuh-manager.x86_64 4.3.4-1 wazuh
wazuh-manager.x86_64 4.3.5-1 wazuh
wazuh-manager.x86_64 4.3.6-1 wazuh
wazuh-manager.x86_64 4.3.7-1 wazuh
wazuh-manager.x86_64 4.3.7-2 wazuh
wazuh-manager.x86_64 4.3.8-1 wazuh
wazuh-manager.x86_64 4.3.9-1 wazuh
wazuh-manager.x86_64 4.3.10-1 wazuh
[root@localhost vagrant]# yum list wazuh-manager.x86_64 --show-duplicates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.cica.es
* extras: ftp.cica.es
* updates: ftp.cica.es
Available Packages
wazuh-manager.x86_64 4.0.0-1 wazuh
wazuh-manager.x86_64 4.0.1-1 wazuh
wazuh-manager.x86_64 4.0.2-1 wazuh
wazuh-manager.x86_64 4.0.3-1 wazuh
wazuh-manager.x86_64 4.0.4-1 wazuh
wazuh-manager.x86_64 4.1.0-1 wazuh
wazuh-manager.x86_64 4.1.1-1 wazuh
wazuh-manager.x86_64 4.1.2-1 wazuh
wazuh-manager.x86_64 4.1.3-1 wazuh
wazuh-manager.x86_64 4.1.4-1 wazuh
wazuh-manager.x86_64 4.1.5-1 wazuh
wazuh-manager.x86_64 4.2.0-1 wazuh
wazuh-manager.x86_64 4.2.1-1 wazuh
wazuh-manager.x86_64 4.2.2-1 wazuh
wazuh-manager.x86_64 4.2.3-1 wazuh
wazuh-manager.x86_64 4.2.4-1 wazuh
wazuh-manager.x86_64 4.2.5-1 wazuh
wazuh-manager.x86_64 4.2.6-1 wazuh
wazuh-manager.x86_64 4.2.7-1 wazuh
wazuh-manager.x86_64 4.3.0-1 wazuh
wazuh-manager.x86_64 4.3.1-1 wazuh
wazuh-manager.x86_64 4.3.2-1 wazuh
wazuh-manager.x86_64 4.3.3-1 wazuh
wazuh-manager.x86_64 4.3.4-1 wazuh
wazuh-manager.x86_64 4.3.5-1 wazuh
wazuh-manager.x86_64 4.3.6-1 wazuh
wazuh-manager.x86_64 4.3.7-1 wazuh
wazuh-manager.x86_64 4.3.7-2 wazuh
wazuh-manager.x86_64 4.3.8-1 wazuh
wazuh-manager.x86_64 4.3.9-1 wazuh
wazuh-manager.x86_64 4.3.10-1 wazuh
Tested the same command in RHEL 8 and RHEL 9.
Comment 2
https://github.com/wazuh/wazuh-packages/issues/862#issuecomment-1353084411
This is an error coming from the command apt update; it is caused by an error in the Python 3 libraries used by APT and it is unrelated to the script. To solve it, reinstall the python3-apt package.
Sources: https://askubuntu.com/questions/480908/problem-with-update-manager-no-module-named-apt-pkg-in-ubuntu-13-10-having-i https://unix.stackexchange.com/questions/588066/modulenotfounderror-no-module-named-apt-pkg-appears-in-various-commands
Comment 3
https://github.com/wazuh/wazuh-packages/issues/862#issuecomment-1353093357
Currently investigating, but it seems that it is more related to the wazuh-indexer package, so it will probably need to be addressed in a different issue.
Update
Fix error in comment 1 and test new wazuh-install.sh.
Force packages to maintain old jvm.options to solve comment 3.
Update
Disable shard allocation before upgrading Wazuh indexer.
curl -X PUT "https://<WAZUH_INDEXER_IP>:9200/_cluster/settings" -u <username>:<password> -k -H 'Content-Type: application/json' -d'
{
"persistent": {
"cluster.routing.allocation.enable": "primaries"
}
}
'
Start testing changes.
Update
We added a second parameter to the -up option; now the user needs to introduce the password for the admin user of the indexer to upgrade it.
commit: https://github.com/wazuh/wazuh-packages/pull/1771/commits/f68ffc13c8015bfe3e83508b424189797fa2cbdc
Test changes
[root@amazon2 vagrant]# ./wazuh-install-4.3.10.sh -a
23/01/2023 16:45:00 INFO: Starting Wazuh installation assistant. Wazuh version: 4.3.10
23/01/2023 16:45:00 INFO: Verbose logging redirected to /var/log/wazuh-install.log
23/01/2023 16:45:03 INFO: Wazuh repository added.
23/01/2023 16:45:03 INFO: --- Configuration files ---
23/01/2023 16:45:03 INFO: Generating configuration files.
23/01/2023 16:45:03 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
23/01/2023 16:45:04 INFO: --- Wazuh indexer ---
23/01/2023 16:45:04 INFO: Starting Wazuh indexer installation.
23/01/2023 16:45:49 INFO: Wazuh indexer installation finished.
23/01/2023 16:45:49 INFO: Wazuh indexer post-install configuration finished.
23/01/2023 16:45:49 INFO: Starting service wazuh-indexer.
23/01/2023 16:46:01 INFO: wazuh-indexer service started.
23/01/2023 16:46:01 INFO: Initializing Wazuh indexer cluster security settings.
23/01/2023 16:46:06 INFO: Wazuh indexer cluster initialized.
23/01/2023 16:46:06 INFO: --- Wazuh server ---
23/01/2023 16:46:06 INFO: Starting the Wazuh manager installation.
23/01/2023 16:46:23 INFO: Wazuh manager installation finished.
23/01/2023 16:46:23 INFO: Starting service wazuh-manager.
23/01/2023 16:46:37 INFO: wazuh-manager service started.
23/01/2023 16:46:37 INFO: Starting Filebeat installation.
23/01/2023 16:46:48 INFO: Filebeat installation finished.
23/01/2023 16:46:49 INFO: Filebeat post-install configuration finished.
23/01/2023 16:46:49 INFO: Starting service filebeat.
23/01/2023 16:46:49 INFO: filebeat service started.
23/01/2023 16:46:49 INFO: --- Wazuh dashboard ---
23/01/2023 16:46:49 INFO: Starting Wazuh dashboard installation.
23/01/2023 16:47:39 INFO: Wazuh dashboard installation finished.
23/01/2023 16:47:39 INFO: Wazuh dashboard post-install configuration finished.
23/01/2023 16:47:39 INFO: Starting service wazuh-dashboard.
23/01/2023 16:47:40 INFO: wazuh-dashboard service started.
23/01/2023 16:48:05 INFO: Initializing Wazuh dashboard web application.
23/01/2023 16:48:07 INFO: Wazuh dashboard web application initialized.
23/01/2023 16:48:07 INFO: --- Summary ---
23/01/2023 16:48:07 INFO: You can access the web interface https://<wazuh-dashboard-ip>
User: admin
Password: ?KkMV+jKD*2Hpy2CO0Ox.dtv8lJREi.b
23/01/2023 16:48:07 INFO: Installation finished.
[root@amazon2 vagrant]# ./wazuh-install.sh -up ?KkMV+jKD*2Hpy2CO0Ox.dtv8lJREi.b
23/01/2023 16:51:48 INFO: Starting Wazuh installation assistant. Wazuh version: 4.4.0
23/01/2023 16:51:48 INFO: Verbose logging redirected to /var/log/wazuh-install.log
23/01/2023 16:51:50 INFO: Wazuh development repository added.
23/01/2023 16:51:50 INFO: --- Upgrading existing Wazuh installation ---
23/01/2023 16:51:58 INFO: Upgrading Wazuh Manager to 4.4.0
23/01/2023 16:52:51 INFO: Starting service wazuh-manager.
23/01/2023 16:52:51 INFO: wazuh-manager service started.
23/01/2023 16:52:51 WARNING: Filebeat is already installed and the version is equal or greater than 7.10.2.
23/01/2023 16:52:51 INFO: Upgrading Filebeat module to 0.2
23/01/2023 16:52:52 INFO: Upgrading Wazuh Indexer to 4.4.0
23/01/2023 16:52:52 INFO: Disabling shard allocation.
23/01/2023 16:52:52 INFO: Shard allocation disabled.
23/01/2023 16:54:08 INFO: Enabling shard allocation.
23/01/2023 16:54:08 INFO: Shard allocation enabled.
23/01/2023 16:54:08 INFO: Starting service wazuh-indexer.
23/01/2023 16:54:08 INFO: wazuh-indexer service started.
23/01/2023 16:54:08 INFO: Upgrading Wazuh Dashboard to 4.4.0
23/01/2023 16:55:21 INFO: Starting service wazuh-dashboard.
23/01/2023 16:55:21 INFO: wazuh-dashboard service started.
Update
After discussing with the team we have decided to add a check before upgrading any component.
Indexer
- Check if the cluster is green
- If it is yellow give a warning
Server
- Check filebeat test output result
- Check if API is responding
- Check cluster health
Dashboard
- Check if Dashboard is responding
- Check the connection to the indexer cluster
This will be run before and after the upgrade, if the checks fail before upgrading we will stop the script with an error.
To do this the script will need credentials that will be provided in a file with the same format as the one used for wazuh-passwords-tools.sh.
Indexer
- Admin password.
Server
- API admin password.
Dashboard
- Admin password.
If credentials are incorrect we will stop the script with an error before updating.
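The indexer check described above (green continues, yellow warns, anything else or rejected credentials stops the script) can be written as a gate over the HTTP status code and the _cluster/health body. This is an added example, not part of the original thread or of wazuh-install.sh; function names, messages and the sample bodies are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from wazuh-install.sh. Function names, messages and
# the sample bodies are constructed; "status" and "unassigned_shards" are
# fields of the indexer's _cluster/health response.

SAMPLE_GREEN='{"cluster_name":"wazuh-cluster","status":"green","number_of_nodes":1,"unassigned_shards":0}'
SAMPLE_YELLOW='{"cluster_name":"wazuh-cluster","status":"yellow","number_of_nodes":1,"unassigned_shards":3}'
SAMPLE_RED='{"cluster_name":"wazuh-cluster","status":"red","number_of_nodes":1,"unassigned_shards":12}'

# Print one top-level string or number field of a flat JSON object.
#   $1 = JSON body, $2 = field name
json_field() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p'
}

# Decide whether the upgrade may continue.
#   $1 = phase (before|after), $2 = HTTP status code, $3 = response body
# Returns 0 to continue and 1 to stop; messages go to stderr.
indexer_health_gate() {
    case "$2" in
        200) ;;
        401|403)
            echo "ERROR: indexer rejected the credentials (${1} upgrade)." >&2
            return 1 ;;
        *)  # curl reports 000 when no HTTP response was received
            echo "ERROR: no usable answer from the indexer (HTTP ${2})." >&2
            return 1 ;;
    esac
    gate_status=$(json_field "$3" status)
    case "${gate_status}" in
        green)
            return 0 ;;
        yellow)
            echo "WARNING: cluster is yellow, unassigned shards:" \
                 "$(json_field "$3" unassigned_shards)." >&2
            return 0 ;;
        *)
            echo "ERROR: cluster status is '${gate_status:-unknown}' ${1} the upgrade." >&2
            return 1 ;;
    esac
}

# Assumed way to obtain the two inputs (credentials options omitted):
#   body_file=$(mktemp)
#   code=$(curl -s -o "${body_file}" -w '%{http_code}' \
#       "https://<WAZUH_INDEXER_IP>:9200/_cluster/health")
#   indexer_health_gate before "${code}" "$(cat "${body_file}")" || exit 1
```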
Update
Test the latest changes with the upgrade check forcing errors.
On Hold due to: https://github.com/wazuh/support/issues/4
Update
Add a function to get the Wazuh API password for a specific user.
Continue testing.
Update
Test PoC to simulate a real environment for testing generating fake indexes in wazuh indexer
Update
Merge the latest changes and apply necessary modifications
Test resulting wazuh-install script.
Update
Work on the testing environment:
- Use OVA
- Generate alerts and get an index
- Test if we can copy that index to generate a year of alerts
The next step would be to get the index for a day of alerts from the demo environment and use it to simulate a real environment.
Update
Continue working on the test environment design:
Copy index:
POST /wazuh-alerts-4.x-2023.3.9/_clone/wazuh-alerts-4.x-2023.3.9-cloned
Set index to read-only:
PUT /wazuh-alerts-4.x-2023.3.9/_settings
{
"index.blocks.read_only_allow_delete": true
}
Reindex changing the date:
POST _reindex
{
"source": {
"index": "wazuh-alerts-4.x-2023.3.9"
},
"dest": {
"index": "wazuh-alerts-4.x-2023.3.8"
},
"script": {
"source": "ctx._source['@timestamp'] = OffsetDateTime.parse(ctx._source['@timestamp']).minusDays(1).toString()"
}
}
This should result in a new index being created with a different timestamp.