The steps below should work on bare metal and inside an ES Docker installation. The snapshots are taken using the ES API; raw filesystem backups won't work. The test below was done with Docker on Debian 11 provisioned by Vagrant.
Create the repo path:
[root@97baaa7e0134 elasticsearch]# cat config/elasticsearch.yml
cluster.name: "docker-cluster"
network.host: 0.0.0.0
path.repo: /usr/share/elasticsearch/data/ # add this path
Restart the ES container.
curl -X PUT "localhost:9200/_snapshot/my_repository?pretty" -H 'Content-Type: application/json' -d'
{
  "type": "fs",
  "settings": {
    "location": "/usr/share/elasticsearch/data/backups"
  }
}
'
The paths above need to be created and owned by the 'elasticsearch' user.
curl -X PUT "localhost:9200/_snapshot/my_repository/my_snapshot?wait_for_completion=true&pretty"
curl -X GET "localhost:9200/_snapshot/my_repository/_all?pretty"
docker cp root-elasticsearch-1:/usr/share/elasticsearch/data/backups /vagrant/
You should also copy the configuration folder above (where path.repo is defined, among other things):
docker cp root-elasticsearch-1:/usr/share/elasticsearch/config /vagrant/
Copy the files from the snapshot repository back into the Docker container:
docker cp /vagrant/backups root-elasticsearch-1:/usr/share/elasticsearch/data/
Register the repository again as above.
Before restoring, you might need to delete the indexes if they already exist. This is especially the case when moving to a new cluster with a default Docker installation and default indexes.
To list the indexes, run:
curl -X GET "localhost:9200/_all?pretty"
Stop the Graylog Docker container, then delete the indices with:
curl -X DELETE "localhost:9200/graylog_0,gl-system-events_0,gl-events_0?pretty"
This deletes the 3 default indices.
List the snapshots and choose the one you want to restore. E.g. restoring “my_snapshot2”:
curl -X POST "localhost:9200/_snapshot/my_repository/my_snapshot2/_restore?wait_for_completion=true&pretty"
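Because the indices are deleted before the restore, it is worth checking the snapshot listing first. The following is an added example, not part of the original procedure: it reads the JSON returned by the "_snapshot/my_repository/_all" call and reports why a restore would be unsafe. The function name and the sample listing are constructed for illustration.

```python
import json

# Constructed sample of a GET _snapshot/my_repository/_all response (not real output).
SAMPLE_LISTING = json.loads("""
{"snapshots": [
  {"snapshot": "my_snapshot", "state": "PARTIAL",
   "indices": ["graylog_0", "gl-events_0"],
   "shards": {"total": 8, "failed": 2, "successful": 6}},
  {"snapshot": "my_snapshot2", "state": "SUCCESS",
   "indices": ["graylog_0", "gl-system-events_0", "gl-events_0"],
   "shards": {"total": 12, "failed": 0, "successful": 12}}
]}
""")


def restore_blockers(listing, snapshot_name, indices_to_delete):
    """Return reasons why deleting the indices and restoring is unsafe (empty list = OK)."""
    match = [s for s in listing.get("snapshots", []) if s.get("snapshot") == snapshot_name]
    if not match:
        return [f"snapshot {snapshot_name!r} not found in repository"]
    snap = match[0]
    problems = []
    # Only a SUCCESS snapshot contains every shard of every index it lists.
    if snap.get("state") != "SUCCESS":
        problems.append(f"state is {snap.get('state')}, expected SUCCESS")
    failed = snap.get("shards", {}).get("failed", 0)
    if failed:
        problems.append(f"{failed} shard(s) failed to snapshot")
    # Any index deleted but absent from the snapshot would be lost for good.
    missing = sorted(set(indices_to_delete) - set(snap.get("indices", [])))
    if missing:
        problems.append("not in snapshot: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    default_indices = ["graylog_0", "gl-system-events_0", "gl-events_0"]
    for name in ("my_snapshot", "my_snapshot2"):
        issues = restore_blockers(SAMPLE_LISTING, name, default_indices)
        print(name, "OK to restore" if not issues else issues)
```

To use it on a real cluster, save the output of the listing command to a file and pass the parsed JSON in place of SAMPLE_LISTING.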