Wazuh Elasticstack Database nodes


Erik Vetters

Jul 11, 2018, 2:52:03 AM
to Wazuh mailing list
Hi Wazuh Group,

just a quick question.

Can someone please point me to some documentation on how to maintain the Elastic Stack database size, i.e. deleting entries older than x days?


Because I now have the log lines in /var/ossec/logs and of course in the standard Elastic Stack path /var/lib/elasticsearch/nodes ... And this
gets quite big.

Thx for any tips.


Many Greetings
Erik

Erik Vetters

Jul 12, 2018, 6:01:05 AM
to Wazuh mailing list
Hi,

ok ... I have found something in old threads for deleting agent data,

Can someone point me in the right direction to delete entries in a specific timeframe for all agents/events?

Many Greetings
Erik


POST wazuh-alerts-*/_delete_by_query
{
  "query": {
    "match": {
      "agent.name": "your agent name"
    }
  }
}


jesus.g...@wazuh.com

Jul 12, 2018, 7:06:32 AM
to Wazuh mailing list
Hi Erik,

Don't know if the following solution matches your goal, but since Wazuh generates daily indices you
can delete the specific index for specific days.

How to see your indices list:

# curl elastic_ip:9200/_cat/indices/wazuh-alerts*

// Example output
yellow open wazuh-alerts-3.x-2018.07.11 HMRNDMv_TEW7_bkXu5gWMA 5 1 139908 0  20.5mb  20.5mb
yellow open wazuh-alerts-3.x-2018.07.12 f6yjp6AjRkKoRIAkk63NAQ 5 1 938926 0 482.1mb 482.1mb

As you can see, a Wazuh index name is composed using the following pattern:

wazuh-alerts-3.x-YYYY.MM.DD

This means you can delete specific days, as I said.

How to delete a specific day:

curl -XDELETE elastic_ip:9200/wazuh-alerts-3.x-2018.07.12

How to delete two specific days:

curl -XDELETE elastic_ip:9200/wazuh-alerts-3.x-2018.07.11,wazuh-alerts-3.x-2018.07.12

How to delete all July:

curl -XDELETE elastic_ip:9200/wazuh-alerts-3.x-2018.07*

Note: since you can use a wildcard (*), deleting a month is pretty easy, as you can see in the above curl command.

If the above commands don't match your desired goal because you want to delete specific documents from a specific day, let us know
and we can guide you in the right direction.

Regards,
Jesús
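
The daily-index naming above makes the "delete everything older than x days" from the first message a matter of string comparison on the index name. The script below is an added example written for this thread, not code from Wazuh or from either poster. It assumes the wazuh-alerts-3.x-YYYY.MM.DD pattern shown in Jesús's _cat output and an Elasticsearch reachable at ES_URL (elastic_ip:9200 from the thread, a placeholder). It lists the indices, selects those whose date is strictly older than the cutoff, and only issues DELETEs when APPLY=1; by default it prints what it would remove.

```shell
#!/bin/sh
# Added example for this thread (not Wazuh's own code): date-based retention
# for daily wazuh-alerts indices.
# Assumptions: index names match wazuh-alerts-3.x-YYYY.MM.DD (as in the
# _cat output above); ES_URL points at the Elasticsearch HTTP port.

ES_URL="${ES_URL:-http://elastic_ip:9200}"     # elastic_ip is the thread's placeholder
RETENTION_DAYS="${RETENTION_DAYS:-30}"

# list_indices: one index name per line from the _cat API (h=index keeps only
# the name column). Restricting the pattern here is the first safety net.
list_indices() {
    curl -s "$ES_URL/_cat/indices/wazuh-alerts-3.x-*?h=index"
}

# index_date: print YYYYMMDD for a daily wazuh-alerts index; fail (print nothing)
# for any other name, so .kibana, wazuh-monitoring-*, etc. are never selected.
index_date() {
    case "$1" in
        wazuh-alerts-3.x-[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9])
            printf '%s\n' "${1#wazuh-alerts-3.x-}" | tr -d '.' ;;
        *)
            return 1 ;;
    esac
}

# select_expired: read index names on stdin, print those dated strictly before
# the cutoff YYYYMMDD given as $1. Pure string work, no network.
select_expired() {
    cutoff="$1"
    while IFS= read -r idx; do
        d=$(index_date "$idx") || continue
        if [ "$d" -lt "$cutoff" ]; then
            printf '%s\n' "$idx"
        fi
    done
    return 0
}

# cutoff_date: YYYYMMDD for N days ago (GNU date; on BSD/macOS use date -v-"$1"d).
cutoff_date() {
    date -u -d "$1 days ago" +%Y%m%d
}

# delete_indices: one DELETE per index name on stdin, so one failure does not
# abort the batch and each response is visible in the log.
delete_indices() {
    while IFS= read -r idx; do
        curl -s -X DELETE "$ES_URL/$idx"
        echo
    done
}

main() {
    cutoff=$(cutoff_date "$RETENTION_DAYS")
    expired=$(list_indices | select_expired "$cutoff")
    if [ -z "$expired" ]; then
        echo "nothing older than $cutoff"
        return 0
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$expired" | delete_indices
    else
        printf 'would delete (set APPLY=1 to do it):\n%s\n' "$expired"
    fi
}

# Only run when invoked with "run", so the functions can be sourced or tested alone.
case "${1:-}" in
    run) main ;;
esac
```

Run `RETENTION_DAYS=30 sh wazuh-retention.sh run` first to see the dry-run list, then add APPLY=1 (for example from cron) once the selection looks right. Deleting whole indices this way is far cheaper than `_delete_by_query`, which rewrites documents and leaves the segments to be merged later. Note that unlike the wildcard `curl -XDELETE ...2018.07*` above, the script only ever names indices explicitly, so it keeps working on clusters where `action.destructive_requires_name` is set to true.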

Erik Vetters

Jul 12, 2018, 7:26:21 AM
to Wazuh mailing list
Hi Jesús,

that is perfect ... and is more than enough ...

Many Greetings
Erik

jesus.g...@wazuh.com

Jul 12, 2018, 7:28:45 AM
to Wazuh mailing list
Ok Erik, you are welcome!