wazuh-indexer


henry valz

Jun 13, 2023, 10:29:51 AM
to Wazuh mailing list
Hi,
In which path does the wazuh-indexer store its logs in an all-in-one server installation?

Regards,
Henry

Henadence Anyam

Jun 13, 2023, 10:39:06 AM
to Wazuh mailing list
Hello Henry,

The default installation of Wazuh stores the indexer logs in the /var/log/wazuh-indexer/ directory.

Hope you find this information helpful.

henry valz

Jun 13, 2023, 11:14:08 AM
to Henadence Anyam, Wazuh mailing list
Hello Henadence,
Is this where the indices are stored? Can I move that path and mount it on another hard drive, along with the log redirection process? My server has run out of space.

Regards,
Henry


Henadence Anyam

Jun 14, 2023, 3:00:10 AM
to Wazuh mailing list
Hello Henry,

The indices are stored in the /var/lib/wazuh-indexer directory and might include other information sent to the indexer.

To change the logs and data storage path for the wazuh-indexer, you can modify this in the /etc/wazuh-indexer/opensearch.yml file and move the current content to the new path with proper ownership and access.
You need to modify these two lines in the /etc/wazuh-indexer/opensearch.yml file to point to your new location:
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

Then you need to move the current data and log directories to the new location and provide proper ownership there:
# mv /var/lib/wazuh-indexer/ /new/data/directory/
# mv /var/log/wazuh-indexer/ /new/log/directory/
# chown wazuh-indexer:wazuh-indexer -R /new/data/directory/
# chown wazuh-indexer:wazuh-indexer -R /new/log/directory/

Then, you need to restart the wazuh-indexer service to effect the changes.

You can also manage the indices by following the Wazuh Index Management blog at the Opendistro ISM section; it is not exactly the same as OpenSearch (Wazuh indexer), but it is similar.

Hope you find this information helpful.
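An added example, not code from the thread or from the Wazuh project: a POSIX shell script that carries out the steps in the reply above (move the two directories, set ownership, update path.data and path.logs in opensearch.yml, verify before restarting). The function names, the sandbox demo and the temporary paths are this example's own; the config path /etc/wazuh-indexer/opensearch.yml and the owner wazuh-indexer:wazuh-indexer it refers to are the ones named in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread: relocate the Wazuh indexer data and
# log directories as the reply above describes: move the content, fix
# ownership, point path.data / path.logs in opensearch.yml at the new location,
# and verify before the service is restarted. Config path, destination paths
# and owner are parameters; on a real host they would be
# /etc/wazuh-indexer/opensearch.yml and wazuh-indexer:wazuh-indexer.

# Print the value of a "key: value" line from the yml file ($1 = file, $2 = key).
get_yml_path() {
  grep "^$2:" "$1" | sed "s|^$2:[[:space:]]*||"
}

# Replace (or append) a "key: value" line ($1 = file, $2 = key, $3 = value).
# A temp file is used instead of sed -i so this works with GNU and BSD sed.
set_yml_path() {
  cfg="$1"; key="$2"; val="$3"
  if grep -q "^${key}:" "$cfg"; then
    sed "s|^${key}:.*|${key}: ${val}|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s: %s\n' "$key" "$val" >> "$cfg"
  fi
}

# Move a directory to its new full path and hand it to the service user
# ($1 = current dir, $2 = new dir, $3 = owner as user:group).
relocate_dir() {
  mkdir -p "$(dirname "$2")"
  mv "$1" "$2"
  chown -R "$3" "$2"
}

# Verify that a directory exists and is owned by the expected user
# ($1 = dir, $2 = user name or numeric uid). Returns 1 on any mismatch.
check_dir() {
  [ -d "$1" ] || return 1
  want=$(id -u "$2" 2>/dev/null || echo "$2")   # resolve a name to a uid where possible
  have=$(ls -ldn "$1" | awk '{print $3}')        # numeric uid of the directory owner
  [ "$have" = "$want" ]
}

# Full procedure: read the old paths from the config, move both directories,
# update the config, then verify. Returns non-zero if verification fails so the
# caller can skip the restart instead of starting the indexer on a bad path.
migrate_indexer_storage() {
  cfg="$1"; new_data="$2"; new_logs="$3"; owner="$4"
  old_data=$(get_yml_path "$cfg" path.data)
  old_logs=$(get_yml_path "$cfg" path.logs)
  relocate_dir "$old_data" "$new_data" "$owner"
  relocate_dir "$old_logs" "$new_logs" "$owner"
  set_yml_path "$cfg" path.data "$new_data"
  set_yml_path "$cfg" path.logs "$new_logs"
  check_dir "$new_data" "${owner%%:*}" && check_dir "$new_logs" "${owner%%:*}"
}

# Constructed demo in a temporary sandbox (no real system paths are touched):
# a minimal opensearch.yml plus fake data/log trees, owned by the current user.
demo_in_sandbox() {
  sb=$(mktemp -d)
  cfg="$sb/opensearch.yml"
  printf 'cluster.name: wazuh-cluster\npath.data: %s/var/lib/wazuh-indexer\npath.logs: %s/var/log/wazuh-indexer\n' "$sb" "$sb" > "$cfg"
  mkdir -p "$sb/var/lib/wazuh-indexer/nodes/0" "$sb/var/log/wazuh-indexer"
  echo "sample" > "$sb/var/lib/wazuh-indexer/nodes/0/node.lock"
  migrate_indexer_storage "$cfg" "$sb/data/wazuh-indexer" "$sb/logs/wazuh-indexer" "$(id -u):$(id -g)"
  echo "$sb"
}

sandbox=$(demo_in_sandbox)
cat "$sandbox/opensearch.yml"
# On a real host the final step, run only if migrate_indexer_storage returned 0,
# is: systemctl restart wazuh-indexer
```

The ownership check is the part worth keeping: after a move the indexer silently fails to start if the new tree belongs to root, so the script refuses to report success (and the restart is skipped) until both directories are owned by the service user.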

henry valz

Jun 14, 2023, 12:26:02 PM
to Wazuh mailing list
Thanks Henadence,

And in a distributed installation, with each component on its own independent server, what is the path where these indexes are stored? In a distributed installation it is separated by components: wazuh-manager, elasticsearch, filebeat, kibana. What would be the path equivalent to the wazuh-indexer one?

Regards,
Henry

Henadence Anyam

Jun 15, 2023, 3:27:41 AM
to Wazuh mailing list
Hello Henry,

Whether it is a single-node or multi-node setup, the default installation path remains the same.

For elasticsearch:
- The logs are stored in /var/log/elasticsearch/
- The indices are stored in /var/lib/elasticsearch/
- The config file is /etc/elasticsearch/elasticsearch.yml

The Migrating to the Wazuh indexer guide might come in handy.

Hope that helps.