Delete logs older than 2 months


Ayoub MM

Mar 14, 2023, 3:40:40 AM3/14/23
to Wazuh mailing list
Hello All,

First I would like to thank you for responding to my previous question; I appreciate your help and support.

I have an issue: my Wazuh storage is full of logs. I want to keep only a log retention of 2 months, so I tried to delete the logs and alerts older than 2 months with these 2 commands:

find /var/ossec/logs/alerts/ -name "*.gz" -type f -mtime +60 -exec rm -f {} \;
find /var/ossec/logs/archives/ -name "*.gz" -type f -mtime +60 -exec rm -f {} \;

But when I check in the Discover tab, I find that logs older than 4 months still exist.

Is there another method or command to delete logs older than 2 months and keep only a retention of 2 months?

Thanks in advance for your support and help.


Regards

elw...@wazuh.com

Mar 14, 2023, 5:38:41 AM3/14/23
to Wazuh mailing list
Hello Ayoub,

The logs are saved in both the Wazuh manager (/var/ossec/logs/alerts/*) and the Wazuh indexer (in the wazuh-alerts* indices), and the latter is what the Wazuh dashboard uses to show the alerts in Discover. You can review an illustration of the Wazuh architecture here: https://documentation.wazuh.com/current/getting-started/architecture.html#architecture.

If you want to delete the old indices, you should navigate to the Dev Tools within the WUI, then run DELETE wazuh-alerts-4.x-2023.01* (that would delete all data of January 2023: https://groups.google.com/g/wazuh/c/tHbPURuw9E8/m/pHDRhmslBwAJ). You can also automate the process by using index management policies similar to what is described here: https://wazuh.com/blog/wazuh-index-management/.

I hope this helps.

Wali
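The answer above does the deletion by hand in Dev Tools with a month pattern. The script below is an added example, not code from the thread or from the Wazuh project, that does the same DELETE through the indexer REST API but selects indices by date, so a 60-day retention can be run from cron. It assumes the default daily index names wazuh-alerts-4.x-YYYY.MM.DD, an indexer at https://127.0.0.1:9200, credentials in INDEXER_USER/INDEXER_PASS and GNU date (all assumptions, none stated in the thread). It runs in dry-run mode unless DRY_RUN=0, so the list of indices that would go is visible before anything is removed, and index names that do not match the expected layout are skipped rather than deleted.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): prune wazuh-alerts-*
# indices older than RETENTION_DAYS via the indexer REST API. Equivalent to
# "DELETE <index>" in Dev Tools, selected by date instead of by pattern.
# Assumed (not in the thread): indexer URL, credentials, daily index naming.

INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"   # assumption
INDEXER_USER="${INDEXER_USER:-admin}"                   # assumption
INDEXER_PASS="${INDEXER_PASS:-change-me}"               # placeholder
RETENTION_DAYS="${RETENTION_DAYS:-60}"
DRY_RUN="${DRY_RUN:-1}"                                 # 1 = only report

# index_date_key NAME: print YYYYMMDD from wazuh-alerts-4.x-YYYY.MM.DD,
# or nothing when NAME does not have that exact layout.
index_date_key() {
    printf '%s\n' "$1" | sed -n \
      's/^wazuh-alerts-4\.x-\([0-9]\{4\}\)\.\([0-9]\{2\}\)\.\([0-9]\{2\}\)$/\1\2\3/p'
}

# old_indices CUTOFF (YYYY.MM.DD): read index names on stdin, print those
# dated strictly before CUTOFF. Anything else (system indices, odd names)
# is ignored so it can never be deleted by accident.
old_indices() {
    cutoff_key=$(printf '%s' "$1" | tr -d .)
    while IFS= read -r idx; do
        key=$(index_date_key "$idx")
        if [ -n "$key" ] && [ "$key" -lt "$cutoff_key" ]; then
            printf '%s\n' "$idx"
        fi
    done
}

# cutoff_date: today minus RETENTION_DAYS (GNU date syntax, Linux).
cutoff_date() {
    date -u -d "$RETENTION_DAYS days ago" +%Y.%m.%d
}

# list_indices: every wazuh-alerts index the indexer knows about.
list_indices() {
    curl -sk -u "$INDEXER_USER:$INDEXER_PASS" \
        "$INDEXER_URL/_cat/indices/wazuh-alerts-*?h=index"
}

# delete_index NAME: the REST form of "DELETE NAME" in Dev Tools.
delete_index() {
    curl -sk -u "$INDEXER_USER:$INDEXER_PASS" -X DELETE "$INDEXER_URL/$1"
    echo
}

prune() {
    cutoff=$(cutoff_date)
    echo "cutoff: indices dated before $cutoff (DRY_RUN=$DRY_RUN)"
    list_indices | old_indices "$cutoff" | while IFS= read -r idx; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would delete $idx"
        else
            echo "deleting $idx"
            delete_index "$idx"
        fi
    done
}

# Constructed sample of _cat/indices output (not real data) so the
# selection logic can be exercised offline; cutoff 2023.01.13 is 60 days
# before the thread's date, 2023.03.14.
SAMPLE_INDICES='wazuh-alerts-4.x-2023.01.05
wazuh-alerts-4.x-2023.01.31
wazuh-alerts-4.x-2023.03.01
wazuh-alerts-4.x-2023.03.13
.opendistro_security
wazuh-alerts-4.x-2023.01.1x'

demo() {
    printf '%s\n' "$SAMPLE_INDICES" | old_indices 2023.01.13
}

# Run the real prune only when invoked as: sh wazuh-prune.sh --run
if [ "${1:-}" = "--run" ]; then
    prune
fi
```

Run it once with the default DRY_RUN=1 and read the "would delete" lines; only then rerun with DRY_RUN=0. Deleting an index is not reversible, so the point of the dry run (and of a snapshot, if you keep one) is to confirm the cutoff before the DELETE goes out.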

Ayoub MM

Mar 14, 2023, 8:35:25 AM3/14/23
to elw...@wazuh.com, Wazuh mailing list
Hello, 
Thank you for your help,
With this solution of using the Dev Tools, is there a risk that something goes wrong? Do I need to take a snapshot before this?

Thanks in advance,




Ayoub MM

Mar 14, 2023, 8:41:37 AM3/14/23
to elw...@wazuh.com, Wazuh mailing list
And if you could please provide me with a screenshot of exactly how I should enter the command in Dev Tools, it would be great.
Thank you so much.

elw...@wazuh.com

Mar 15, 2023, 9:51:47 AM3/15/23
to Wazuh mailing list
Hello Ayoub,

Using that API call, you delete the indices of that month; you can change the date or specify an exact date to delete:

[screenshot attachment: image (165).png]
I hope it helps.

Regards,
Wali