/var/ossec/queue/db cleanup?


Alfred Abrajano

May 8, 2023, 12:02:58 PM
to wa...@googlegroups.com
Hello Everyone,

Good day!
May I please know what the best practices are to clean up this directory to reclaim disk space?

It's consuming 111GB as of now, and I practically do not need any logs/events/etc. that are older than 30 days.

[wazuh0001 ~]$ sudo sh -c 'du -sh /var/ossec/queue/db'
111G    /var/ossec/queue/db

Any suggestions?

Thank you,
Alfred Abrajano

Guido Iván García

May 8, 2023, 12:37:55 PM
to Wazuh mailing list
Hi! Thanks for posting in the community!! 

The /var/ossec/queue/db/ directory contains databases with information for different agents. It can use too much space because there are some dangling agents which are not connected anymore but their databases are left behind.

We recommend removing those old agents if that’s the case. You can do this using the API Console:

On your dashboard, click on the Wazuh drop-down menu, select Tools, and then the API Console.

Enter the following request and execute:
DELETE /agents?status=disconnected,never_connected&agents_list=all&older_than=30d

This request will delete all the agents which have been disconnected or never connected for more than 30 days and their databases also. You can change the age if needed.

I hope this helps. Let me know if you have any specific questions or if there is anything else I can do to help. 

Regards,
Guido
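
The same cleanup can be run from a shell with a preview step before anything is deleted. This is an added example, not part of the reply above and not Wazuh project code; the API address, the `WAZUH_USER`, `WAZUH_PASS` and `WAZUH_CA` variables, and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: preview, then delete, stale Wazuh agents through the server API.
# Assumptions (not from the thread): API at https://localhost:55000, credentials in
# WAZUH_USER / WAZUH_PASS, optional CA bundle path in WAZUH_CA, curl and jq installed.
API="${WAZUH_API:-https://localhost:55000}"
STATUS="disconnected,never_connected"   # same status filter as the request in the thread

# curl wrapper; verifies the API certificate against WAZUH_CA when it is set.
api() { curl -sS ${WAZUH_CA:+--cacert "$WAZUH_CA"} "$@"; }

# Build the query shared by the preview (GET) and the DELETE. Accepts only
# <digits><s|m|h|d>, so a typo or a stray "&param" cannot alter the filter.
stale_query() {
  num="${1%[smhd]}"
  [ -n "$num" ] && [ "$num" != "$1" ] || return 1
  case "$num" in *[!0-9]*) return 1 ;; esac
  printf 'status=%s&older_than=%s' "$STATUS" "$1"
}

# Obtain a JWT; raw=true makes the API return the bare token.
get_token() {
  api -u "${WAZUH_USER}:${WAZUH_PASS}" -X POST "$API/security/user/authenticate?raw=true"
}

# List the agents the filter matches (first 500), without changing anything.
preview() {
  api -H "Authorization: Bearer $1" \
    "$API/agents?$2&select=id,name,status,lastKeepAlive&limit=500" |
    jq -r '.data.affected_items[] | [.id, .name, .status, .lastKeepAlive] | @tsv'
}

# Issue the DELETE from the thread and print how many agents were removed.
delete_stale() {
  api -H "Authorization: Bearer $1" -X DELETE "$API/agents?$2&agents_list=all" |
    jq -r '.data.total_affected_items'
}

main() {
  q="$(stale_query "${2:-30d}")" || { echo "bad age: ${2:-}" >&2; return 2; }
  token="$(get_token)" || return 1
  case "$1" in
    preview) preview "$token" "$q" ;;
    delete)  delete_stale "$token" "$q" ;;
    *) echo "usage: $0 preview|delete [age]" >&2; return 2 ;;
  esac
}

# Act only when a subcommand is given, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `preview 30d` first and compare the listed agents against your inventory before running `delete 30d`.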

Alfred Abrajano

May 9, 2023, 6:50:09 AM
to Wazuh mailing list
Hello Guido, 

Thank you!
This is actually also what I am doing, but it looks like it is not enough to reclaim disk space.

DELETE /agents?status=disconnected,never_connected&agents_list=all&older_than=30d

Is there any way to significantly reduce the db size of active agents?

Regards,
Alfred Abrajano

Guido Iván García

May 9, 2023, 9:28:07 AM
to Wazuh mailing list
Hi Alfred!

May I know how many agents you have, and what is enabled for each agent? If there are a lot of active agents with many enabled features, they can take up a considerable amount of space.

Additionally, you can try running the "du -hs * | sort -rh | head -7" command to check the disk usage and see if there are any other areas that are taking up significant space.

Lastly, may I also ask what version of Wazuh you are currently using?

Regards,
Guido

Alfred Abrajano

May 10, 2023, 5:42:46 AM
to Guido Iván García, Wazuh mailing list
Hello Guido,

Thank you for looking into this.
I have roughly 3,500 agents, and the features enabled are FIM, rootcheck and SCA, I guess; we're not storing Windows events.

Regards,
Alfred Abrajano


Alfred Abrajano

May 10, 2023, 5:45:44 AM
to Guido Iván García, Wazuh mailing list
Hello Guido,

I forgot to mention that I am using Wazuh 4.4.1 on the manager and agents.

Regards,
Alfred Abrajano