How to delete Wazuh old data (alerts, index and so on)?


mauro....@cmcc.it

Jun 10, 2023, 1:20:13 PM
to Wazuh mailing list
Dear Users,

My Wazuh testing period has ended, so I would like to reset/delete old data saved in the UI, alerts, index and so on.
Is there a way to reset Wazuh without disrupting the current configuration (avoiding having to install it from scratch)?

Thank you in advance,
Mauro

Adebayo Kalejaiye

Jun 11, 2023, 4:12:41 AM
to Wazuh mailing list
Hello Mauro,

If you want to delete old data saved in the UI, please see the guide below:


How to see your indices list:

curl -u <username>:<password> "https://<indexer IP>:9200/_cat/indices/wazuh-alerts*" -k

// Example output
yellow open wazuh-alerts-3.x-2018.07.11 HMRNDMv_TEW7_bkXu5gWMA 5 1 139908 0  20.5mb  20.5mb
yellow open wazuh-alerts-3.x-2018.07.12 f6yjp6AjRkKoRIAkk63NAQ 5 1 938926 0 482.1mb 482.1mb

As you can see, a Wazuh index name is composed using the following pattern:

wazuh-alerts-3.x-YYYY.MM.DD

This means you can delete specific days as I said. 

How to delete a specific day:

curl -u <username>:<password> -XDELETE "https://<indexer IP>:9200/wazuh-alerts-3.x-2018.07.12" -k

How to delete two specific days:

curl -u <username>:<password> -XDELETE "https://<indexer IP>:9200/wazuh-alerts-3.x-2018.07.11,wazuh-alerts-3.x-2018.07.12" -k

How to delete all July:

curl -u <username>:<password> -XDELETE "https://<indexer IP>:9200/wazuh-alerts-3.x-2018.07*" -k

Note: since you can use a wildcard (*), deleting a month is easy as you can see in the above curl command.

It is also advisable to set up index management for proper log management using the guide Here

I hope this helps
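
A dry-run-first version of the cleanup described in the answer above, added here as an example (it is not part of the original posts or of Wazuh's own tooling). It filters a `_cat/indices` listing by the `wazuh-alerts-<version>-YYYY.MM.DD` pattern and a cutoff date before any DELETE is sent; the function names, the `INDEXER_URL`, `INDEXER_USER`, `INDEXER_PASS` and `CONFIRM` variables, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `_cat/indices` output (not real data).
SAMPLE_INDICES='yellow open wazuh-alerts-3.x-2018.06.30 aaaaaaaaaaaaaaaaaaaaaa 5 1 100 0 1mb 1mb
yellow open wazuh-alerts-3.x-2018.07.11 bbbbbbbbbbbbbbbbbbbbbb 5 1 139908 0 20.5mb 20.5mb
yellow open wazuh-alerts-3.x-2018.07.12 cccccccccccccccccccccc 5 1 938926 0 482.1mb 482.1mb
green open some-other-index-2018.07.01 dddddddddddddddddddddd 1 0 10 0 1kb 1kb
yellow open wazuh-alerts-3.x-notadate eeeeeeeeeeeeeeeeeeeeee 5 1 1 0 1kb 1kb'

# select_old_indices CUTOFF   (CUTOFF is YYYY.MM.DD; the listing is read from stdin)
# Prints only names shaped like wazuh-alerts-<version>-YYYY.MM.DD and dated
# strictly before CUTOFF, so unrelated or oddly named indices are never selected.
select_old_indices() {
    awk -v cutoff="$1" '
        $3 ~ /^wazuh-alerts-[0-9a-z.]+-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ {
            day = substr($3, length($3) - 9)        # trailing YYYY.MM.DD
            # Zero-padded dates order correctly as plain strings.
            if ((day "") < (cutoff "")) print $3
        }'
}

# delete_indices: reads index names on stdin, one per line.
# Dry run unless CONFIRM=yes. INDEXER_URL, INDEXER_USER and INDEXER_PASS are
# assumed environment variables (hypothetical names, not Wazuh settings).
delete_indices() {
    while IFS= read -r idx; do
        if [ "${CONFIRM:-no}" = "yes" ]; then
            # -k (as in the thread) skips TLS certificate verification; drop it
            # once the indexer certificate is trusted by this host.
            curl -u "$INDEXER_USER:$INDEXER_PASS" -XDELETE "$INDEXER_URL/$idx" -k
        else
            echo "DRY-RUN would delete: $idx"
        fi
    done
}

# Demo on the constructed sample: list what would be removed before 2018.07.12.
printf '%s\n' "$SAMPLE_INDICES" | select_old_indices 2018.07.12 | CONFIRM=no delete_indices
```

Against a live indexer, pipe the output of the `_cat/indices` command from the answer into `select_old_indices`, review the dry-run list, and only then rerun with `CONFIRM=yes`.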


Mauro Tridici

Jun 11, 2023, 6:10:30 AM
to Adebayo Kalejaiye, Wazuh mailing list
Hello Adebayo,

many thanks for your very detailed answer.
I really appreciated it.

During the next hours I will try to apply your instructions.
Last question: are these instructions enough to delete every database reference to the alerts I’m going to remove?

Have a great day.
Mauro


Adebayo Kalejaiye

Jun 14, 2023, 4:58:56 AM
to Wazuh mailing list
Hello Mauro,

The information provided is sufficient to handle the use case.

Best Regards,
Adebayo
