Delete /archives and /alerts folder


German DiCasas

Mar 21, 2024, 6:08:17 PM
to Wazuh | Mailing List
Hi team,

I have a question for you related to knowing when I can delete the logs within the /var/ossec/logs/archives and /var/ossec/logs/alerts folders, and the same for the alerts.json, alerts.log, archives.json and archives.log files. I understand that once these are indexed they are no longer necessary; is that correct? If you can enlighten me on this matter.

I have seen some queries on Google Groups, but they only set the crontab to a year or less to delete them. The issue is that I still can't find a way to first check whether they were indexed before deletion. The main problem is the disk. I made a policy to manage the indexes, but I need to delete the other ones. (https://wazuh.com/blog/wazuh-index-management/)

Thanks

German

Md. Nazmur Sakib

Mar 22, 2024, 1:59:53 AM
to Wazuh | Mailing List

Hi German DiCasas,


Good Day!


You can check if you have indices of all of your alerts from Index Management > Indices




If you have not created indices for the archive log following this, the indices for the archive log will not be present in the Wazuh indexer.


In this case, after deleting them from the /var/ossec/logs/archives/Year/Mon folder, there will be no other way to recover them.


If you delete any indices of alert or archive logs from the ossec.log, you can restore them from the /var/ossec/logs/archives/Year/Mon and /var/ossec/logs/alerts/Year/Mon logs.


You can also use these log files to restore logs from this server to a new one while migrating your Wazuh server.



If you still choose to delete those logs from the /var/ossec/logs/** folders but want to be able to restore old logs when needed, I would suggest keeping a backup of logs at the indices level using the snapshot option of the Wazuh indexer (OpenSearch). This will help you keep a copy of your old log indices in another place and will give you the flexibility to even delete old indices to free up space if needed.


I hope this helps. Let me know if you need any further information.

German DiCasas

Mar 22, 2024, 9:43:19 AM
to Wazuh | Mailing List
Nazmur, 

Thanks, I can now see the difference and the solution for my issue using snapshots. I will read that document carefully.

So, the Wazuh indexer is only for alerts, monitoring and statistics. How often are these indices created? In what part of Wazuh can I set the time span of each index? That is, for example, I have daily indexes for alerts like wazuh-alerts-4.x-2024.02.14 and weekly indexes for monitoring and statistics like wazuh-monitoring-2024.12w. Knowing that, can I make a crontab to delete them (/logs/archives and /logs/alerts) after indexing, and would everything still work correctly?

All this is because Wazuh indicates 200GB of disk storage for 50-100 agents (https://documentation.wazuh.com/current/quickstart.html#requirements), but I have a lot more space used. /logs/archives and /logs/alerts alone take approx. 450GB. The document says that 200GB for 90 days is for indexed alert data, but not for all the other space needed.

Md. Nazmur Sakib

Mar 27, 2024, 5:52:00 AM
to Wazuh | Mailing List

Hi German DiCasas, 

Sorry for the delay. I was on my holiday.

First, you need to understand that logs are stored in two levels.

On the Wazuh manager level:


On /logs/archives and /logs/alerts folders.

By default these log files are rotated per day. That means there will be one alert and one archive log file for each day (https://github.com/wazuh/wazuh/blob/v4.4.0/src/client-agent/rotate_log.c), and an individual directory is automatically created for each month and year, where the date-wise logs are saved in individual .json and .log files per day (format: /var/ossec/logs/alerts/<year>/<month>/<day>.json|log).


The internal process of the rotation is similar to the one here https://github.com/wazuh/wazuh/blob/v4.4.0/src/client-agent/rotate_log.c.


You can use crontab to delete those files based on week, month, or year.


On the Wazuh indexer level:


From the alerts log, Wazuh creates indices to map the index values, to visualize them on the Dashboard, and stores those indices as well. You can automate the deletion of those indices of old logs following this document:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html


Let me know if you need any further information.
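The check German asked for in the first message (confirm a day's alerts were indexed before the crontab removes the file) is not something the thread supplies, so here is an added example; it is not Wazuh's own tooling. It assumes the rotated-file naming /var/ossec/logs/alerts/<year>/<Mon>/ossec-alerts-<DD>.json (and ossec-archive-<DD>.json under archives/, gzipped after rotation), that Filebeat writes to the wazuh-alerts-4.x-* and wazuh-archives-4.x-* index patterns, that each alert carries a timestamp field, the OpenSearch _cat/indices and _count APIs, and the default indexer CA path; all of these are assumptions marked in the code. A file is only approved for deletion when it is older than the retention window and the indexer holds at least as many documents for that day as the file holds events, so archives that were never indexed are always kept. The indexer lookup is injected as a callable, and demo() builds a constructed sample tree with a stub lookup so the decision logic can be run offline.

```python
"""Retention check for Wazuh manager-side daily alert/archive files (added example, not
Wazuh project code): delete a day file only once the indexer holds its events."""
import base64, gzip, json, os, re, ssl, tempfile, urllib.error, urllib.request
from collections import namedtuple
from datetime import date, datetime, timedelta
from typing import Callable, Optional

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
# Assumed rotated-file naming: .../alerts/2024/Mar/ossec-alerts-14.json[.gz] and
# .../archives/2024/Mar/ossec-archive-14.json[.gz], one JSON event per line.
FILE_RE = re.compile(r"/(?P<kind>alerts|archives)/(?P<y>\d{4})/(?P<mon>[A-Z][a-z]{2})/"
                     r"ossec-(?:alerts|archive)-(?P<d>\d{2})\.json(?P<gz>\.gz)?$")
# Assumed index patterns Filebeat writes to; archive indices exist only if archive indexing is on.
PATTERNS = {"alerts": "wazuh-alerts-4.x-*", "archives": "wazuh-archives-4.x-*"}
Lookup = Callable[[str, date], Optional[int]]  # (pattern, day) -> doc count, None if no index
Decision = namedtuple("Decision", "path day local indexed delete reason")


def parse_path(path: str):
    """(kind, day, gzipped) for a rotated file, or None if the name is not recognised."""
    m = FILE_RE.search(path)
    if not m or m["mon"] not in MONTHS:
        return None
    return m["kind"], date(int(m["y"]), MONTHS.index(m["mon"]) + 1, int(m["d"])), bool(m["gz"])


def count_events(path: str, gzipped: bool) -> int:
    with (gzip.open if gzipped else open)(path, "rt", encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if line.strip())


def check_file(path: str, lookup: Lookup, min_age_days: int, today: date) -> Decision:
    parsed = parse_path(path)
    if parsed is None:
        return Decision(path, None, 0, None, False, "unrecognised path")
    kind, day, gz = parsed
    local = count_events(path, gz)
    if (today - day).days < min_age_days:
        return Decision(path, day, local, None, False, "younger than retention")
    indexed = lookup(PATTERNS[kind], day)
    if indexed is None:  # e.g. archives never indexed: deleting would be unrecoverable
        return Decision(path, day, local, None, False, "no index for this kind of log")
    if indexed < local:
        return Decision(path, day, local, indexed, False, "index holds fewer events than the file")
    return Decision(path, day, local, indexed, True, "indexed")


def prune(root: str, lookup: Lookup, min_age_days: int, today: date, dry_run: bool = True):
    """Walk root (normally /var/ossec/logs) and delete the files check_file approves."""
    decisions = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            dec = check_file(os.path.join(dirpath, name), lookup, min_age_days, today)
            if dec.delete and not dry_run:
                os.remove(dec.path)
            decisions.append(dec)
    return decisions


def count_via_indexer(base_url: str, user: str, password: str,
                      ca_file: str = "/etc/wazuh-indexer/certs/root-ca.pem") -> Lookup:
    """Live lookup via the OpenSearch _cat/indices and _count APIs (CA path default is an assumption)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    hdrs = {"Content-Type": "application/json",
            "Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

    def call(method, url, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    def lookup(pattern: str, day: date) -> Optional[int]:
        try:
            if not call("GET", f"{base_url}/_cat/indices/{pattern}?format=json"):
                return None  # pattern matches no index at all
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return None
            raise
        # The manager rotates at local midnight while index names follow UTC, so count by
        # the alert timestamp for that local day instead of by index name.
        start = datetime.combine(day, datetime.min.time()).astimezone()
        query = {"query": {"range": {"timestamp": {"gte": start.isoformat(),
                                                   "lt": (start + timedelta(days=1)).isoformat()}}}}
        return int(call("POST", f"{base_url}/{pattern}/_count", json.dumps(query).encode())["count"])
    return lookup


def demo():
    """Constructed sample tree plus a stub lookup, so the decision logic runs offline."""
    root = tempfile.mkdtemp()
    ev = lambda i: json.dumps({"timestamp": f"2024-03-14T10:00:{i:02d}.000+0000", "rule": {"id": "5501"}}) + "\n"
    sample = {"alerts/2024/Mar/ossec-alerts-14.json": 3,      # fully indexed -> delete
              "alerts/2024/Mar/ossec-alerts-13.json.gz": 2,   # only 1 indexed -> keep
              "alerts/2024/Mar/ossec-alerts-27.json": 1,      # too young -> keep
              "archives/2024/Mar/ossec-archive-13.json": 1}   # archives not indexed -> keep
    for rel, n in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with (gzip.open if rel.endswith(".gz") else open)(full, "wt") as fh:
            fh.write("".join(ev(i) for i in range(n)))
    stub = {("wazuh-alerts-4.x-*", date(2024, 3, 14)): 3, ("wazuh-alerts-4.x-*", date(2024, 3, 13)): 1}
    decisions = prune(root, lambda p, d: stub.get((p, d)), 7, date(2024, 3, 28))
    return {os.path.basename(d.path): d for d in decisions}
```

On a live manager you would call prune("/var/ossec/logs", count_via_indexer("https://indexer:9200", "admin", password), 30, date.today(), dry_run=True) from a daily cron job and only drop dry_run once the decisions look right. Only the .json files are matched, so the companion .log and .sum files are left alone; extend FILE_RE if you want them removed with the same rule. An equal count is a sanity check, not proof that every event reached the indexer, so keep the indexer snapshot backup suggested earlier in the thread for anything you must be able to restore.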



German DiCasas

Mar 27, 2024, 8:51:17 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
Nazmur,

Thanks for the reply. I understand now. Alerts are daily, so I can delete them after 24 hours. What about monitoring and statistics? Also, where can I change that frequency, or can't I?

Also, regarding the requirements, is the storage only for index files by default? (https://documentation.wazuh.com/current/quickstart.html#requirements) I mean, Wazuh indicates 200GB of disk storage for 50-100 agents; the 200GB is estimated only on index files by default, correct? I know that it depends on EPS. Is that correct?

Thanks Nazmur




Md. Nazmur Sakib

Mar 28, 2024, 7:24:53 AM
to Wazuh | Mailing List

If you look at the indices of monitoring and statistics, those create one index per week and occupy very little space. These indices should not impact your storage that much.



You can also delete the old monitoring and statistics logs from the Indices tab by using the Action menu at the top.


By changing the frequency, did you mean the rollover of indices? You can manage rollover by writing an index state management policy.



Ref: https://opensearch.org/docs/latest/im-plugin/ism/policies#rollover


You are correct about the requirement. The calculation is done based on the storage only for index files.


I hope this answers your questions.

Md. Nazmur Sakib

Mar 29, 2024, 12:26:40 AM
to Wazuh | Mailing List
Hi German DiCasas,

Let me know if you need any further information regarding this.