alerts.json and alerts.log are 30+ Gbs
1,332 views
Skip to first unread message
Gary Woodard
Jun 22, 2022, 4:51:21 PM6/22/22
to Wazuh mailing list
Why are these logs growing? Shouldn't the information in the logs be offloaded to kibana?
Carlos Dams
Jun 22, 2022, 6:03:44 PM6/22/22
to Wazuh mailing list
Hi Gary,
You can create a cron job to automatically delete old alerts according to your data retention policy, considering that the same alerts are also stored in the Wazuh-indexer/Elasticsearch indexes. You have more information about the Wazuh indexes management in the Index backup management Engineering and Wazuh index management blog posts.
Thanks for using Wazuh!
The alerts.log and alerts.json are rotated and compressed daily, could you execute the command du -h /var/ossec/logs/alerts and share the output here, please.
most likely the files that are taking more space are the compressed ones.
More info here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#alert
Also, what is the log-alert-level you have set in /var/ossec/etc/ossec.conf? the default value is 3, if you have a lower number this might be causing the log files to grow faster.
You can create a cron job to automatically delete old alerts according to your data retention policy, considering that the same alerts are also stored in the Wazuh-indexer/Elasticsearch indexes. You have more information about the Wazuh indexes management in the Index backup management Engineering and Wazuh index management blog posts.
I hope this information helps,
Please, let me know
Carlos Dams
Jun 22, 2022, 7:11:42 PM6/22/22
to Wazuh mailing list
Also, run the command
ls -lrth /var/ossec/logs/alerts to check the file size of alerts.log and alerts.json individually.
Thanks
Gary Woodard
Jun 22, 2022, 8:48:27 PM6/22/22
to Carlos Dams, Wazuh mailing list
They’re both 30+Gb each
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/_DMex-0nQps/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5344bb5e-6d51-49d0-9252-6d8bdb0670d9n%40googlegroups.com.
Carlos Dams
Jun 24, 2022, 8:55:59 PM6/24/22
to Wazuh mailing list
Hi Gary,
alerts.log and alerts.json rotate daily and there is no parameter yet to change that.
Do these logs get to 30 GB each day? or is it that the logs are not rotating?
Gary Woodard
Jul 15, 2022, 4:51:28 PM7/15/22
to Wazuh mailing list
Added rotation parameter. Log files still growing.
![wazuh - large log files.PNG]()
Carlos Dams
Jul 18, 2022, 3:20:31 PM7/18/22
to Wazuh mailing list
Hi Gary,
Thanks for keep posting the replies here in Google Groups,
Thanks for keep posting the replies here in Google Groups,
ok, you tried the previous recommendation of rotate_interval and it did not work as expected, right? - What if you use rotate_interval and assign 12 hours for example.
Did you add the parameter inside a <global></global> section in ossec.conf? Would you share here the /var/ossec/etc/ossec.conf for me to take a look?
Also, /var/ossec/logs/ossec.log might be helpful.
Just to make sure it is still the same problem (let me know if it is correct):
- the /var/ossec/logs/alerts.log and /var/ossec/logs/alerts.json are not rotating, so there are no files related to these under /var/ossec/logs/alerts/2022/<month>
- /var/ossec/logs/alerts.{logj|son} just keep growing in size
- Your Wazuh Manager version is 4.3.4 (you told me the latest version on June 28th, release dates)
Do you know if all other components are working correctly? Specially Filebeat, Wazuh-Indexer.
Also, I think you tried to attach a picture but I cannot see it, please, would you try attaching it again?
Thanks,
Reply all
Reply to author
Forward
0 new messages