req wazuh logs
37 views
Skip to first unread message
Monesh
May 27, 2026, 8:51:37 AM (11 days ago) May 27
to Wazuh | Mailing List
hello,
i want to perform log retention and log rotation but i don't know how to proceed with the proper configuration.
lucas....@wazuh.com
May 27, 2026, 9:20:06 AM (11 days ago) May 27
to Wazuh | Mailing List
Hello, I hope you're well.
There are two separate aspects to cover here:
1. Log rotation (Wazuh Manager — filesystem logs)
Wazuh handles log rotation automatically. Log files are compressed daily and signed using MD5, SHA1, and SHA256 hashing algorithms. Rotated files are organized under /var/ossec/logs/ in year/month subdirectories.
To control how long rotated logs are kept, set monitord.keep_log_days in /var/ossec/etc/local_internal_options.conf:
```
monitord.keep_log_days=90
```
The default value is 31 days.
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html
2. Log retention (Wazuh Indexer — alert indices)
You can implement lifecycle policies for your data using Index State Management (ISM). ISM triggers index operations automatically based on index age, size, and document count.
To configure a retention policy, go to Wazuh Dashboard → ☰ → Indexer management → Index Management → State management policies → Create policy, and define a deletion transition using Minimum Index Age (e.g., 90d).
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html
Let us know if you have any questions!
There are two separate aspects to cover here:
1. Log rotation (Wazuh Manager — filesystem logs)
Wazuh handles log rotation automatically. Log files are compressed daily and signed using MD5, SHA1, and SHA256 hashing algorithms. Rotated files are organized under /var/ossec/logs/ in year/month subdirectories.
To control how long rotated logs are kept, set monitord.keep_log_days in /var/ossec/etc/local_internal_options.conf:
```
monitord.keep_log_days=90
```
The default value is 31 days.
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html
2. Log retention (Wazuh Indexer — alert indices)
You can implement lifecycle policies for your data using Index State Management (ISM). ISM triggers index operations automatically based on index age, size, and document count.
To configure a retention policy, go to Wazuh Dashboard → ☰ → Indexer management → Index Management → State management policies → Create policy, and define a deletion transition using Minimum Index Age (e.g., 90d).
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html
Let us know if you have any questions!
lucas....@wazuh.com
Jun 1, 2026, 8:27:10 AM (6 days ago) Jun 1
to Wazuh | Mailing List
Hi, I hope you're well.
Just in case you're still looking for info regarding this topic, please have a look here: https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#monitord.
Let me know if you'd need my help.
Kind regards,
Lucas.
Reply all
Reply to author
Forward
0 new messages