is there a way to delete all data from agent in wazuh web interface?

[John Kondur]

Basically I have some clients that I am removing since no longer needed, and I want to purge all the data from the wazuh web interface.

I already removed the agents in the command line using /var/ossec/bin/manage_agents

But is there an easy way to do it with elasticsearch I guess?

Thanks

[Jose Luis Ruiz]

Good morning John,

If you are using the last version from Wazuh-Plugin in Kibana (2.1.0_5.5.2) you have three new buttons

- Add new agent

- Refresh the list of agents

- Delete one or more than one agent.

You can take a look from the screenshot in this mail where i show you the new options.

Regards

-----------------------

Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ac5627ae-fd32-4cc7-bf78-0a1953c18816%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[John Kondur]

Oh I see that option, but the agents re already gone in the list, becuase I did remove from command line with /var/ossec/bin/manage_agents

The problem is you see where it shows higher activity and then lists wazuh-manager, for mine the higher activity shows an agent that is no longer there, so when you click it I get an error:

Agents: Wazuh API returned an error message. Error: Agent does not exist: 009

I am just trying to clean up old data, what is the difference between deleting from the interface and using /var/ossec/bin/manage_agents?  In the future I should just do it from web interface like above?

Thanks

On Fri, Aug 25, 2017 at 12:36 PM, Jose Luis Ruiz <jo...@wazuh.com> wrote:

Good morning John,

If you are using the last version from Wazuh-Plugin in Kibana (2.1.0_5.5.2) you have three new buttons

- Add new agent

- Refresh the list of agents

- Delete one or more than one agent.

You can take a look from the screenshot in this mail where i show you the new options.

Regards

-----------------------

Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

On August 25, 2017 at 12:05:00 PM, John Kondur (kongf...@gmail.com) wrote:

Basically I have some clients that I am removing since no longer needed, and I want to purge all the data from the wazuh web interface.

I already removed the agents in the command line using /var/ossec/bin/manage_agents

But is there an easy way to do it with elasticsearch I guess?

Thanks

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Jose Luis Ruiz]

Hi John,

Remove one agent doesn’t mean remove the logs that have been generated for this agent until the moment that you remove it, the logs still there, the logs still in the system.

The option to remove the agent from the WazuhAPP uses the same manage_agents manage by the API, so really you are running the same command.

Regards

-----------------------

Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

[John Kondur]

That makes sense,  but is there no easy way to clear the data from say elasticsearch? for all of one host?

[Jose Luis Ruiz]

Hi John,

No, there is no a easy way to clear specific documents from elastic at the moment with WazuhAPP.

You can run deletes using Elastic API.

https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-delete-by-query.html

But take care, once one log is deleted, is deleted.

I’m not an expert in Elastic, sorry i cannot help here to show you the exactly elastic query to run in oder to delete all information where agent.name = “xxxxxx”.

Regards

-----------------------

Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com

[Michael McCarn]

I know this is an old topic, but I ran into the same challenge while figuring out how to install Wazuh.

On my system running the virtual appliance (updated to wazuh-manager-3.1.0-1.x86_64 / elasticsearch-6.1.2-1.noarch), I was able to delete data related to outdated agents like this:

1) Use "Discover" to create a query that identifies the entries from the agent to be deleted, 'edit' the query, then use 'Edit Query DSL' to get the query details.  I used "agent.name", but presumably this could also be done using "agent.id", "predecoder.hostname", etc.

On my system, I ended up with this:

{
  "query": {
    "match": {
      "agent.name": {
        "query": "Blacksburg133",
        "type": "phrase"
      }
    }
  }
}

2) use Dev Tools to run _delete_by_query as shown below.
* "/wazuh*/" will delete all entries form all "wazuh-alerts-*" and "wazuh-monitor-*" indexes
* remove the "type" specification from the query created by Discover (I get an error in the results otherwise)

POST /wazuh*/_delete_by_query
{
   "query": {
    "match": {
      "agent.name": {
        "query": "Blacksburg133"
      }
    }
  }
}

Success generates output like this (I didn't save the original output, so this example shows all zeros):

{
  "took": 17,
  "timed_out": false,
  "total": 0,
  "deleted": 0,
  "batches": 0,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}

[Dmitriy]

Try to do this query:

POST wazuh-alerts-*/_delete_by_query
{
  "query": {
    "match": {
    "agent.name": "Blacksburg133"
    }
  }
}

воскресенье, 21 января 2018 г., 17:59:05 UTC+3 пользователь Michael McCarn написал:

[Jose Luis Ruiz]

Hi Dmitriy +1 to this query:

POST wazuh-alerts-*/_delete_by_query
{
  "query": {
    "match": {
    "agent.name": "your agent name"
    }
  }
}

Regards

————————

José Luis Ruiz.

Wazuh Inc.

jo...@wazuh.com