Purging data in Wazuh


José Manuel de León Rodas

Oct 13, 2023, 4:51:38 PM
to Wazuh | Mailing List
How can the data that Wazuh has collected during its trial period be purged or deleted, so that we can go into production with a clean server?

mariano hinjos

Oct 17, 2023, 2:41:59 AM
to Wazuh | Mailing List
Hello

You will normally get better results asking in English; you can use any translator if you have difficulties, that is what I do.

Answering your question, I can show you how to delete indices. First, query:

curl "https://127.0.0.1:9200/_cat/indices/wazuh-alerts-4.x-2023.10*" --insecure -u usuario:password -k (indicates year 2025, month 10)

Deletion

curl -X DELETE "https://127.0.0.1:9200/wazuh-alerts-4.x-2023.10.*?pretty" -u usuario:password -k

For example, I don't know if that is what you need.

Matias Braida

Oct 17, 2023, 8:22:50 AM
to Wazuh | Mailing List
Hello Jose,
First of all, thanks for using Wazuh.

To allow all users to find information and understand questions/replies of the community, the preferred language is English.

To clean old index data you can do the following:

* For checking indexes before deleting them, use:
  curl -k -u <User>:<Password> -X GET https://<Wazuh-Indexer-IP>:9200/_cat/indices/wazuh-alerts-4.x-*?v

  You’ll see something like this in return:
  health status index                        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
  green  open   wazuh-alerts-4.x-2021.05.13  819gIjqIQCSdnvvWO8E4DQ   1   0        468            0    616.2kb        616.2kb
  green  open   wazuh-alerts-4.x-2021.05.14  ajB_eIaSTEWhNtaF7GgyRA   1   0          1            0       12kb           12kb
  green  open   wazuh-alerts-4.x-2021.05.17  k2T_PLg0SPmtxBJlIfIU5Q   1   0         87            0    169.9kb        169.9kb
  green  open   wazuh-alerts-4.x-2021.06.29  H7YFXIzBRzSg0vjs_axtNg   1   0          4            0     31.1kb         31.1kb
  green  open   wazuh-alerts-4.x-2021.05.18  YuoQ4WRVRF2ycKrneUWTyA   1   0          1            0       12kb           12kb
  green  open   wazuh-alerts-4.x-2021.08.09  h7qPTOB2Qsy0PL362eEBrg   1   0          9            0     69.7kb         69.7kb

* Once you identify the indexes you want to delete from the system, you can delete them one by one with the following command:
  curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/<index_name>

* If you want, for example, to delete all indexes from January 2021, you can run the following command:
  curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2021.01*

* If you want, for example, to delete all indexes from the whole year 2021, you can run the following command:
  curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2021*

Execute this process carefully!

Also, you could remove your test agents from the wazuh manager using the wazuh API:
First, you need to authenticate using user and password.
curl -u <USER>:<PASSWORD> -k -X POST "https://<Wazuh-Manager-IP>:55000/security/user/authenticate"

With this command, you get the authentication token you will use in further requests to the manager.
Please check the link: https://documentation.wazuh.com/current/user-manual/api/reference.html#section/Authentication

Then you could execute the remove request using this obtained token. With this command:
curl -k -X DELETE "https://<Wazuh-Manager-IP>:55000/agents?pretty=true&older_than=0s&agents_list=<AGENT_ID_1>,<AGENT_ID_2>,<AGENT_ID_n>&status=all" -H "Authorization: Bearer <YOUR_JWT_TOKEN>"

With this command, you could remove a list of agents.
Please check the link: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.delete_agents

Also take a look at this link: https://documentation.wazuh.com/current/user-manual/agents/remove-agents/restful-api-remove.html

For this step, you could also use the dashboard console if you prefer.

Hope this helps.
Regards
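The "check first, then delete" sequence from the reply above can be made safer by turning it into a dry run: select the daily wazuh-alerts indices older than a cutoff from the `_cat/indices` listing and print the DELETE commands for review before anything is executed. This is an added example, not code from the thread or from Wazuh; the indexer URL, the credential variable and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-run helper that takes the
# `_cat/indices` listing shown above, selects wazuh-alerts indices whose
# date suffix is older than a cutoff, and prints the DELETE commands
# instead of running them. INDEXER_URL and AUTH are placeholders.
INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"
AUTH="${WAZUH_INDEXER_AUTH:-user:password}"   # placeholder; set via environment

# Constructed sample of the `_cat/indices/wazuh-alerts-4.x-*?v` output.
SAMPLE_CAT='health status index                        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2021.05.13  819gIjqIQCSdnvvWO8E4DQ   1   0        468            0    616.2kb        616.2kb
green  open   wazuh-alerts-4.x-2021.05.14  ajB_eIaSTEWhNtaF7GgyRA   1   0          1            0       12kb           12kb
green  open   wazuh-alerts-4.x-2021.06.29  H7YFXIzBRzSg0vjs_axtNg   1   0          4            0     31.1kb         31.1kb
green  open   wazuh-alerts-4.x-2021.08.09  h7qPTOB2Qsy0PL362eEBrg   1   0          9            0     69.7kb         69.7kb'

# select_old_indices CUTOFF   (listing on stdin, CUTOFF as YYYY.MM.DD)
# Prints index names whose YYYY.MM.DD suffix sorts before CUTOFF. The header
# line and anything that is not a daily wazuh-alerts index are ignored, so a
# stray wildcard cannot widen the selection.
select_old_indices() {
  awk -v cutoff="$1" '
    $3 ~ /^wazuh-alerts-4\.x-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ {
      d = substr($3, length($3) - 9)        # trailing 10 chars: YYYY.MM.DD
      if ((d "") < (cutoff "")) print $3    # zero-padded, so string order is date order
    }'
}

# build_delete_commands CUTOFF   (listing on stdin)
# Emits one curl DELETE per selected index without executing it; review the
# output, then run it (or pipe it to sh) once you are sure of the list.
build_delete_commands() {
  select_old_indices "$1" | while IFS= read -r idx; do
    printf 'curl -k -u "$AUTH" -X DELETE "%s/%s"\n' "$INDEXER_URL" "$idx"
  done
}

# Dry run over the sample: every index dated before 2021-07-01 is listed.
printf '%s\n' "$SAMPLE_CAT" | build_delete_commands 2021.07.01
# Against a live indexer, feed the real listing instead:
#   curl -k -u "$AUTH" "$INDEXER_URL/_cat/indices/wazuh-alerts-4.x-*" | build_delete_commands 2021.07.01
```

The wildcard deletes in the reply above remove everything the pattern matches in one request; this variant lets you read the exact index list first, which is the check most people want before wiping a production indexer.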