Clean up after removing indexes from dash board

[felixm]

Hello,

I'm seeing an issue where index files are not cleaned up completely when deleating them from the dash board.  Though the indexes are no longer shown on the dash board the files still persist on the disk.

Example:



Is it safe to just manually remove these .gz files or is there a better way?

Thanks,
felix

[Nicolas Zapata]

Hi,

The .gz files you're seeing are archived logs that remain on disk even after deleting their indexes from the dashboard. This is expected behavior, as Wazuh does not automatically remove log files when indexes are deleted.

Yes, it's safe to delete them manually if you're sure they're no longer needed and not being used.

Here is more information about these .gz logs:

https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#log-compression-and-rotation

Alternatively, you can move them to a backup location if you want to keep them.

[Nicolas Zapata]

Additionally, if the indexes are being deleted manually from the dashboard, it would be advisable to implement a retention policy to automate this process and avoid having to clean up old files manually.

Another option is to configure a crontab on the Wazuh server to automatically remove archived logs after a certain number of days. For example:

45 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +366 -exec rm -f {} \; 45 1 * * * find /var/ossec/logs/archives/ -type f -mtime +366 -exec rm -f {} \;

This will run daily at 12:45 AM for the alerts folder and at 1:45 AM for the archives folder, deleting files older than 366 days. The number of days (-mtime +366) can be adjusted according to retention needs. After adding the lines to the crontab file, simply save the changes and the cleanup will be executed automatically.