Hi,
> 1 - whether I actually required these files? (since wazuh alerts are getting stored in another directory)
> 2 - What information gets stored actually in these files? I see Syslog messages I received also inside these files
The file /var/log/messages has all the global system messages located inside, including the messages that are logged during system startup. Depending on how the syslog config file is set up, there are several things that are logged in this file, including mail, cron, daemon, kern, auth, etc. More information is here.
This file is not related to the Wazuh alert directory but Wazuh (manager and agent) reads that file by default in order to analyze security-relevant events. It is an important file to analyze on any Linux server.
> 3 - Will it be possible to move the /var/log folder to another disk/partition and create a logical bind?
Yes, you can do it. In fact, it is usually recommended to protect against resource exhaustion and secure the data.
> 4 - How can I limit the events getting stored in this file
I would recommend using the tool logrotate, which allows automatic rotation and compression of log files. Here is more information about it.
I hope it helps.
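As an added example (not part of the original thread and not Wazuh project code), the script below puts the two recommendations from the reply into runnable form: a logrotate stanza that caps /var/log/messages by age and size, and the copy-then-bind-mount sequence for relocating /var/log to another disk. The mount point /mnt/logdisk/log, the retention values, and rsyslog as the syslog daemon are assumptions chosen for illustration; the files created by the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes rsyslog writes
# /var/log/messages and that the new disk is mounted at /mnt/logdisk.
set -eu

# Emit a logrotate stanza for one log file. "daily" plus "maxsize" means
# the file is rotated every day OR as soon as it exceeds the size cap,
# which is what bounds its growth on a busy host.
logrotate_stanza() {
    logfile="$1"; keep="${2:-7}"; maxsize="${3:-100M}"
    cat <<EOF
$logfile {
    daily
    rotate $keep
    maxsize $maxsize
    missingok
    notifempty
    compress
    delaycompress
    create 0600 root root
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# Catch the classic mistake: rotating without telling the daemon to reopen
# the file (postrotate HUP) or using copytruncate. Without one of them the
# daemon keeps writing into the renamed file and the cap is never enforced.
check_stanza() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -q 'rotate ' || return 1
    printf '%s\n' "$cfg" | grep -Eq 'copytruncate|postrotate' || return 1
}

# Stage a copy of the current log tree on the new disk, preserving
# ownership, modes and timestamps (cp -a), then verify nothing was lost.
# In production stop rsyslog and the wazuh-agent first so no writes are
# missed between the copy and the mount.
stage_log_dir() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp -a "$src"/. "$dst"/
    diff -r "$src" "$dst" >/dev/null
}

# The /etc/fstab line that bind-mounts the staged copy over /var/log so
# every path (and every Wazuh localfile entry) keeps working unchanged.
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Demo on constructed data in a temp dir (no root needed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/log/wazuh"
    echo "Jan  1 00:00:00 host sshd[1]: Accepted publickey for root" > "$tmp/var/log/messages"
    echo "ossec-logcollector: INFO: Started" > "$tmp/var/log/wazuh/ossec.log"
    chmod 600 "$tmp/var/log/messages"

    stage_log_dir "$tmp/var/log" "$tmp/mnt/logdisk/log"
    echo "# add to /etc/fstab, then: mount /var/log"
    bind_fstab_line /mnt/logdisk/log /var/log

    echo "# write to /etc/logrotate.d/messages, dry-run with: logrotate -d /etc/logrotate.d/messages"
    cfg=$(logrotate_stanza /var/log/messages 14 50M)
    check_stanza "$cfg"
    printf '%s\n' "$cfg"
    rm -rf "$tmp"
}

demo
```

The stanza keeps 14 compressed days but never lets the live file pass 50 MB; `logrotate -d` dry-runs the configuration without touching files. For the relocation, the order that avoids losing events is: stop the writers, stage the copy, add the fstab line, `mount /var/log`, then start the writers again.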