How to set the log data retention to 2 year?


AKat

Nov 14, 2022, 2:36:40 PM
to Wazuh mailing list
Is there a guide on how to keep the agent logs for two years and afterwards have it removed?

Thanks

Sebastian Falcone

Nov 14, 2022, 2:53:13 PM
to Wazuh mailing list
Hello! How's that going?

Wazuh has no mechanism for removing old logs; however, I will quote another teammate on this one:
"""
We have a daemon called monitord which, among other things, is in charge of rotating (and compressing) files.
When rotation is enabled and the current log file reaches some max size or is old enough, monitord creates a new file for storing new upcoming log data. The old (rotated) log file is renamed as shown below:
  • /var/ossec/logs/wazuh/<YEAR>/<MONTH>: Rotated files ossec.log
  • /var/ossec/logs/alerts/<YEAR>/<MONTH>: Rotated files alerts.log|json
  • /var/ossec/logs/archives/<YEAR>/<MONTH>: Rotated files archives.log|json
  • /var/ossec/logs/api/<YEAR>/<MONTH>: Rotated files api.log
  • /var/ossec/logs/cluster/<YEAR>/<MONTH>: Rotated files cluster.log
  • /var/ossec/logs/firewall/<YEAR>/<MONTH>: Rotated files firewall.log
Important: Wazuh is not going to remove these old files. You have to do it manually or with some scheduler like crontab. Something like:
0 0 * * mon find /var/ossec/logs/alerts/ -type f -mtime +730 -exec rm -f {} \;
0 0 * * mon find /var/ossec/logs/archives/ -type f -mtime +730 -exec rm -f {} \;

Monitord main configuration
There are 4 settings related to log rotation that you can configure in the /var/ossec/etc/local_internal_options.conf file:
  • monitord.rotate_log: This setting enables log rotation, it is enabled by default.
  • monitord.size_rotate: With this setting you can configure the maximum size of the file to trigger rotation, it is set to 512MB by default.
  • monitord.daily_rotations: With this setting you can configure the maximum number of rotations per day, it is set to 12 by default.
  • monitord.keep_log_days: With this setting you can configure the number of days to store the rotated logs before deleting them, by default it is 31 days.
For complete information: Documentation
"""

AKat

Nov 14, 2022, 3:25:04 PM
to Wazuh mailing list
Are there supposed to be any values already in the /var/ossec/etc/local_internal_options.conf file?
I checked it on the master Wazuh manager server and it was blank. So am I supposed to add the monitord variables to a blank .conf file?

So if I wanted log retention for say 2 years I would add the following:
monitord.keep_log_days: 730

Thanks

Sebastian Falcone

Nov 15, 2022, 6:19:43 AM
to Wazuh mailing list
"""
Are there supposed to be any values already in the /var/ossec/etc/local_internal_options.conf file?
"""
  • The local_internal_options.conf will be empty, the default values are located at /var/ossec/etc/internal_options.conf (this file will be overwritten during upgrades)

"""
So if I wanted log retention for say 2 years I would add the following:
monitord.keep_log_days: 730
"""
  • The maximum value for monitord.keep_log_days is 500; you can check all the configurations for local_internal_options.conf in the documentation
  • I think your best option for what you want is to use a cronjob to remove, or move to another location, the old logs
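Since monitord.keep_log_days caps at 500 days, the two-year retention asked for here has to come from an external job. The following is an added example (not from this thread and not Wazuh's own code) that turns the crontab one-liners quoted earlier into a guarded function: it only touches rotated files inside the <YEAR>/<MONTH> subdirectories described in the reply, never the live alerts.log or ossec.log at the top level, can move files to cold storage instead of deleting them, and reports how many files it handled. The function name, the move-to-archive option and the sample paths are my own.

```shell
#!/bin/sh
# prune_rotated_logs BASE_DIR DAYS [MOVE_TO]
# Removes (or, when MOVE_TO is given, moves) regular files under BASE_DIR
# that were last modified more than DAYS days ago. Assumes the rotated
# layout /var/ossec/logs/<type>/<YEAR>/<MONTH>/ from the reply above, so
# -mindepth 3 skips the live log files sitting directly in <type>/.
# Prints the number of files affected so a caller (or cron mail) can log it.
prune_rotated_logs() {
    base="$1"; days="$2"; dest="${3:-}"
    # Refuse to run with a bad retention value or a missing base directory;
    # a typo here must not turn into an rm over the wrong tree.
    case "$days" in ''|*[!0-9]*) echo "bad retention days: $days" >&2; return 1;; esac
    [ -n "$base" ] && [ -d "$base" ] || { echo "no such directory: $base" >&2; return 1; }

    # Count first so the result is reported even when nothing is found.
    n=$(find "$base" -mindepth 3 -type f -mtime "+$days" | wc -l | tr -d ' ')

    if [ -n "$dest" ]; then
        # Move to cold storage, preserving <type>/<YEAR>/<MONTH> under $dest.
        find "$base" -mindepth 3 -type f -mtime "+$days" -exec sh -c '
            base="$1"; dest="$2"; shift 2
            for f; do
                rel="${f#"$base"/}"
                mkdir -p "$dest/$(dirname "$rel")"
                mv "$f" "$dest/$rel"
            done' sh "$base" "$dest" {} +
    else
        find "$base" -mindepth 3 -type f -mtime "+$days" -exec rm -f {} +
    fi

    # Drop <YEAR>/<MONTH> directories left empty by the cleanup.
    find "$base" -mindepth 1 -type d -empty -delete 2>/dev/null
    echo "$n"
}

# Example cron entry (weekly, Monday 00:00) using the function from a script:
#   0 0 * * mon /usr/local/sbin/prune-wazuh-logs.sh
# where the script sources this file and calls:
#   prune_rotated_logs /var/ossec/logs/alerts 730
#   prune_rotated_logs /var/ossec/logs/archives 730 /mnt/coldstore/wazuh
```

Run it once with a non-production BASE_DIR first; the count it prints tells you how many rotated files the retention window would affect before you wire it into cron.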