Wazuh logs


Atul Chadha

Jul 27, 2022, 9:59:49 PM
to Wazuh mailing list
Does anyone know why there are two sets of logs created on the Wazuh master, /var/ossec/logs/archives and /var/ossec/logs/archives/2022/Jul?

They appear to hold the same set of data and consume double the space.

Wazuh version: 4.3.5

Abdullah Al Rafi Fahim

Jul 28, 2022, 12:46:56 AM
to Wazuh mailing list
Hello Atul,

Thank you for sharing your query with us.

Wazuh stores all the events received from the agents in /var/ossec/logs/archives/archives.(json|log). The events that are important or of security relevance are considered alerts, and these alerts are stored at /var/ossec/logs/alerts/alerts.(json|log).

However, for both alerts and archives, logs are rotated automatically and an individual directory is created for each month and year. When you need to troubleshoot any previous logs, it is always better to have them stored day-wise than all together.

As you are concerned about space consumption, you can receive only the alert logs and skip logging the archives by setting the logall and logall_json configuration in ossec.conf as:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>


To understand how logall & logall_json work, you may review: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall

I hope it helps. If you have any further queries, please let us know.

Atul Chadha

Jul 28, 2022, 3:33:48 AM
to Wazuh mailing list
Thank you, Abdullah, for the prompt response. We do need to logall messages. Is it possible to turn off creating the secondary logs created under the year/month folder?

We ship the alerts / archives in near real time to ELS and do not need to store them.

Abdullah Al Rafi Fahim

Jul 29, 2022, 12:36:20 AM
to Wazuh mailing list
Hello Atul,

I believe you cannot turn off creating these logs, as this is part of the log rotation policy. However, as the logs are stored in different log/json files per day, you can set up a cron job on your Wazuh manager machine to delete the old log files automatically. For example:

# crontab -e
0 0 * * * find /var/ossec/logs/archives/ -type f -mtime +365 -exec rm -f {} \;

You need to specify the minute, hour, day of the month, month, and weekday for the schedule. The example above runs every day at 00:00; it finds the archive files older than a year and deletes them. If you want to delete files aged more than a day or two, you can just put +1 or +2 instead of +365 in the command.

You can find more information about cron jobs here:

Crontab Guru

Crontab Quick Reference

Please let us know if you need anything else.
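As an added example that is not from the thread, the cleanup above written so it dry-runs first and only ever matches the rotated files under the year/month directories, never the live archives.json or archives.log in the top-level directory; the sample layout and file names are constructed, and the base path and the year/month layout follow the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a retention helper for the
# rotated Wazuh archive directories discussed above. The base path and the
# <year>/<Mon>/ layout come from the thread; file names are constructed.
set -eu

# prune_wazuh_archives DIR DAYS [--delete]
# Prints rotated files under DIR/<year>/<Mon>/ older than DAYS days and,
# only when --delete is given, removes them. The default is a dry run so
# the match can be inspected before the command is wired into cron.
prune_wazuh_archives() {
    dir=$1; days=$2; mode=${3:-}
    # -mindepth 3 limits matches to DIR/<year>/<Mon>/<file>, so the live
    # archives.json / archives.log in DIR itself can never be selected.
    if [ "$mode" = "--delete" ]; then
        find "$dir" -mindepth 3 -type f -mtime +"$days" -print -delete
    else
        find "$dir" -mindepth 3 -type f -mtime +"$days" -print
    fi
}

# count_rotated DIR: number of rotated files still present (for checking).
count_rotated() {
    find "$1" -mindepth 3 -type f | wc -l | tr -d ' '
}

# demo_archives: build a constructed copy of the archives layout in a temp
# directory and print its path. One rotated file and the live file are
# backdated to June 2022 so they are more than 365 days old.
demo_archives() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/2022/Jun" "$tmp/2024/Jan"
    : > "$tmp/archives.json"                    # live file, must survive
    : > "$tmp/2024/Jan/ossec-archives-03.json"  # rotated file, mtime now
    : > "$tmp/2022/Jun/ossec-archives-01.json"  # rotated file, old
    touch -t 202206010000 "$tmp/2022/Jun/ossec-archives-01.json"
    touch -t 202206010000 "$tmp/archives.json"  # old too, but out of scope
    echo "$tmp"
}

# Stand-alone run: dry run, then delete, then report what survived.
sample=$(demo_archives)
echo "would delete:"; prune_wazuh_archives "$sample" 365
prune_wazuh_archives "$sample" 365 --delete >/dev/null
echo "rotated files left: $(count_rotated "$sample")"
rm -rf "$sample"
```

Replacing 365 with any other number of days gives a different retention window; the dry run prints exactly the set that --delete would remove.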

Atul Chadha

Jul 29, 2022, 6:20:36 AM
to Wazuh mailing list
I have crons to remove old logs; I was wondering if we can remove it.

Thank you for your assistance! Appreciate it.

Abdullah Al Rafi Fahim

Jul 29, 2022, 6:47:15 AM
to Wazuh mailing list
Hello Atul,

You are always welcome! If you have any queries, feel free to ask anytime.

Atul Chadha

Aug 3, 2022, 10:28:03 PM
to Wazuh mailing list
Hi Abdullah,
Sorry to bother you again on this; I need some clarification on internal log rotation. Is there a way to force the archive files to be created based on size / duration?
I do see options for it in ossec.conf, however they don't seem to have an effect.


Dhaval

Jan 3, 2024, 8:27:54 AM
to Wazuh | Mailing List
Hello Abdullah,
I'm suffering through a similar situation.

1: I want to store a backup of 2.5 years of Wazuh's logs.

2: I also took a backup of those files from /var/ossec/logs/archives, but how can I see those log files (how do I restore those logs)?
