I want to backup and alerts logs from Wazuh


Le Sok

Jun 24, 2024, 10:18:41 PM (8 days ago) Jun 24
to Wazuh | Mailing List
Hello everyone,
My problem is full shards. How can I save the shards, back them up to storage, and delete the shards on the Wazuh manager to fix the problem?
Please guide me on how to back up shards.
Best regards.

Stuti Gupta

Jun 24, 2024, 10:44:09 PM (8 days ago) Jun 24
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

Jun 25, 2024, 12:46:12 AM (8 days ago) Jun 25
to Wazuh | Mailing List
Shards are containers that hold documents within an index, which is a collection of related documents. These shards distribute the documents across different locations to manage data efficiently and ensure redundancy. By managing indices and leveraging backups, you can secure and ensure the redundancy of your Wazuh data without needing to directly handle individual shard locations.

Indices Snapshot

You can snapshot Wazuh indices. A snapshot is a backup taken from a running Indexer cluster. You can take snapshots of the entire cluster, including all or any of its indices.
It is important to note that snapshots are incremental; a newer snapshot of an index will only store information that is not part of the previous one, reducing overhead. You can also delete or reallocate unassigned shards first before taking the snapshot. For more information, refer to https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html.

To sort out shards by deleting or reallocating unassigned ones:
1. Check Indexer Cluster Health:
This will provide useful information like Cluster Name, Cluster Status, Number of Nodes, Active Primary Shards, Active Shards, Relocating Shards, and Unassigned Shards (e.g., 219).
curl -XGET -k -u user:pass "https://localhost:9200/_cluster/health"
2. Check All Indexer Unassigned Shards:
Find the name and current state of unassigned shards with:
curl -XGET -k -u admin:admin "https://localhost:9200/_cat/shards?h=index,shard,state,prirep,unassigned.reason" | grep UNASSIGNED
3. Delete Unassigned Shards:
Use the following command to delete unassigned shards:
# column 1 of _cat/shards is the index name, so this issues one DELETE per index that has an UNASSIGNED shard
curl -k -XGET -u user:pass "https://<indexer_ip>:9200/_cat/shards" | grep UNASSIGNED | awk '{print $1}' | sort -u | xargs -I {} curl -k -XDELETE -u user:pass "https://<indexer_ip>:9200/{}"
For more details, refer to https://www.cyberithub.com/how-to-delete-elasticsearch-unassigned-shards/

Additionally, you can add an indexer node, thus maximizing the potential of Wazuh to effectively monitor and protect your growing IT infrastructure. Adding a new node to the Wazuh indexer cluster can enhance the capacity and resilience of the security monitoring infrastructure: https://documentation.wazuh.com/current/user-manual/upscaling/adding-indexer-node.html


Hope this helps
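The three steps in the reply above can be turned into a reviewable plan instead of a pipeline that deletes on sight. The following is an added example for this thread (not a Wazuh script and not code from the reply): it takes the two API responses (constructed samples here; in a live run, the bodies returned by the two curl commands) and, for each index with unassigned shards, says whether a primary copy is actually missing. When only replicas are unassigned, which is the normal state on a single-node cluster that has nowhere to place them, the data is intact and setting the index to zero replicas fixes the health status without deleting anything.

```python
"""Triage _cluster/health and _cat/shards output before deleting anything.

Added example for this thread (not a Wazuh script). The sample responses
below are constructed; a live run would feed it the bodies returned by the
two curl commands from the reply.
"""
import json
from collections import defaultdict

# Constructed sample: _cluster/health for a one-node cluster that is red.
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "wazuh-cluster", "status": "red", "timed_out": False,
    "number_of_nodes": 1, "number_of_data_nodes": 1,
    "active_primary_shards": 65, "active_shards": 65,
    "relocating_shards": 0, "initializing_shards": 0,
    "unassigned_shards": 3,
})

# Constructed sample: _cat/shards?h=index,shard,prirep,state,unassigned.reason
# (the reason column is empty for STARTED shards).
SAMPLE_SHARDS = """\
wazuh-alerts-4.x-2024.06.24   0 p STARTED
wazuh-alerts-4.x-2024.06.23   0 p UNASSIGNED NODE_LEFT
wazuh-alerts-4.x-2024.06.23   1 r UNASSIGNED NODE_LEFT
wazuh-archives-4.x-2024.06.20 0 r UNASSIGNED INDEX_CREATED
wazuh-monitoring-2024.25w     0 p STARTED
"""


def unassigned_count(health_json):
    """Step 1: the unassigned_shards counter from _cluster/health."""
    return int(json.loads(health_json)["unassigned_shards"])


def unassigned_by_index(cat_shards):
    """Step 2: group UNASSIGNED rows as {index: [(shard, prirep, reason)]}."""
    grouped = defaultdict(list)
    for line in cat_shards.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != "UNASSIGNED":
            continue
        reason = fields[4] if len(fields) > 4 else ""
        grouped[fields[0]].append((int(fields[1]), fields[2], reason))
    return dict(grouped)


def shard_plan(health_json, cat_shards, base_url="https://localhost:9200"):
    """Step 3, as a plan rather than an action.

    Returns [] when health reports no unassigned shards (which is why the
    grep pipeline in the thread prints nothing). For each affected index it
    records whether a *primary* copy is missing: the awk|xargs pipeline
    deletes the whole index, which is only safe when a snapshot exists.
    When only replicas are unassigned the data is intact and dropping the
    replicas is enough.
    """
    if unassigned_count(health_json) == 0:
        return []
    plan = []
    for index, shards in sorted(unassigned_by_index(cat_shards).items()):
        replicas_only = all(prirep == "r" for _, prirep, _ in shards)
        plan.append({
            "index": index,
            "shards": len(shards),
            "reasons": sorted({r for _, _, r in shards}),
            "action": "reduce_replicas" if replicas_only else "delete",
            "url": f"{base_url}/{index}" + ("/_settings" if replicas_only else ""),
        })
    return plan


if __name__ == "__main__":
    for step in shard_plan(SAMPLE_HEALTH, SAMPLE_SHARDS):
        if step["action"] == "delete":
            print(f"DELETE {step['url']}  # {step['shards']} shard(s) "
                  f"{step['reasons']}; primary lost, snapshot first")
        else:
            print(f"PUT {step['url']}  "
                  '{"index":{"number_of_replicas":0}}  # replicas only')
```

Running it on the samples prints one DELETE for wazuh-alerts-4.x-2024.06.23 (its primary shard 0 is gone) and one settings update for wazuh-archives-4.x-2024.06.20 (only a replica is missing), which is the distinction the grep|awk|xargs pipeline does not make.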

Le Sok

Jun 25, 2024, 3:00:40 AM (8 days ago) Jun 25
to Wazuh | Mailing List
Do you have any command to run in Dev Tools? Because when I run it in the CLI, it looks like it doesn't work.
(attached screenshot: 2024-06-25_13-57-24.png)
How do I check the IP in the indexer and Elasticsearch?

Stuti Gupta

Jun 27, 2024, 6:43:14 AM (6 days ago) Jun 27
to Wazuh | Mailing List
Hi Le Sok,

Your command is working fine. You are not getting any results because you don't have unassigned shards. To check, you first need to run the Indexer Cluster Health command. This will provide useful information like Cluster Name, Cluster Status, Number of Nodes, Active Primary Shards, Active Shards, Relocating Shards, and Unassigned Shards (e.g., 219).

curl -XGET -k -u user:pass "https://localhost:9200/_cluster/health"
The output will look like this:
{
  "cluster_name": "wazuh-cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 68,
  "active_shards": 68,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100.0
}
The "unassigned_shards": 0 part is the number of unassigned shards. If this is 0, the second command will not give any output, since the second command is for finding the name and current state of unassigned shards.

You can find the Indexer IP in the Filebeat config file, for example:
output.elasticsearch.hosts:
  - 127.0.0.1:9200

Also, to free up space, you can manually delete old indices:
It is necessary to delete old indices if they are of no use. First, check which indices are stored in the environment; the following API call can help:
GET _cat/indices
Then, delete the indices that are not needed or are older. Bear in mind that these cannot be retrieved unless there are backups of the data, either using snapshots or Wazuh alerts backups.
The API call to delete indices is:
DELETE <index_name>
Or the CLI command:
# curl -k -u admin:admin -XDELETE https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-YYYY.MM.DD
You can use wildcards (*) to delete more indices in one query.

Hope this helps 

Le Sok

Jun 30, 2024, 9:28:15 PM (2 days ago) Jun 30
to Wazuh | Mailing List
I don't understand. Do I need to back up all of this or not?
I see a lot of these. How do I delete 10 or 20 indices at once?
How can I view these indices?
(attached screenshot: 2024-07-01_8-26-30.png)
Best regards

Stuti Gupta

Jul 2, 2024, 5:42:37 AM (22 hours ago) Jul 2
to Wazuh | Mailing List
If you need them in the future, you can back them up using this documentation: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/migrating-wazuh-indices.html.
For deleting these indices, you can refer to the following solutions:

Solution 1: ILM policies
In the Wazuh Indexer, you have to set the days for how long you want to keep data in the hot state (fast-access data that requires more RAM), the cold state (slower-access data that requires less RAM), and the deletion state. An example would be 30 days before moving hot data to the cold state and 360 days before sending data to the deletion state.
After the creation of the retention policy, you must apply it to the existing indices (wazuh-alerts-* and/or wazuh-archives-*) and also add the Wazuh template to it so that new indices (which are created every day) are also included in the retention policy. All of this is well explained in our blog.
You can check the retention policies in:
Indexer Management >> Index Management >> Policy managed indices
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html

Solution 2: Using commands:


It is necessary to delete old indices if they are of no use. First, check which indices are stored in the environment; the following API call can help:
GET _cat/indices
Then, delete the indices that are not needed or are older. Bear in mind that these cannot be retrieved unless there are backups of the data, either using snapshots or Wazuh alerts backups.
The API call to delete indices is:
DELETE <index_name>
Or the CLI command:
# curl -k -u admin:admin -XDELETE https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-YYYY.MM.DD
You can use wildcards (*) to delete more indices in one query.


Hope this helps 
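The two solutions above (a retention policy, or deleting dated indices by hand) can be tied together: the question in the thread was how to remove 10 or 20 indices at once without a wildcard sweeping up something unintended. The following is an added example for this thread, not Wazuh code and not from the reply. It picks the wazuh-alerts-4.x-YYYY.MM.DD indices that are older than a retention window from a `GET _cat/indices?h=index` listing (constructed sample here), emits the per-index curl commands in the form used above, and builds the equivalent policy body for the OpenSearch Index State Management API (`PUT _plugins/_ism/policies/<policy_id>`), which the OpenSearch-based Wazuh indexer exposes. The policy uses a single hot -> delete transition instead of the hot/cold/delete chain described in Solution 1, to keep the example short.

```python
"""Retention for daily Wazuh indices: list what is past the window, emit the
per-index DELETE commands used in the thread, and build the matching ISM policy.

Added example for this thread, not Wazuh code. The index listing, the date
and the retention period are constructed.
"""
import re
from datetime import date, timedelta

# Daily Wazuh indices end in YYYY.MM.DD, as in the curl command above.
DAILY = re.compile(r"^(wazuh-(?:alerts|archives)-4\.x)-(\d{4})\.(\d{2})\.(\d{2})$")

# Constructed sample: first column of `GET _cat/indices?h=index`.
SAMPLE_INDICES = """\
wazuh-alerts-4.x-2024.05.20
wazuh-alerts-4.x-2024.06.01
wazuh-alerts-4.x-2024.06.30
wazuh-alerts-4.x-2024.07.01
wazuh-archives-4.x-2024.05.20
wazuh-monitoring-2024.26w
.opendistro_security
"""
SAMPLE_TODAY = date(2024, 7, 2)  # constructed "today" for the sample run


def index_day(name):
    """Date encoded in a daily Wazuh index name, or None for other indices."""
    m = DAILY.match(name)
    if m is None:
        return None
    return date(int(m.group(2)), int(m.group(3)), int(m.group(4)))


def expired_indices(cat_indices, today, retention_days, prefix="wazuh-alerts-4.x"):
    """Indices under `prefix` whose day is older than `retention_days`.

    Only dated indices are considered, so system indices such as
    .opendistro_security can never be selected by mistake.
    """
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for line in cat_indices.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        day = index_day(name)
        if day is not None and name.startswith(prefix) and day < cutoff:
            expired.append(name)
    return sorted(expired)


def delete_commands(indices, host="<WAZUH_INDEXER_IP>", user="admin:admin"):
    """One curl per index, in the CLI form used in the thread.

    An explicit list is preferable to a wildcard: it can be reviewed before
    it is run and cannot match an index created in the meantime.
    """
    return [f"curl -k -u {user} -XDELETE https://{host}:9200/{i}" for i in indices]


def ism_policy(retention_days, patterns=("wazuh-alerts-*",)):
    """Body for PUT _plugins/_ism/policies/<policy_id> (OpenSearch ISM).

    New indices matching `patterns` enter `hot`; after min_index_age they
    move to `delete`, whose only action removes the index. Existing indices
    are attached separately with POST _plugins/_ism/add/<pattern>.
    """
    return {"policy": {
        "description": f"Delete Wazuh indices older than {retention_days} days",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": f"{retention_days}d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": list(patterns), "priority": 100}],
    }}


if __name__ == "__main__":
    import json
    old = expired_indices(SAMPLE_INDICES, SAMPLE_TODAY, retention_days=30)
    print("\n".join(delete_commands(old)))
    print(json.dumps(ism_policy(30), indent=2))
```

With a 30-day window and the sample date, only the two May/early-June alerts indices are selected; the archives index is left alone unless the prefix is changed, and the weekly monitoring and security indices never match the date pattern. Once the ISM policy is in place, the manual deletes are only needed for the backlog that predates it.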