Hello Devsec,
To clarify, yes, you are correct: the wazuh server stores the alert information and archives; it also handles agent connection and the enrollment service and stores their data, while it also contains configuration files like the ossec, rules, lists and decoders. Filebeat also resides with the wazuh server and is responsible for connecting to/shipping alerts to the wazuh indexer for indexing. Rule matching and decoding are also handled by the wazuh manager.
As for the wazuh indexer, think of it as the analytics engine. All the events and alerts triggered by the rules on the wazuh server are sent to and indexed on the wazuh indexer, so when you search and comb through logs on the dashboard, the indexer is what makes that happen, because it contains the indices.
You can run this on the wazuh indexer to see the indices present:

curl -k -u admin:indexer-pass -X GET "https://localhost:9200/_cat/indices?v"
The indexer is also responsible for the storage of those indices / raw data events. When you see things like:

- wazuh-alerts-* (alerts generated by Wazuh rules; the main searchable data),
- wazuh-statistics-* (internal Wazuh stats: EPS, queue load, etc.),
- wazuh-states-* (Syscollector, vulnerability inventory, system info),

these are some of the things that reside on the wazuh indexer.
The indexer stores all historical, queryable event data that powers dashboards, searches, and analytics, which makes it very powerful and key in the wazuh instance.
You can find more information about the wazuh components in the documentation below and the roles they play.
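An added example, not part of the original reply, that parses the `_cat/indices?v` listing the reply shows how to fetch and groups it by the wazuh-alerts-*, wazuh-statistics-* and wazuh-states-* families so you can confirm alerts are actually landing in the indexer. The listing embedded below is constructed for the example (made-up uuids, counts and sizes), not real indexer output.

```python
"""Group a Wazuh indexer `_cat/indices?v` listing by Wazuh index family."""

# Constructed sample of what `curl -k -u admin:<pass> "https://localhost:9200/_cat/indices?v"`
# prints; uuids, document counts and sizes are made up for this example.
SAMPLE_CAT_INDICES = """\
health status index                        uuid                 pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2024.05.01  AbC123xyzAbC123xyzAb   3   0      12045            0     18.2mb         18.2mb
green  open   wazuh-alerts-4.x-2024.05.02  DeF456uvwDeF456uvwDe   3   0       9871            0     15.9mb         15.9mb
yellow open   wazuh-statistics-2024.18w    GhI789rstGhI789rstGh   1   1        420            0    512.3kb        512.3kb
green  open   wazuh-states-vulnerabilities JkL012opqJkL012opqJk   1   0       3310            2      4.1mb          4.1mb
green  open   .opendistro_security         MnO345lmnMnO345lmnMn   1   0         10            0     60.4kb         60.4kb
"""

# Index-name prefixes the reply describes; anything else is treated as internal.
FAMILIES = ("wazuh-alerts-", "wazuh-statistics-", "wazuh-states-")

# Worse health sorts higher so a family reports its worst index.
HEALTH_ORDER = {"green": 0, "yellow": 1, "red": 2}


def parse_cat_indices(text):
    """Turn the whitespace-separated `_cat/indices?v` table into one dict per index."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def summarize_by_family(rows):
    """Per family: number of indices, total docs, and the worst health seen."""
    summary = {}
    for row in rows:
        family = next((f for f in FAMILIES if row["index"].startswith(f)), None)
        if family is None:
            continue  # e.g. the security plugin's own index
        entry = summary.setdefault(family, {"indices": 0, "docs": 0, "health": "green"})
        entry["indices"] += 1
        entry["docs"] += int(row["docs.count"])
        if HEALTH_ORDER[row["health"]] > HEALTH_ORDER[entry["health"]]:
            entry["health"] = row["health"]
    return summary


if __name__ == "__main__":
    for family, info in summarize_by_family(parse_cat_indices(SAMPLE_CAT_INDICES)).items():
        print(f"{family:<20} indices={info['indices']} docs={info['docs']} health={info['health']}")
```

Pipe real `_cat/indices?v` output into `parse_cat_indices` instead of the sample to check a live indexer; a family with zero docs or red health is the first thing to look at when the dashboard shows no alerts.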