Observation on Disk Consumption Pattern and Log Rotation

[Chandra pal singh Chauhan]

Dear Team,

We have observed a gradual increase in disk consumption over time, followed by a sudden drop during log rotation.

Could you please help us understand this pattern and advise on how we can effectively manage or mitigate it?

Looking forward to your guidance.

Regards,

Chandra

[Olamilekan Abdullateef Ajani]

Hello Chandra,

What you are seeing is normal for logs being ingested and rotated/cleaned up, removed, or compressed. Which explains why the graph looks like a repeated up-and-down pattern.

To manage it better, I would suggest tightening your retention policy (especially if you have archives turned on, you can disable it), making sure your index lifecycle is set to delete old indices, and reducing any noisy logs if possible. If the log volume is high, you may also need to increase disk size or scale the indexer (by adding more nodes).
You can also manually delete the old compressed archives in /var/ossec/logs/archives/ and alerts and tag them with a crontab.

find /var/ossec/logs/archives/ -type f -mtime +7 -delete
find /var/ossec/logs/alerts/ -type f -mtime +7 -delete

Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html

[Chandra pal singh Chauhan]

Hello Olamilekan,

Thanks for the response and help.

I have already disabled the archive and delete all the log files and now i think only one way which is increase disk size so i tried to increase disk.

Regards,

Chandra

[Olamilekan Abdullateef Ajani]

Hello Chandra,

Per the last conversation, I would like to follow up on this. Were you able to increase the disk size, and was the issue resolved?

Please let me know if you require further assistance on this.

Regards,

[Chandra pal singh Chauhan]

Hello  Olamilekan

we have increase the disk size and server is now optimize.