Observation on Disk Consumption Pattern and Log Rotation

[Chandra pal singh Chauhan]

Dear Team,

We have observed a gradual increase in disk consumption over time, followed by a sudden drop during log rotation.

Could you please help us understand this pattern and advise on how we can effectively manage or mitigate it?

Looking forward to your guidance.

Regards,

Chandra

[Olamilekan Abdullateef Ajani]

Hello Chandra,

What you are seeing is normal for logs being ingested and rotated/cleaned up, removed, or compressed. Which explains why the graph looks like a repeated up-and-down pattern.

To manage it better, I would suggest tightening your retention policy (especially if you have archives turned on, you can disable it), making sure your index lifecycle is set to delete old indices, and reducing any noisy logs if possible. If the log volume is high, you may also need to increase disk size or scale the indexer (by adding more nodes).
You can also manually delete the old compressed archives in /var/ossec/logs/archives/ and alerts and tag them with a crontab.

find /var/ossec/logs/archives/ -type f -mtime +7 -delete
find /var/ossec/logs/alerts/ -type f -mtime +7 -delete

Ref:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html