Wazuh indexer full


360 ALLROUND

Sep 5, 2023, 6:20:54 AM
to Wazuh | Mailing List
Hi Team, 

Hope you are doing well. 

Currently my Wazuh indexer is full with only 24 days of alerts. I am pretty much familiar with clearing the indexer and adding policies. 

But previously my Wazuh indexer would get full only after 3 months but currently this size is reduced to 24 days. So this means that alerts before that 24 days won't be showing every time I clear the indexer. 

May I know how to increase this size to months? I also have enough available storage of 282GB and have also cleared some logs in wazuh-indexer. 

Please check the logs that I have attached below and let me know the steps needed to increase the indexer size showing in the console. 

-Regards 
  Ruben 
IMG-20230905-WA0000.jpg
IMG-20230905-WA0001.jpg
IMG-20230905-WA0002.jpg

Othniel Ebolum

Sep 5, 2023, 7:08:18 AM
to Wazuh | Mailing List
Dear customer,

Thank you for contacting Wazuh.

To address the issue of your Wazuh indexer filling up faster than before, you can take the following steps:

Firstly, configure retention policies to automatically remove logs after a specified period. This approach ensures that alerts are retained for your desired duration while automating the log management process.

While clearing the Wazuh-alerts logs is a good practice, it's also crucial to extend your efforts to clear logs from other index types, as they can occupy a significant amount of disk space. Specifically, focus on removing logs from the wazuh-monitoring-* and wazuh-statistics-* indices.

Finally, it's essential to regularly monitor your system's disk space usage and log retention to proactively address any potential storage challenges. This proactive approach ensures your Wazuh setup remains efficient and effective in the long run.

Regards,
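
As an added example (not part of the original reply): the wazuh-monitoring-* and wazuh-statistics-* names in the reply above are indices inside the Wazuh indexer, which its `_cat/indices` API lists along with their size. This Python sketch parses a constructed sample of that output and reports, per index family, how much space is held by indices older than a chosen retention window; the sample rows, daily index naming and the function name `plan_retention` are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of: GET _cat/indices/wazuh-*?h=index,store.size&bytes=b
# (index names and sizes are invented; daily index rotation is assumed)
SAMPLE_CAT_INDICES = """\
wazuh-alerts-4.x-2023.05.01 9000000000
wazuh-alerts-4.x-2023.08.20 8000000000
wazuh-alerts-4.x-2023.09.04 7000000000
wazuh-monitoring-2023.05.01 300000000
wazuh-monitoring-2023.09.04 200000000
wazuh-statistics-2023.04.15 50000000
wazuh-statistics-2023.09.04 40000000
"""

# Family name, then a trailing YYYY.MM.DD date stamp
DATE_SUFFIX = re.compile(r"^(?P<family>.+?)-(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})$")


def plan_retention(cat_output, today, keep_days):
    """Group indices by family and list those older than keep_days."""
    cutoff = today - timedelta(days=keep_days)
    plan = defaultdict(lambda: {"total_bytes": 0, "expired": [], "expired_bytes": 0})
    for line in cat_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed rows
        name, size = parts[0], int(parts[1])
        m = DATE_SUFFIX.match(name)
        if not m:
            continue  # not a date-stamped index, leave it alone
        created = date(int(m["y"]), int(m["m"]), int(m["d"]))
        entry = plan[m["family"]]
        entry["total_bytes"] += size
        if created < cutoff:
            entry["expired"].append(name)
            entry["expired_bytes"] += size
    return dict(plan)


if __name__ == "__main__":
    # 120 days approximates the four months of alerts asked for in the thread
    for family, e in plan_retention(SAMPLE_CAT_INDICES, date(2023, 9, 5), 120).items():
        print(f"{family}: {e['total_bytes']} bytes total, "
              f"{e['expired_bytes']} bytes past retention -> {e['expired']}")
```

The script only reports candidates; the retention policy the reply describes is what actually removes them.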

360 ALLROUND

Sep 7, 2023, 2:46:29 AM
to Wazuh | Mailing List
Hi Othniel, 

Thanks for your reply. 

However, I have enough disk space of 218gb already left on my server. I want to know how the indexer is getting full irrespective of the server size. 

I also checked these names on my Linux server "wazuh-monitoring-*, wazuh-statistics-*" but couldn't find any location linked to this. 

If you can provide any file path where the logs need to be cleared which will make the indexer size to store logs for 4 months that would be helpful. 

-Regards 
 Ruben 

360 ALLROUND

Sep 12, 2023, 4:14:57 AM
to Wazuh | Mailing List
Hi Team, 

Is there any update on this? 

-Regards 
  Ruben 
