alerts.log and alerts.json


Bilal Al-saghier

Jan 20, 2023, 10:10:31 AM
to Wazuh mailing list
Hello Wazuh team!

What's the difference between the alerts.log and alerts.json files, and why do we need to store both? I understand that keeping log files in the backend is necessary for backup purposes and to be compliant with global security standards. My question is whether there's any point in storing the .log files, so that we can delete them to free up space and only keep the .json files, assuming this will fulfil the need for backup and compliance.

Thanks a lot!
Bilal

Emiliano Zorn

Jan 20, 2023, 12:15:53 PM
to Wazuh mailing list
Hello Bilal! Hope you are well.


Both alerts and non-alert events are stored in files on the Wazuh server, in addition to being sent to the Wazuh indexer. These files can be written in JSON format (.json) or plain text format (.log). These files are compressed daily and signed using MD5, SHA1, and SHA256 checksums.
  • The file /var/ossec/logs/archives/archives.json contains all events whether they tripped a rule or not.
  • The file /var/ossec/logs/alerts/alerts.json contains only events that tripped a rule with high enough priority (the threshold is configurable).


However, you may choose to dispense with storing archive files and simply rely on the Wazuh indexer for archive storage.
To achieve this, you have to disable the logging in the server's configuration (that is, ossec.conf). These are the options you have:
  • alerts_log
This toggles the writing of alerts to /var/ossec/logs/alerts/alerts.log.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#alerts-log


Warning

Disabling JSON and plain text formatted alerts simultaneously is not compatible with the integrator, syslog client or email features.



  • logall
This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.log.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall
  • logall_json
This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.json.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json
  • jsonout_output
This toggles the writing of JSON-formatted alerts to /var/ossec/logs/alerts/alerts.json which would include the same events that would be sent to alerts.log, only in JSON format.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#jsonout-output


Regards.
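The options above all live in the `<global>` block of ossec.conf. As an added example (not from the thread or from Wazuh itself), this POSIX shell snippet builds a constructed sample `<global>` block for the setup Bilal describes (JSON outputs kept, plain-text alerts off), reads single options back out of a config file, and checks that the warned-about combination (alerts_log and jsonout_output both "no") is not present. The helper names and the sample file path are assumptions; the "yes" defaults for alerts_log and jsonout_output are the documented ones.

```shell
#!/bin/sh
# Constructed sample <global> block: keep JSON alerts and archives, drop the
# plain-text copies. Not taken from the thread; written for this example.
make_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>no</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
EOF
}

# Print the value of one option inside <global>...</global>, falling back to
# the supplied default when the tag is absent (alerts_log and jsonout_output
# both default to "yes" in Wazuh, so an absent tag means "enabled").
global_option() {
  conf="$1"; name="$2"; default="$3"
  val=$(sed -n '/<global>/,/<\/global>/p' "$conf" \
        | sed -n "s/.*<$name>[[:space:]]*\([^<]*\)<\/$name>.*/\1/p" \
        | head -n1 | tr -d '[:space:]')
  [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# Return 0 when at least one alert output is still enabled, 1 when both are
# "no": that is the combination the documentation warns is incompatible with
# the integrator, syslog client and email features.
check_alert_outputs() {
  a=$(global_option "$1" alerts_log yes)
  j=$(global_option "$1" jsonout_output yes)
  if [ "$a" = "no" ] && [ "$j" = "no" ]; then
    echo "ERROR: alerts_log and jsonout_output are both 'no'" >&2
    return 1
  fi
  echo "OK: alerts_log=$a jsonout_output=$j"
  return 0
}

# Usage: write the sample to a temp file and check it (assumed path).
sample="${TMPDIR:-/tmp}/ossec-global-sample.conf"
make_sample_conf "$sample"
check_alert_outputs "$sample"
```

Point `check_alert_outputs` at /var/ossec/etc/ossec.conf before restarting the manager to confirm the plain-text change did not also switch off the JSON output.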

Bilal Al-saghier

Jan 21, 2023, 7:25:54 AM
to Wazuh mailing list
Hello Emiliano,

Thanks for your useful explanation! 

May you please elaborate more on this statement? 
"Warning | Disabling JSON and plain text formatted alerts simultaneously is not compatible with the integrator, syslog client or email features." I feel a bit confused about it. 
Please note that I don't want to disable the JSON-formatted alerts/archives, because they are essential to us for auditing and backup purposes. I only want to disable the plain-text logging of them, because I believe they are useless to me and are just consuming space! I just want to make sure that this won't impact anything.
 
Sincerely,
Bilal

moosemaimer

Jan 24, 2023, 11:35:38 AM
to Wazuh mailing list
The only thing I noticed by disabling the .log files and only having the .json ones, is that if a number of alerts generate email alerts at roughly the same time, the manager will no longer group them into a single email; they will all get a separate email. I keep them both on and my daily backup script deletes the .log.gz files and leaves the .json.gz ones.

Emiliano Zorn

Feb 3, 2023, 2:11:46 PM
to moosemaimer, Wazuh mailing list
Hello team!

Sorry for the late reply, I was on holiday and had not been able to attend to these matters.

Regarding your question, Bilal: you can disable plain-text logs without problems. I just attached the warning so you can keep in mind that you cannot disable both JSON and plain-text.

Regarding your question, Moosemaimer: maybe you have one of these configurations applied:

do_not_delay

This causes email alerts to be sent right away, rather than to be delayed for the purpose of batching multiple alerts together.

do_not_group

This disables the grouping of multiple alerts into the same email.



Hope this information helps.
Regards.



--

Emiliano Zorn

IT Security Engineer | Wazuh.inc

www.wazuh.com
