Remove unused index pattern
180 views
Skip to first unread message
Kirijan J
Nov 25, 2024, 10:27:56 PM11/25/24
to Wazuh | Mailing List
Hi Team,
Help me delete unused index pattern from dashboard. Seems i have two index pattern with different name. But same count of log in both index pattern.
i have attached my current index patern list from my dashboard.
Thanks,
Kirijan J
swaroop....@wazuh.com
Nov 25, 2024, 11:59:56 PM11/25/24
to Wazuh | Mailing List
Hi Kirijan J,
The index patterns which you are seeing are created as per your configuration. Even though the count is same on these index pattern, they serve different purpose.
An index is a collection of documents that relate to each other. The Wazuh indexer uses indices to store and organize security data for fast retrieval. Wazuh uses the following index patterns to store this data:
- wazuh‑alerts-*: This is the index pattern for alerts generated by the Wazuh server.
- wazuh‑archives-*: This is the index pattern for all events sent to the Wazuh server.
- wazuh‑monitoring-*: This is the index pattern for the status of the Wazuh agents.
- wazuh‑statistics-*: This is the index pattern for statistical information of the Wazuh server.
- wazuh-states-vulnerabilities-*: - This is the index pattern for information about vulnerabilities detected in the endpoints being monitored.
Please refer Wazuh indexer indices for more information.
Please refer Password management for information on getting wazuh api username and password
Let me inform you that you cannot delete the files directly. You can remove the unwanted indices by doing the following:
* For checking indexes before deleting them, use:
curl -k -u <User>:<Password> -X GET https://<Wazuh-Indexer-IP>:9200/_cat/indices/wazuh-alerts-4.x-*?v
You’ll see something like this in return:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open wazuh-alerts-4.x-2024.11.19 819gIjqIQCSdnvvWO8E4DQ 1 0 468 0 616.2kb 616.2kb
green open wazuh-alerts-4.x-2024.11.20 ajB_eIaSTEWhNtaF7GgyRA 1 0 1 0 12kb 12kb
green open wazuh-alerts-4.x-2024.11.21 k2T_PLg0SPmtxBJlIfIU5Q 1 0 87 0 169.9kb 169.9kb
green open wazuh-alerts-4.x-2024.11.22 H7YFXIzBRzSg0vjs_axtNg 1 0 4 0 31.1kb 31.1kb
green open wazuh-alerts-4.x-2024.11.25 YuoQ4WRVRF2ycKrneUWTyA 1 0 1 0 12kb 12kb
green open wazuh-alerts-4.x-2024.11.26 h7qPTOB2Qsy0PL362eEBrg 1 0 9 0 69.7kb 69.7kb
* Once you identify the indexes you want to delete from the system, you can delete them one by one with the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/<index_name>
* If you want, for example, to delete all indexes from November 2024, you can run the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2024.11*
* If you want, for example, to delete all indexes from the whole year 2024, you can run the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2024*
Note: Please execute these commands with caution!
Once you have deleted the old unwanted indices, it is advised you automate the DB cleaning with a retention policy. Otherwise, the DB will store data until there’s no more available space left on the disk or you reach the maximum shards limit.
Take a look at Index lifecycle management
I hope this is helpful. Let us know if you need anything else.
Regards,
Swaroop
The index patterns which you are seeing are created as per your configuration. Even though the count is same on these index pattern, they serve different purpose.
An index is a collection of documents that relate to each other. The Wazuh indexer uses indices to store and organize security data for fast retrieval. Wazuh uses the following index patterns to store this data:
- wazuh‑alerts-*: This is the index pattern for alerts generated by the Wazuh server.
- wazuh‑archives-*: This is the index pattern for all events sent to the Wazuh server.
- wazuh‑monitoring-*: This is the index pattern for the status of the Wazuh agents.
- wazuh‑statistics-*: This is the index pattern for statistical information of the Wazuh server.
- wazuh-states-vulnerabilities-*: - This is the index pattern for information about vulnerabilities detected in the endpoints being monitored.
Please refer Wazuh indexer indices for more information.
Please refer Password management for information on getting wazuh api username and password
Let me inform you that you cannot delete the files directly. You can remove the unwanted indices by doing the following:
* For checking indexes before deleting them, use:
curl -k -u <User>:<Password> -X GET https://<Wazuh-Indexer-IP>:9200/_cat/indices/wazuh-alerts-4.x-*?v
You’ll see something like this in return:
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open wazuh-alerts-4.x-2024.11.19 819gIjqIQCSdnvvWO8E4DQ 1 0 468 0 616.2kb 616.2kb
green open wazuh-alerts-4.x-2024.11.20 ajB_eIaSTEWhNtaF7GgyRA 1 0 1 0 12kb 12kb
green open wazuh-alerts-4.x-2024.11.21 k2T_PLg0SPmtxBJlIfIU5Q 1 0 87 0 169.9kb 169.9kb
green open wazuh-alerts-4.x-2024.11.22 H7YFXIzBRzSg0vjs_axtNg 1 0 4 0 31.1kb 31.1kb
green open wazuh-alerts-4.x-2024.11.25 YuoQ4WRVRF2ycKrneUWTyA 1 0 1 0 12kb 12kb
green open wazuh-alerts-4.x-2024.11.26 h7qPTOB2Qsy0PL362eEBrg 1 0 9 0 69.7kb 69.7kb
* Once you identify the indexes you want to delete from the system, you can delete them one by one with the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/<index_name>
* If you want, for example, to delete all indexes from November 2024, you can run the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2024.11*
* If you want, for example, to delete all indexes from the whole year 2024, you can run the following command:
curl -k -u <User>:<Password> -X DELETE https://<Wazuh-Indexer-IP>:9200/wazuh-alerts-4.x-2024*
Note: Please execute these commands with caution!
Once you have deleted the old unwanted indices, it is advised you automate the DB cleaning with a retention policy. Otherwise, the DB will store data until there’s no more available space left on the disk or you reach the maximum shards limit.
Take a look at Index lifecycle management
I hope this is helpful. Let us know if you need anything else.
Regards,
Swaroop
Kirijan J
Nov 26, 2024, 2:15:04 AM11/26/24
to Wazuh | Mailing List
Hi Swaroop,
Thanks for the response.
I need to remove wazuh-alert-4.x* from explorer > discover (index pattern) in wazuh dashboard. Prevously it's not available.
For dashboard related issue i have reached your support. As per their suggestion i have execute the Custom_dashboard.ndjson. After that only it was added. please refer the chat.
Thanks,
Kirijan J
Kirijan J
Nov 29, 2024, 8:50:31 AM11/29/24
to Wazuh | Mailing List
Any update on this....
swaroop....@wazuh.com
Dec 3, 2024, 3:34:56 AM12/3/24
to Wazuh | Mailing List
Hi Kirijan,
Wazuh has provided API and WebUI access to better manage the indices.
Note: Please remember that you cannot recover the data once deleted.
You will prompted again to delete index pattern, click on delete button to delete the index pattern.
You will be prompted again to confirm for deletion, type delete and hit Delete button.
You will also get a confirmation message at the right bottom of the screen.
Wazuh has provided API and WebUI access to better manage the indices.
Note: Please remember that you cannot recover the data once deleted.
If you would like to delete any index pattern from Wazuh UI, you can by simply navigating to Hamburger Menu > Dashboards Management > Dashboards Management > Index Patterns > click on the pattern you would like to delete.
Select the Delete icon on the right top corner.
You will prompted again to delete index pattern, click on delete button to delete the index pattern.
If you would like to delete any index from Wazuh UI, you can by simply navigating to Hamburger Menu > Indexer Management > Indexes. Select the Index you would like to delete by checking the checkbox before the index name, click on Actions button and select Delete option.
You will be prompted again to confirm for deletion, type delete and hit Delete button.
You will also get a confirmation message at the right bottom of the screen.
I hope this is helpful.
Regards,
Swaroop
Swaroop
Kirijan J
Dec 3, 2024, 6:29:03 AM12/3/24
to Wazuh | Mailing List
Thanks Swaroop...
Reply all
Reply to author
Forward
0 new messages