Wazuh Archive:
When a log/event is forwarded from an endpoint to the Wazuh manager, the manager compares the log against its rules. If the log trips a rule and triggers an alert, the alert is saved in alerts.log. Wazuh does not save any raw logs that are forwarded from the endpoints.
When the archive log is enabled, Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server. You can enable them if needed.
Data retention in Wazuh:
Data in Wazuh is stored at two levels.
Wazuh-manager level: The Wazuh manager saves data for alert logs and archive logs in the following folders:
/var/ossec/logs/alerts/Year/Mon/
/var/ossec/logs/archives/Year/Mon/
There is no retention policy for these logs. Wazuh does not delete any of the logs unless you delete them manually.
Indexer level:
Wazuh also saves logs at the index level. By default, archive logs do not have indices. You can configure indices for archive logs by following this guide:
https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#visualizing-the-events-on-the-dashboard
You can go to Index Management > Indices to check those indices.
You can follow this document to set up log retention at the index level.
Let me know if you need any further information.
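
Because the manager applies no retention policy to the alerts and archives folders, cleanup there has to be scripted. The following is an added example, not part of the original reply or Wazuh's own tooling: a shell function that prunes files under the Year/Mon folders older than a given number of days, listing them without deleting unless told to. The function name and the 90-day value are assumptions, and `-mindepth`/`-maxdepth` require GNU or BSD find.

```shell
#!/bin/sh
# Added example: prune Wazuh manager logs older than N days.
# Layout assumed from the paths above: <base>/<Year>/<Mon>/<files>.

# prune_wazuh_logs BASE_DIR DAYS [delete]
# Prints each matching file; removes it only when the third argument is "delete".
prune_wazuh_logs() {
    base=$1
    days=$2
    mode=${3:-dry-run}

    # Accept only a positive integer so a typo cannot widen the match.
    case $days in
        ''|*[!0-9]*) echo "days must be a positive integer" >&2; return 2 ;;
    esac
    [ "$days" -gt 0 ] || { echo "days must be > 0" >&2; return 2; }
    [ -d "$base" ] || { echo "no such directory: $base" >&2; return 2; }

    # Depth 3 limits the match to <base>/Year/Mon/<file>, so files sitting
    # directly under the base folder are never touched.
    if [ "$mode" = "delete" ]; then
        find "$base" -mindepth 3 -maxdepth 3 -type f -mtime +"$days" \
            -print -exec rm -f -- {} \;
    else
        find "$base" -mindepth 3 -maxdepth 3 -type f -mtime +"$days" -print
    fi
}

# Example (run as a user allowed to write to /var/ossec/logs):
#   prune_wazuh_logs /var/ossec/logs/alerts 90            # list only
#   prune_wazuh_logs /var/ossec/logs/archives 90 delete   # list and remove
```

Run it without `delete` first and review the list, then schedule the `delete` form from cron once the retention period matches your policy.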