Server storage is Full

[Usman Ali]

Hi,

   I am facing a problem for few days my wazuh server storage is full

what should I do?

Can someone explain me in simple steps?

ASAP

I even not be able to upgrade

[Chema Martinez]

Hi,

Thanks for using Wazuh.

First of all, could you tell me if your storage issue is in the manager? And also, how much space is dedicated to the Wazuh installation?

As you can see in the documentation, an average estimation is included.

https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html?

In a Wazuh manager, the storage depends on the number of agents reporting to that manager as well as the things that are being monitored for those agents. In particular, we can differentiate in the following:

• Agents databases: a SQLite database is created for each monitored agent where reports are stored from modules such as FIM, SCA, or Vulnerability Detector. They are located at /var/ossec/queue/db.
• On the other hand, alerts are stored at /var/ossec/logs/alerts. The number of generated alerts depends on the monitored activity of the agents.

To find out what can be the cause of your storage issue, could you please run the following command and share the output?

 # du -h --exclude=framework /var/ossec

Thank you in advance!

[Usman Ali]

Hi Chema,

            Thanks for the  quick response, I have attached  the output file for command ( # du -h --exclude=framework /var/ossec)  and output 2 file for the command (df -h)in the text document, Kindly have a look at it and guide me accordingly.

Thanks in advnace

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/DtG8MLaOQQ8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f11f7499-a49a-4a7d-a62e-fbd32e23abf0n%40googlegroups.com.

[Chema Martinez]

Hi again,

Thank you for providing the requested information.

I see that the full Wazuh installation takes 2.5GB, this is a normal value when talking about a manager. The most relevant folders regarding the storage are:

• /var/ossec/logs (1.3GB) where all the logs and alerts are stored. Inside this folder, 990MB are occupied by rotated alerts (/var/ossec/logs/alerts) since August 2021. I suggest you to move these rotated files of alerts to a new location where you have more free space. In addition, if you don't need to keep these old alerts, you can remove them periodically as well.
• /var/ossec/queue (1.2GB) where the heaviest file is the vulnerability database located at /var/ossec/queue/vulnerabilities/cve.db, this is the database where all the vulnerabilities are indexed to perform the vulnerability scan against the agents. If you want to free this space you need to disable the Vulnerability Detector module in the manager's configuration and delete that database. However, this will make it impossible to scan the packages installed on the agents for vulnerabilities.

As I told you before, 2.5GB is a normal size of a Wazuh manager installation. I suggest you try to increase the size of that disk where Wazuh is installed.

I hope this helps!

Best regards,

Chema.

[susui]

Hao usma and  chema   I'm quite interested in this. I want to ask whether wazuh can delete unused logs automatically? to wazuh agent and wazuh manager? considering that maybe the server agent has a lot of logs and interferes with other processes

[Chema Martinez]

Hi Susui,

Wazuh is not able to delete rotated alerts automatically. Unfortunately, these files should be removed manually right now.

However, the rotated internal logs (ossec.log) are removed periodically, by default, logs are not kept for more than 30 days and you can modify this with the setting monitor.keep_log_days (https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#monitord).

Regards,

Chema.

[susui]

I just found this thanks for the information. I want to ask what are the steps to delete log files on wazuh agent? and wazuh manager?

[Chema Martinez]

You are welcome Susui!

Regarding the last question, the rotated files are not used by Wazuh anymore, they are only stored in case the user needs to keep a history of the alerts and logs from previous days.

If you want to remove these files you can just do it manually or create a script that removes them periodically.