Alerts Logs


German DiCasas

Jan 19, 2026, 11:14:06 AM (3 days ago) Jan 19
to Wazuh | Mailing List
Hi team,

I have Wazuh 4.14.1 and noticed that the files alerts.json and alerts.log under the path /var/ossec/log/ are duplicated under /var/ossec/log/2026/Dec/day. Is this correct? Why, or how does it work at the end of the day?

I attached a file; same size (-h).

Regards

German
sameFile.png

juanjos...@wazuh.com

Jan 19, 2026, 12:22:52 PM (3 days ago) Jan 19
to Wazuh | Mailing List

Hi German,

This is normal behavior. Here's what is happening:

Wazuh maintains logs in two locations simultaneously. First, you have the active logs in /var/ossec/logs/alerts/, which include alerts.json and alerts.log; these are the current day's alerts being written in real time. Second, you have the archived logs organized by year and month in /var/ossec/logs/alerts/YYYY/MMM/, which contain files like ossec-alerts-19.json and ossec-alerts-19.log. The reason they appear to have the same size is that during the current day, Wazuh writes alerts to both locations simultaneously.

Please tell me if you have more questions!

-Juan

German DiCasas

Jan 20, 2026, 7:44:07 AM (2 days ago) Jan 20
to Wazuh | Mailing List
Thanks, so it is normal. In the case that I want to install Wazuh on another machine, what do I need to copy from the old one to recreate the index on the new indexer? I mean the history of all alerts on the new VM.

Regards,

German

juanjos...@wazuh.com

Jan 20, 2026, 9:27:31 AM (2 days ago) Jan 20
to Wazuh | Mailing List

Hi German,

To migrate your Wazuh alert history to a new indexer on a different machine, you'll need to copy the archived alert logs and then reindex them.

Files to copy from the old machine:

Copy the entire alerts directory structure from /var/ossec/logs/alerts/ (the one in your old Wazuh).

*This includes all the dated subdirectories (like /var/ossec/logs/alerts/2026/Jan/, /var/ossec/logs/alerts/2025/Dec/, etc.)

Here are the steps:

  1. Put the archived alerts on your new Wazuh in the same location (/var/ossec/logs/alerts/).
  2. Use the Wazuh indexer tools to reindex the historical data. You can use Filebeat to read these archived alerts.json files and send them to your new indexer, or use the wazuh-indexer's reindex API.
  3. You may need to configure Filebeat temporarily to read from the archived directories instead of just the active logs, or write a script to feed the historical JSON alerts into the indexer.
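One way to do step 3, as an added example that is not from this thread or from Wazuh itself: a Python script that turns the archived alerts.json files into an OpenSearch _bulk payload. It assumes the default wazuh-alerts-4.x-YYYY.MM.DD index naming, that rotated days may be gzip-compressed, and that you post the result to the indexer's _bulk API yourself.

```python
"""Build OpenSearch _bulk payloads from archived Wazuh alerts.json files."""
import gzip
import hashlib
import json
import sys
from pathlib import Path

INDEX_PREFIX = "wazuh-alerts-4.x-"  # assumed: default daily index pattern


def index_for(alert: dict) -> str:
    # "2026-01-19T11:14:06.123+0000" -> "wazuh-alerts-4.x-2026.01.19"
    return INDEX_PREFIX + alert["timestamp"][:10].replace("-", ".")


def bulk_actions(raw_lines):
    """Yield (action, document) pairs for one NDJSON alert stream.
    Blank or unparseable lines are skipped instead of aborting the import."""
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Content-hash _id: re-running the import, or feeding the same day
        # from both alerts.json and ossec-alerts-DD.json, does not duplicate it.
        doc_id = hashlib.sha256(line.encode()).hexdigest()
        yield {"index": {"_index": index_for(alert), "_id": doc_id}}, alert


def build_bulk_body(raw_lines) -> str:
    """Serialize the pairs into the NDJSON body the _bulk API expects."""
    out = [json.dumps(part) for pair in bulk_actions(raw_lines) for part in pair]
    return "\n".join(out) + "\n" if out else ""


def open_alert_file(path: Path):
    # assumed: rotated days may be gzip-compressed (ossec-alerts-19.json.gz)
    return gzip.open(path, "rt") if path.suffix == ".gz" else path.open()


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts")
    files = [p for p in root.glob("*/*/ossec-alerts-*.json*") if p.suffix in (".json", ".gz")]
    for p in sorted(files):
        with open_alert_file(p) as fh:
            sys.stdout.write(build_bulk_body(fh))
```

Send the output to the indexer's _bulk endpoint over HTTPS with admin credentials and Content-Type application/x-ndjson; the content-hash _id makes the import idempotent against its own re-runs, not against documents the live Filebeat pipeline has already indexed under its own ids.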

German DiCasas

Jan 21, 2026, 7:59:19 AM (yesterday) Jan 21
to Wazuh | Mailing List
Juanjose,

Can you explain steps 2 and 3 to me in more detail? I mean, how can I do those steps, or is there some guide related to that? Thanks for the reply.

Regards

German

juanjos...@wazuh.com

Jan 21, 2026, 11:32:52 AM (22 hours ago) Jan 21
to Wazuh | Mailing List
Hi German,

You can follow

https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

The same technical process works perfectly for your migration scenario.

Let me know if that helps!


Best regards
-Juan

