How to move the log storage location on the wazuh manager server?
1,602 views
Skip to first unread message
Juan Ferdinan
Apr 11, 2023, 8:27:18 AM4/11/23
to Wazuh mailing list
Hi Wazuh Teams
Can I move the log storage on the wazuh manager server to Google Cloud Storage? I am planning to move the existing log storage in /var/ossec/logs/alerts/, /var/ossec/logs/archives/, /var/lib/wazuh-indexer/nodes/0/indices/ to Google Cloud Storage
Thanks & Regards
Juan
Delfina Lizarralde Bressan
Apr 11, 2023, 9:57:20 AM4/11/23
to Wazuh mailing list
Hi juan!
Thanks for using wazuh.
Yes, it is possible to store all the Wazuh logs in an external location.
In the indexer, you can create snapshots and store them in an external repository, and then remove the indices from the indexer.
Regards.
Thanks for using wazuh.
Yes, it is possible to store all the Wazuh logs in an external location.
In the indexer, you can create snapshots and store them in an external repository, and then remove the indices from the indexer.
You can find more information on how to do this here:
Additionally, you can send logs from wazuh to an on-premises server by following these steps:
- Determine the IP address or hostname of the on-premises server that you want to send logs to.
- Configure the on-premises server to receive logs. This typically involves installing a log collection agent or a syslog server, such as rsyslog or syslog-ng, on the server. The exact configuration steps will depend on the log collection tool you choose. Please refer to this documentation.
- Configure the Wazuh server to send logs to the on-premises server. Edit the configuration file for the Wazuh log collector, which is located at /var/ossec/etc/ossec.conf on the Wazuh server. Specifically, you'll need to add a new rule to the log collector configuration that tells it to send logs to the on-premises server. Refer to this documentation.
- After you've modified the configuration file, you'll need to restart wazuh log-collector and Wazuh managerfor the changes to take effect.
- Configure the on-premises server to receive logs. This typically involves installing a log collection agent or a syslog server, such as rsyslog or syslog-ng, on the server. The exact configuration steps will depend on the log collection tool you choose. Please refer to this documentation.
- Configure the Wazuh server to send logs to the on-premises server. Edit the configuration file for the Wazuh log collector, which is located at /var/ossec/etc/ossec.conf on the Wazuh server. Specifically, you'll need to add a new rule to the log collector configuration that tells it to send logs to the on-premises server. Refer to this documentation.
Hope this helps you.
Regards.
Juan Ferdinan
Apr 12, 2023, 12:59:37 AM4/12/23
to Wazuh mailing list
Hi Delfina
In this article https://wazuh.com/blog/index-backup-management/, for example using elasticsearch, what about wazuh? can I just replace the command with ./wazuh-plugin install repository-gcs?
I am currently using wazuh version 4.3.10 and there is no elasticsearch anymore ?CMIIW
Best Regards
Juan Ferdinan
Apr 17, 2023, 3:37:55 AM4/17/23
to Wazuh mailing list
Hi,
Any update about this?
Juan Ferdinan
Apr 25, 2023, 11:37:32 PM4/25/23
to Wazuh mailing list
Hi Wazuh Teams,
can anyone help answer my question?
Best Regrads
Juan
Nico Brambilla
May 11, 2023, 10:42:49 AM5/11/23
to Wazuh mailing list
Hi Juan Ferdinan, as Delfina suggested previously you need to follow the steps of the link she shared with you.
There is my 2 cents :
[root@wazuh-server ~]# /var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.10"},{"WAZUH_REVISION":"40323"},{"WAZUH_TYPE":"server"}]}[root@wazuh-server ~]#
[root@wazuh-server ~]#
[root@wazuh-server ~]# awk -F: '{ print $1}' /etc/passwd | tail -n4
wazuh-user
wazuh-indexer
wazuh
wazuh-dashboard
[root@wazuh-server ~]# ll /usr/share/wazuh-indexer/bin/
total 56
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 5770 Nov 11 13:30 indexer-security-init.sh
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 3002 Jan 14 2022 opensearch
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 1082 Jan 14 2022 opensearch-cli
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 4841 Nov 11 13:18 opensearch-env
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 1831 Jan 14 2022 opensearch-env-from-file
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 194 Jan 14 2022 opensearch-keystore
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 128 Jan 14 2022 opensearch-node
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 182 Jan 14 2022 opensearch-plugin
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 120 Jan 14 2022 opensearch-shard
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 184 Jan 14 2022 opensearch-upgrade
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 588 Jan 14 2022 performance-analyzer-agent-cli
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 583 Nov 11 13:18 systemd-entrypoint
[root@wazuh-server ~]# cd /usr/share/wazuh-indexer/bin/
[root@wazuh-server bin]# ./opensearch-plugin install repository-gcs
There is my 2 cents :
[root@wazuh-server ~]# /var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.10"},{"WAZUH_REVISION":"40323"},{"WAZUH_TYPE":"server"}]}[root@wazuh-server ~]#
[root@wazuh-server ~]#
[root@wazuh-server ~]# awk -F: '{ print $1}' /etc/passwd | tail -n4
wazuh-user
wazuh-indexer
wazuh
wazuh-dashboard
[root@wazuh-server ~]# ll /usr/share/wazuh-indexer/bin/
total 56
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 5770 Nov 11 13:30 indexer-security-init.sh
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 3002 Jan 14 2022 opensearch
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 1082 Jan 14 2022 opensearch-cli
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 4841 Nov 11 13:18 opensearch-env
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 1831 Jan 14 2022 opensearch-env-from-file
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 194 Jan 14 2022 opensearch-keystore
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 128 Jan 14 2022 opensearch-node
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 182 Jan 14 2022 opensearch-plugin
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 120 Jan 14 2022 opensearch-shard
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 184 Jan 14 2022 opensearch-upgrade
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 588 Jan 14 2022 performance-analyzer-agent-cli
-rwxr-x---. 1 wazuh-indexer wazuh-indexer 583 Nov 11 13:18 systemd-entrypoint
[root@wazuh-server ~]# cd /usr/share/wazuh-indexer/bin/
[root@wazuh-server bin]# ./opensearch-plugin install repository-gcs
Please take a look , of the bolded lines. ;-)
I will be looking to hearing from you..
I will be looking to hearing from you..
Best regards
Nico B.
Reply all
Reply to author
Forward
0 new messages