Index location and log path change
1,664 views
Skip to first unread message
Smriti Kaushal
Nov 9, 2022, 1:00:39 AM11/9/22
to Wazuh mailing list
Hi
Is there any way to change the log file location and index location in wazuh .
Benjamin Nworah
Nov 9, 2022, 2:07:10 AM11/9/22
to Wazuh mailing list
Hello Smritiki,
Thank you for using Wazuh!
I will recommend you take a look at this link.
Please let me know if this answers your question.
Regards,
Thank you for using Wazuh!
I will recommend you take a look at this link.
Please let me know if this answers your question.
Regards,
Smriti Kaushal
Nov 9, 2022, 4:39:37 AM11/9/22
to Wazuh mailing list
hi
thank you for the information.
I understand that we can move the logs from one place to other.
Is it possible to move the entire index to some other location?
Benjamin Nworah
Nov 9, 2022, 6:36:39 AM11/9/22
to Wazuh mailing list
Hello Smiritika,
Please give me some time to revert back.
Regards,
Please give me some time to revert back.
Regards,
Smriti Kaushal
Nov 9, 2022, 6:44:38 AM11/9/22
to Wazuh mailing list
sure, Thanks
Benjamin Nworah
Nov 9, 2022, 6:49:47 AM11/9/22
to Wazuh mailing list
Hello smiritika,
Please what is your environment model?
- Do you have All-in-one or distributed?
- Are your running Wazuh indexer, or elastic search?
Regards,
Please what is your environment model?
- Do you have All-in-one or distributed?
- Are your running Wazuh indexer, or elastic search?
Regards,
Smriti Kaushal
Nov 9, 2022, 7:22:57 AM11/9/22
to Wazuh mailing list
I am using wazuh indexer
Benjamin Nworah
Nov 9, 2022, 7:33:18 AM11/9/22
to Wazuh mailing list
Hello Smirika,
Thank you for your swift response.
To change the index in wazuh-indexer, kindly follow the below steps:
# mv /var/log/wazuh-indexer/ /<new folder_log>/
# chown wazuh-indexer:wazuh-indexer -R /<new_folder_lib>/
# chown wazuh-indexer:wazuh-indexer -R /<new folder_log>/
5. edit /etc/wazuh-indexer/opensearch.yml
#systemctl start wazuh-indexer
Please let me know if this helps.
Regards,
Thank you for your swift response.
To change the index in wazuh-indexer, kindly follow the below steps:
- Stop indexing and perform flush: curl -X POST "https://<indexer_IP>:9200/_flush/synced" -u <username>:<password> -k
- Stop filebeat systemctl stop filebeat
- Stop wazuh-indexer: systemctl stop wazuh-indexer
- Move or copy your data to the new directories and change ownership.
# mv /var/log/wazuh-indexer/ /<new folder_log>/
# chown wazuh-indexer:wazuh-indexer -R /<new_folder_lib>/
# chown wazuh-indexer:wazuh-indexer -R /<new folder_log>/
5. edit /etc/wazuh-indexer/opensearch.yml
6. Change path.data and path.logs to the new partitions
7. Restart the services
#systemctl daemon-reload
#systemctl enable wazuh-indexer#systemctl daemon-reload
#systemctl start wazuh-indexer
#systemctl restart filebeat
Please let me know if this helps.
Regards,
Smriti Kaushal
Nov 10, 2022, 2:15:52 AM11/10/22
to Wazuh mailing list
thank you for your time and help,
I tried but it didn't work
Benjamin Nworah
Nov 10, 2022, 6:09:34 AM11/10/22
to Wazuh mailing list
Hello smritika,
Did you receive any error message while migrating the index logs.?
I tested it on my All-in-one lab, and it worked.
Please replace these steps:
I included "*"
I tested it on my All-in-one lab, and it worked.
Please replace these steps:
I included "*"
- # mv /var/lib/wazuh-indexer/ /<new_folder_lib>/ with # mv /var/lib/wazuh-indexer/* /<new_folder_lib>/
- # mv /var/log/wazuh-indexer/ /<new folder_log>/ with # mv /var/log/wazuh-indexer/* /<new folder_log>/
Part of what worked for me, try and create the new directories inside the folder /var/log/ and /var/lib, for example.
mkdir /var/lib/<new_folder_lib>
mkdir /var/log/<new_folder_log>
Please let me know if this works. I will be here waiting.
mkdir /var/lib/<new_folder_lib>
mkdir /var/log/<new_folder_log>
Please let me know if this works. I will be here waiting.
Regards,
TheLotus 24
May 11, 2024, 5:48:45 PM5/11/24
to Wazuh | Mailing List
Hello, and to test in a distributed environment?
Reply all
Reply to author
Forward
0 new messages