Wazuh Server - Out of space


Gerardo Luna

Jun 28, 2023, 9:52:48 PM
to Wazuh mailing list
According to the example of the Wazuh-Server installation:

"For example, for an environment with 80 workstations, 10 servers, and 10 network devices, the storage needed on the Wazuh server for 90 days of alerts is 6 GB."

The allocated 10 GB of space was quickly filled by 2 agents (1 Windows / 1 Linux). How should the WAZUH-SERVER be configured so that it doesn't run out of space?

Why does the WAZUH-INDEXER have more space than the WAZUH-SERVER? Which of these two components should have more disk space, considering that they are differentiated servers?

Héctor Gómez

Jun 28, 2023, 10:54:51 PM
to Wazuh mailing list
For each type of device, a different series of events is generated; approximate figures are those given in this table:
https://documentation.wazuh.com/current/installation-guide/wazuh-server/index.html#hardware-requirements

However, this changes a lot in practice depending on the server. In these cases Windows servers are very noisy and generate too many events; that is probably the cause of the problem.
The disk space for the Wazuh server is variable, since events are removed from the Wazuh server after they are indexed. For an environment like this, I can recommend going up to a minimum of 40 GB on the Wazuh servers.

Regarding the difference in disk space between the WAZUH-SERVER and WAZUH-INDEXER, it is common for the WAZUH-INDEXER to have more space. The WAZUH-INDEXER is responsible for storing and indexing the logs received from multiple Wazuh agents, while the WAZUH-SERVER primarily handles real-time alerting and management. The WAZUH-INDEXER needs more disk space to accommodate the larger volume of logs it processes and indexes. However, the specific disk space requirements may vary depending on the scale and usage of your environment. It is recommended to monitor the disk usage of both components and adjust the storage capacity accordingly to ensure optimal performance and data retention.

Gerardo Luna

Jun 29, 2023, 10:05:35 AM
to Wazuh mailing list
Dear Hector,
Thanks for the timely feedback.
For the installation I followed the recommendations of the WAZUH portal for a Cluster type installation.
My servers have the following disk space capacity.

WAZUH-SERVER:
/dev/mapper/rhel-root 20G 14G 5.4G 73% /

WAZUH-INDEXER
/dev/mapper/roog_vg-root 108G 5.1G 103G 5% /

WAZUH-DASHBOARD
/dev/mapper/vg_root-root 11G 3.2G 7.7G 29% /

On the point that you indicate that WAZUH-INDEXER is responsible for storing the records of various WAZUH-AGENTS, according to the image all WAZUH-AGENTS send data to WAZUH-SERVER.
Arquitectura_WAZUH.png


The question is: when or where is the sending of information from WAZUH-SERVER to WAZUH-INDEXER parameterized? How often does this shipment occur?

I would like to ask more questions if you agree.

Gerardo Luna

Jun 29, 2023, 2:10:53 PM
to Wazuh mailing list
Additionally, I am sending a screenshot that shows the disk consumption of only two WAZUH-AGENTs (1 Linux, 1 Windows) over a period of 2 hours. How can I optimally configure the WAZUH-AGENT?
Wazuh-Server-2Agents.png

Héctor Gómez

Jun 29, 2023, 8:49:24 PM
to Wazuh mailing list
Regards @gerardo. Indeed, the wazuh-server is in charge of receiving the information from the agents and retains it, to later transfer it to the wazuh-indexer, which is where it is stored.
This storage in wazuh-indexer can be managed by the life cycle of the indexers.

Each event collected by the Wazuh agent is transmitted to the Wazuh administrator. The administrator will assign the event a severity level based on the rules that match the rule set. By default, it will only log alerts with a severity level of 3 or higher.
https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html

Wazuh-generated alerts are sent to a daily Elasticsearch index called wazuh-alerts-4.x-x-YYYY.MM.DD using the default settings.

You can see more information in the documentation:
https://wazuh.com/blog/wazuh-index-management/
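Before raising `<log_alert_level>` as discussed above, it helps to know how much of the manager's `alerts.json` volume each level accounts for and which rules would stop being logged. The script below is an added example written for this thread; it is not code from the Wazuh project or from either poster. It assumes the standard `ossec.conf` layout (several top-level `<ossec_config>` blocks, an `<alerts><log_alert_level>` element, Wazuh default 3) and the one-alert-per-line JSON shape of `/var/ossec/logs/alerts/alerts.json`; the configuration fragment and the alert lines embedded in it are constructed samples, including the rule ids and descriptions.

```python
"""Added example (not from the thread or the Wazuh project): estimate how much of
a manager's alerts.json volume survives a given <log_alert_level> threshold, and
which rules stop being logged. Sample config and alert lines are constructed."""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed ossec.conf fragment. A real /var/ossec/etc/ossec.conf contains
# several top-level <ossec_config> blocks, so it is not a single-root XML document.
OSSEC_CONF = """\
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
"""

# Constructed alerts.json lines (newline-delimited JSON, one alert per line),
# mimicking the shape of /var/ossec/logs/alerts/alerts.json on a manager.
# Rule ids, descriptions and agent names are sample values, not a real capture.
ALERTS_JSON = """\
{"timestamp":"2023-06-29T10:00:01.000+0000","rule":{"level":3,"id":"60106","description":"Windows logon success"},"agent":{"id":"001","name":"win01"},"full_log":"An account was successfully logged on."}
{"timestamp":"2023-06-29T10:00:02.000+0000","rule":{"level":3,"id":"5402","description":"Successful sudo to ROOT executed"},"agent":{"id":"002","name":"lin01"},"full_log":"sudo: user : TTY=pts/0 ; COMMAND=/bin/ls"}
{"timestamp":"2023-06-29T10:00:03.000+0000","rule":{"level":3,"id":"60106","description":"Windows logon success"},"agent":{"id":"001","name":"win01"},"full_log":"An account was successfully logged on."}

{"timestamp":"2023-06-29T10:00:04.000+0000","rule":{"level":5,"id":"5503","description":"PAM: User login failed."},"agent":{"id":"002","name":"lin01"},"full_log":"pam_unix(sshd:auth): authentication failure"}
{"timestamp":"2023-06-29T10:00:05.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"002","name":"lin01"},"full_log":"File '/etc/hosts' modified"}
{"timestamp":"2023-06-29T10:00:06.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"002","name":"lin01"},"full_log":"Multiple failed logins"}
"""


def current_log_alert_level(conf_text: str) -> int:
    """Return <alerts><log_alert_level> from an ossec.conf text (Wazuh default: 3)."""
    # Wrap the multi-root file in a synthetic root so ElementTree accepts it.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    node = root.find("./ossec_config/alerts/log_alert_level")
    return int(node.text.strip()) if node is not None and node.text else 3


def volume_by_level(alerts_text: str) -> dict:
    """Bytes written to alerts.json per rule level (trailing newline included)."""
    by_level = defaultdict(int)
    for line in alerts_text.splitlines():
        if not line.strip():
            continue
        try:
            level = int(json.loads(line)["rule"]["level"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines rather than abort the estimate
        by_level[level] += len(line.encode("utf-8")) + 1
    return dict(by_level)


def retained_fraction(by_level: dict, threshold: int) -> float:
    """Fraction of alert-log bytes kept if <log_alert_level> were set to threshold.
    Wazuh logs an alert when its rule level is >= the configured threshold."""
    total = sum(by_level.values())
    if total == 0:
        return 0.0
    kept = sum(b for lvl, b in by_level.items() if lvl >= threshold)
    return kept / total


def dropped_rules(alerts_text: str, threshold: int) -> set:
    """(rule id, description) pairs that would no longer be logged at threshold."""
    dropped = set()
    for line in alerts_text.splitlines():
        if not line.strip():
            continue
        try:
            rule = json.loads(line)["rule"]
            if int(rule["level"]) < threshold:
                dropped.add((rule["id"], rule["description"]))
        except (ValueError, KeyError, TypeError):
            continue
    return dropped


if __name__ == "__main__":
    current = current_log_alert_level(OSSEC_CONF)
    by_level = volume_by_level(ALERTS_JSON)
    print(f"current log_alert_level: {current}")
    for threshold in range(current, 13):
        pct = 100 * retained_fraction(by_level, threshold)
        print(f"threshold {threshold:>2}: ~{pct:5.1f}% of alerts.json volume retained")
    print("rules silenced at level 5:", sorted(dropped_rules(ALERTS_JSON, 5)))
```

Run it against a real `alerts.json` by reading the file into `ALERTS_JSON` (a day's worth is enough for a representative split). The point of `dropped_rules` is the trade-off behind the fix that worked in this thread: an alert below `<log_alert_level>` is never written to `alerts.json`, so it never reaches the indexer or the dashboard either; check that nothing you rely on for detection (for example FIM or authentication rules) sits below the new threshold. `<email_alert_level>` is a separate setting and is untouched by this change.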

Gerardo Luna

Jul 1, 2023, 6:04:48 AM
to Wazuh mailing list
Dear Hector, greetings.
Having changed the alerts from 3 -> 5, I no longer have saturation of the WAZUH-SERVER space.
change_alert.png
Where can I find more information about alert levels and what each level covers? I plan to integrate Telegram with the alerts, for example for critical file modifications.
I was reviewing the section "Rules (852) From here you can manage your rules". Is this where the alert levels are defined?
wazuh_rules.png
Also, does changing the daily creation of indexes have any impact on the disk consumption of WAZUH-SERVER?
index_creation.png


Thanks for sharing the knowledge.
WAZUH rules!

Héctor Gómez

Jul 10, 2023, 10:00:54 AM
to Wazuh mailing list
Hello, @gerardo
In the Rules classification section you can get all the information on the levels of the rules and what is filtered in each one of them.

Regarding the rotation of the Elastic indices, it is good for it to be daily; that is the recommended value.