how to clear space on Elasticsearch.


Enekupe Lelevaga

Feb 7, 2022, 4:17:45 PM2/7/22
to Wazuh mailing list

John Soliani

Feb 7, 2022, 6:12:54 PM2/7/22
to Wazuh mailing list
Hello,

  Thank you for using our community!

  First, check how much space the Elasticsearch DB is using with this:
  # du -sh /var/lib/elasticsearch/
  382M    /var/lib/elasticsearch/

  Then, check how much the Elasticsearch logs are using:
  # du -sh /var/log/elasticsearch/
  60M     /var/log/elasticsearch/

  To reduce the data used by the Elasticsearch DB, you will need to delete data. Data in ELK is stored (normally) in daily indices. Let's see how to check this. First, test your credentials (they must have permissions to manage indices; use admin if possible) with:
  # curl -k -u <USER>:<PASSWORD> -XGET https://<ElasticsearchIP>:9200/
  (you should get details of the product, version number, build flavor and type, etc.)

  Check the status of the DB with:
  # curl -k -u <USER>:<PASSWORD> -XGET https://localhost:9200/_cluster/health?pretty=true

  Check the indices of December 2021 with:
  # curl -k -u <USER>:<PASSWORD> -XGET https://<ElasticsearchIP>:9200/_cat/indices/wazuh-*2021.12*?v

  You will see details of the indices, including size, health, status, docs, etc. You can check if you have data from previous years with:
  # curl -k -u <USER>:<PASSWORD> -XGET https://<ElasticsearchIP>:9200/_cat/indices/wazuh-*2020*?v
  # curl -k -u <USER>:<PASSWORD> -XGET https://<ElasticsearchIP>:9200/_cat/indices/wazuh-*201*?v

  Once you've found the oldest data, you can delete it like this. Let's assume you want to delete all data from the year 2019:
  # curl -k -u <USER>:<PASSWORD> -XDELETE https://<ElasticsearchIP>:9200/wazuh-*2019*
  # curl -k -u <USER>:<PASSWORD> -XDELETE https://<ElasticsearchIP>:9200/monitoring-*2019*

  If you want to delete just one month, let's say July 2021, you can use this:
  # curl -k -u <USER>:<PASSWORD> -XDELETE https://<ElasticsearchIP>:9200/wazuh-*2021.07*
  # curl -k -u <USER>:<PASSWORD> -XDELETE https://<ElasticsearchIP>:9200/monitoring-*2021.07*

After cleaning the DB, it is good practice to automate this using Index State Management (ISM in OpenDistro) or Index Lifecycle Management (ILM in the ES Stack). Check our blog to see how it's done by following this link:

Hope this helps, 
John.-
On Monday, February 7, 2022 at 6:17:45 PM UTC-3 enetu...@gmail.com wrote:
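The index clean-up described in the answer above works on a per-year or per-month wildcard. As an added example (not from the thread or from Wazuh), the script below takes the `_cat/indices` output the answer tells you to inspect, picks out the daily indices older than a retention window, and prints the DELETE commands it would issue without sending anything; the sample output, the `wazuh-alerts-4.x-` / `wazuh-monitoring-` names and the 90-day window are constructed assumptions.

```python
"""Added example: select Wazuh daily indices older than a retention window
from `_cat/indices` output before any DELETE is issued."""
import re
from datetime import date, timedelta

# Constructed sample of `GET /_cat/indices/wazuh-*?v&h=index,store.size,docs.count`
# output; names follow the daily YYYY.MM.dd suffix Wazuh indices use.
SAMPLE_CAT_INDICES = """\
index                          store.size docs.count
wazuh-alerts-4.x-2019.12.30    1.2gb      910233
wazuh-alerts-4.x-2021.07.15    845.3mb    602114
wazuh-alerts-4.x-2022.02.06    120.5mb    90112
wazuh-alerts-4.x-2022.02.07    98.1mb     71220
wazuh-monitoring-2021.07.15    3.4mb      1200
"""

DATE_RE = re.compile(r"-(\d{4})\.(\d{2})\.(\d{2})$")
UNITS = {"b": 1, "kb": 1024, "mb": 1024**2, "gb": 1024**3, "tb": 1024**4}


def parse_size(text):
    """Convert the human-readable store.size column (e.g. '845.3mb') to bytes."""
    m = re.fullmatch(r"([\d.]+)([a-z]+)", text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_cat_indices(output):
    """Return (index, day, bytes) for every row whose name ends in YYYY.MM.dd."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the column header
        name, size, _docs = line.split()
        m = DATE_RE.search(name)
        if m:  # indices without a daily date suffix are left alone
            rows.append((name, date(*map(int, m.groups())), parse_size(size)))
    return rows


def expired_indices(output, retention_days, today):
    """Index names older than the window (oldest first) and the bytes they hold."""
    cutoff = today - timedelta(days=retention_days)
    old = sorted((r for r in parse_cat_indices(output) if r[1] < cutoff),
                 key=lambda r: r[1])
    return [name for name, _, _ in old], sum(size for _, _, size in old)


if __name__ == "__main__":
    names, reclaimed = expired_indices(SAMPLE_CAT_INDICES, 90, date(2022, 2, 7))
    for n in names:  # dry run: show the DELETE, do not send it
        print(f"curl -k -u <USER>:<PASSWORD> -XDELETE https://<ElasticsearchIP>:9200/{n}")
    print(f"reclaimable: {reclaimed / 1024**2:.1f} MiB")
```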

Enekupe Lelevaga

Feb 7, 2022, 7:31:01 PM2/7/22
to John Soliani, Wazuh mailing list
Thanks for getting back to me. 

Please, what command do I use to check the Elasticsearch IP address?


John Soliani

Feb 8, 2022, 12:27:57 PM2/8/22
to Wazuh mailing list
Hey! 

  The configurations for the Elasticsearch servers can be found in:
  • /etc/filebeat/filebeat.yml (filebeat)
  • /etc/kibana/kibana.yml (kibana)
  • /etc/elasticsearch/elasticsearch.yml (elasticsearch)
  To check the IP address of the current system, you can use:
  • hostname -I (capital i)
  • ip a (to check all eth devices)
Hope this helps,
John.-