Log retention in wazuh


Rabail Naseer

Apr 27, 2021, 6:55:55 AM
to Wazuh mailing list
Hi Wazuh team,
I have configured the internal_options.conf file, updated the log retention days from 31 days to 1 day, and removed all old files stored in the logs/alerts/2021/Apr directory.
I am checking how many old logs will be saved if I update the log retention days.
But when I update monitord.keep_log_days=1 it still stores old files, instead of storing only one day's logs.

Below are the screenshots for better understanding.

And by default, for how long will old logs be stored in logs/alerts/2021?


Yana Zaeva

Apr 27, 2021, 9:38:16 AM
to Wazuh mailing list
Hi,

It seems that this option is for the internal logs, meaning the ossec.log file, not the alerts.log or alerts.json ones. You can find it in /var/ossec/logs/ossec.log. This file contains log messages about the Wazuh manager status and its modules. When this file is rotated and compressed, it is stored in /var/ossec/logs/ossec/, so check this directory and let me know if you are able to see any files there. You can find more information about this option here.

If you want to establish a retention policy, you can follow this guide to set up a lifecycle policy. This way, you will automatically delete old indices and maintain the desired retention policy. Also, you can use a Cron Job to remove the compressed alerts.json files by running a command at a specific time. I will leave here a guide to Cron Jobs.

Hope I was helpful. Let me know if you have any queries.

Regards,
Yana.

Rabail Naseer

Apr 28, 2021, 3:06:19 AM
to Wazuh mailing list
Hi Yana,
Yes, I can see one file named ossec-27.log.gz in the var/ossec/logs/ossec/2021/Apr directory, and all old files are deleted automatically.

By default, for how long will old alert files be stored in logs/alerts/2021?

And according to the PCI standard I want to keep one year of security logs. How can I do this?

Yana Zaeva

Apr 28, 2021, 3:08:17 PM
to Wazuh mailing list
Hello,

By default, the data stored in the /log/alerts/ directory is not going to be deleted, so all the alerts that are being generated will be saved. If you want to keep one year of security logs, you can perform these two steps:

- First of all, set up a crontab script to remove logs from /var/ossec/logs/alerts. To edit the crontab, please run this command: crontab -e. It will open your crontab file, where you will be able to add the commands you need. For example, as you need 1 year of security logs, an example of your crontab script would be:

45 0 * * * find /var/ossec/logs/alerts/ -name "*.gz" -type f -mtime +365 -exec rm -f {} \;

This will delete all the alerts that are older than a year. You can set it to any other period too; for example, this script would retain logs for 90 days:

45 0 * * * find /var/ossec/logs/alerts/ -name "*.gz" -type f -mtime +90 -exec rm -f {} \;

You can obtain more information about Cron Jobs here and here.

- The second step would be applying a one-year retention policy to the Elasticsearch indices. The PCI standard requires one year of cold storage and three months of hot storage. If you implement this type of policy, you will save more disk space than by applying one year of hot storage. You can check this guide and follow the steps explained there to accomplish either one year of hot storage, or three months of hot storage and one year of cold storage.

Hope I was helpful. Let me know if you face any issues while approaching any of these steps.

Regards,
Yana.
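An added example, not from the thread and not Wazuh's own tooling, that wraps the same find predicate from the crontab lines above in a script whose default is a dry run, so the archives about to be removed can be reviewed before anything is deleted. The /var/ossec/logs/alerts path and the 365-day retention are assumed defaults; lifecycle management of the Elasticsearch indices remains a separate step.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh itself: prune compressed
# alert archives older than N days, dry-run first. Directory and 365-day
# default are assumptions; Wazuh rotates alerts into YYYY/Mon/ subdirectories.

# prune_alerts DIR DAYS [apply]
# Lists the *.gz files under DIR whose mtime is more than DAYS days old.
# Deletes them only when the third argument is the literal word "apply".
prune_alerts() {
    dir=$1
    days=$2
    mode=${3:-dry-run}

    # Refuse bad input so a typo in the schedule cannot wipe current archives.
    case $days in
        ''|*[!0-9]*) echo "retention days must be a positive integer" >&2; return 2 ;;
    esac
    [ "$days" -ge 1 ] || { echo "retention days must be >= 1" >&2; return 2; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Same predicate as the crontab one-liner above. Note that -mtime +N means
    # "modified more than N*24 hours ago", so a file rotated exactly N days
    # ago is kept until the following run.
    if [ "$mode" = apply ]; then
        find "$dir" -type f -name '*.gz' -mtime +"$days" -print -exec rm -f {} +
    else
        find "$dir" -type f -name '*.gz' -mtime +"$days" -print
    fi
}

# Number of files a run would remove; handy for logging the decision from cron.
prune_count() {
    prune_alerts "$1" "$2" | wc -l | tr -d ' '
}

# Invoked directly, e.g. from crontab as
#   45 0 * * * /usr/local/sbin/prune_alerts.sh /var/ossec/logs/alerts 365 apply
# With no arguments only the functions are defined (so the file can be sourced).
if [ "$#" -ge 2 ]; then
    prune_alerts "$@"
fi
```

Run it without the "apply" argument first and compare the listed files against the oldest day the retention policy must still cover; only then schedule the apply form.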