How to reduce wazuh-archives index size


Shady Mohamed

Jan 26, 2026, 3:08:48 AM
to Wazuh | Mailing List

Hi everyone,

I’m running Wazuh (4.x) and I’m seeing extensive daily indices for wazuh-archives-4.x-YYYY.MM.DD — around ~10 GB per day.
My setup mainly ingests logs from a Firewall (no endpoints/agents yet).

I’d like to reduce the archives index growth and storage usage.

What are the best practices to reduce wazuh-archives size?

Any guidance or examples would be appreciated. Thanks!




Othniel Ebolum

Jan 26, 2026, 4:09:34 AM
to Wazuh | Mailing List
Hi Shady,

For your case, the focus should be on filtering input, managing retention, and optimizing storage without losing critical data.

Best practices would be:

1. Disable archiving if not essential.

If you don't need full raw log archiving (e.g., for compliance or deep forensics), turn it off entirely; this can eliminate the archives indices and drastically cut storage use.

  • Edit /var/ossec/etc/ossec.conf on the Wazuh server:

<!-- Both options live inside the <global> section of /var/ossec/etc/ossec.conf -->
<logall>no</logall>           <!-- stop writing the plain-text archives.log -->
<logall_json>no</logall_json> <!-- stop writing archives.json, which Filebeat ships into wazuh-archives-* -->

You can go through this guide for more information.

Restart the manager service after the changes so they take effect.

2. Filter incoming logs to reduce volume
Firewall logs often include verbose allowed/denied traffic that can bombard the archives. You can decide, based on your environment's preferences, what is being sent to Wazuh for indexing.

3. Implement index lifecycle management for retention.
We have Wazuh index state management (ISM), which automatically rolls over and deletes old archive indices based on age, size, or doc count. This is ideal for shortening retention from defaults (e.g., 90+ days) to something like 7-30 days. A summary of the steps:
  • Access ISM via the Wazuh dashboard: Stack Management > Index Management > Policies.
  • Create a policy for wazuh-archives-*
  • Apply the policy to existing indices: Select indices in Index Management > Indices, then Actions > Apply policy.
  • For multi-node setups, add a hot-warm policy to move older indices to lower-cost storage with fewer replicas (e.g., transition at 30d, set replicas to 0 on warm nodes).
  • This can reclaim space quickly—e.g., deleting indices older than 7 days could cut your daily 10 GB footprint significantly over time.

Kindly go through our documentation about index lifecycle management for a more detailed guide.

4. Enable log rotation, compression, and manual cleanup
Though Wazuh already compresses logs automatically, ensure it's active and clean up old ones.
  • In /var/ossec/etc/ossec.conf, confirm rotation settings (defaults handle daily compression into .gz files).

  • Set up a cron job for periodic cleanup (e.g., delete archives older than 7 days).

There are quite a few best practices that could help. Monitor your storage usage and your firewall logs properly, and see which of these is best to apply.
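The following script is an added example for steps 3 and 4 above; it is not code from the thread or from Wazuh's own tooling. It builds an ISM policy that deletes wazuh-archives-* indices after a chosen number of days, pushes it to the indexer's ISM API, attaches it to the indices that already exist (the ism_template only covers indices created after the policy), and prints the find(1) command a cron entry can use to prune the rotated .gz archive files on the manager. The indexer URL, the admin credentials, the policy name wazuh-archives-retention and the retention of 7 days are assumptions to adjust for your environment; the ISM endpoints are the standard OpenSearch ones the Wazuh indexer exposes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): ISM retention policy for wazuh-archives-*
# plus a prune command for the manager's rotated archive files.
set -eu

INDEXER_URL="${INDEXER_URL:-https://127.0.0.1:9200}"   # assumption: indexer on the same host
INDEXER_USER="${INDEXER_USER:-admin}"                   # assumption: default admin user
INDEXER_PASS="${INDEXER_PASS:-admin}"                   # assumption: replace with your password
POLICY_ID="${POLICY_ID:-wazuh-archives-retention}"      # constructed policy name
RETENTION_DAYS="${RETENTION_DAYS:-7}"                   # keep one week of archives
ARCHIVES_DIR="${ARCHIVES_DIR:-/var/ossec/logs/archives}" # default Wazuh archive location

# Emit the ISM policy body: indices start in "hot", move to "delete" once they
# are older than RETENTION_DAYS, and the delete action removes them.
build_policy() {
  days="${1:-$RETENTION_DAYS}"
  cat <<EOF
{
  "policy": {
    "description": "Delete wazuh-archives indices older than ${days} days",
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [],
        "transitions": [
          { "state_name": "delete", "conditions": { "min_index_age": "${days}d" } }
        ]
      },
      {
        "name": "delete",
        "actions": [ { "delete": {} } ],
        "transitions": []
      }
    ],
    "ism_template": [
      { "index_patterns": [ "wazuh-archives-*" ], "priority": 100 }
    ]
  }
}
EOF
}

# Create (or overwrite) the policy through the ISM plugin API.
create_policy() {
  build_policy "$RETENTION_DAYS" | curl -sS -k -u "${INDEXER_USER}:${INDEXER_PASS}" \
    -X PUT "${INDEXER_URL}/_plugins/_ism/policies/${POLICY_ID}" \
    -H 'Content-Type: application/json' --data-binary @-
}

# Attach the policy to the daily indices that already exist.
apply_policy() {
  curl -sS -k -u "${INDEXER_USER}:${INDEXER_PASS}" \
    -X POST "${INDEXER_URL}/_plugins/_ism/add/wazuh-archives-*" \
    -H 'Content-Type: application/json' \
    -d "{\"policy_id\": \"${POLICY_ID}\"}"
}

# Return the find(1) command that removes rotated .gz archives older than N days,
# as text, so it can be reviewed before being placed in a cron entry.
prune_command() {
  days="${1:-$RETENTION_DAYS}"
  printf 'find %s -type f -name "*.gz" -mtime +%s -delete\n' "$ARCHIVES_DIR" "$days"
}

# Only touch the indexer when explicitly asked: ./archives-retention.sh run
if [ "${1:-}" = "run" ]; then
  create_policy
  echo
  apply_policy
  echo
  echo "Suggested daily cron entry for /etc/cron.d (runs at 02:00):"
  echo "0 2 * * * root $(prune_command)"
fi
```

Run it with the `run` argument after exporting the real indexer URL and credentials; without the argument it only defines the functions, so `build_policy 30` can be used to inspect the JSON for a 30-day variant before anything is created. Disk pruning only affects the compressed files under the archives directory; the live archives.log and archives.json are rotated by the manager itself and are left alone.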