How information is saved in Wazuh?


Nemo191 Nm

Jun 11, 2024, 9:42:44 AM
to Wazuh | Mailing List
Tell me please. How is information saved in Wazuh? The server is standalone. Is the raw log saved to disk first, or in the indexer? Or is the log saved to disk and to the indexer at the same time? This is necessary to understand which hard drive to choose: is a 7200 rpm drive fast enough?

Federico Damian Lo Iacono

Jun 11, 2024, 12:56:04 PM
to Wazuh | Mailing List
Hi Nemo191,

Wazuh server stores all events coming from endpoints in the files /var/ossec/logs/alerts/alerts.log (flat log storage) and /var/ossec/logs/alerts/alerts.json (JSON document storage). Internally, these files are ingested by Filebeat and sent over to the Wazuh Indexer, where these same alerts are stored as documents in indices. You can find out which directory this data is in by looking at the path.data variable in /etc/wazuh-indexer/opensearch.yml, which defines execution conditions for the indexer.

In a standalone install, like yours, the aforementioned means that the alerts are stored in those three locations. You can also optionally enable archives, which would store all events (even those which do not trigger alerts) in /var/ossec/logs/archives/archives.json, but be advised that this capability fills up the disk very quickly and is usually used for troubleshooting.

Wazuh Server uses buffers for the endpoint data before storing it on disk, which would mean that disk speed should not be a limitation, but you will surely find it beneficial to count on faster disk writes and reads when querying alerts.

Hope this helps.
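To make the storage path above concrete, here is a small added example (not from this thread or from the Wazuh project) that inspects the two on-disk artifacts Federico names: it parses alerts.json lines the way Filebeat would (one JSON document per line), reports how many documents and bytes a chunk of the file represents, skips a half-written trailing line, and reads path.data out of an opensearch.yml excerpt so you can see which disk actually holds the indexer's copy. The sample alert lines and the opensearch.yml excerpt are constructed for the example; the daily index name `wazuh-alerts-4.x-YYYY.MM.DD` is assumed to be the default Filebeat template naming and may differ on a customised install.

```python
"""Inspect what a standalone Wazuh server writes to disk before Filebeat ships it."""
import json
from collections import Counter

# Constructed sample in the shape of /var/ossec/logs/alerts/alerts.json: one JSON
# document per line (NDJSON). Field names follow the Wazuh alert layout; agent
# names, addresses and rule texts are made up for this example. The last line is
# deliberately truncated, as a line can be while the server is still writing it.
SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({"timestamp": "2024-06-11T09:42:44.101+0000",
                "rule": {"level": 5, "id": "5716", "description": "sshd: authentication failed."},
                "agent": {"id": "001", "name": "web-01"},
                "full_log": "Jun 11 09:42:43 web-01 sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 51234 ssh2"}),
    json.dumps({"timestamp": "2024-06-11T09:43:10.555+0000",
                "rule": {"level": 10, "id": "5720", "description": "sshd: multiple authentication failures."},
                "agent": {"id": "001", "name": "web-01"},
                "full_log": "Jun 11 09:43:09 web-01 sshd[1240]: Failed password for root from 10.0.0.5 port 51240 ssh2"}),
    json.dumps({"timestamp": "2024-06-12T08:41:31.000+0000",
                "rule": {"level": 3, "id": "5501", "description": "PAM: Login session opened."},
                "agent": {"id": "002", "name": "db-01"},
                "full_log": "Jun 12 08:41:30 db-01 sshd[88]: pam_unix(sshd:session): session opened for user ops"}),
    '{"timestamp":"2024-06-12T08:41:31.900+0000","rule":{"level":3',  # truncated line
]) + "\n"

# Constructed excerpt of /etc/wazuh-indexer/opensearch.yml.
SAMPLE_OPENSEARCH_YML = """# constructed excerpt, not a real server's file
network.host: "127.0.0.1"
node.name: "node-1"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
"""


def parse_alerts(ndjson_text):
    """Return (alerts, bad_lines): one dict per well-formed line, plus a count of
    lines that do not parse (typically the line still being written)."""
    alerts, bad = [], 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return alerts, bad


def index_name(alert, prefix="wazuh-alerts-4.x-"):
    """Daily index the alert would land in. Assumption: default Filebeat template
    naming, one index per UTC day derived from the alert timestamp."""
    day = alert["timestamp"][:10].replace("-", ".")
    return prefix + day


def summarize(ndjson_text):
    """Per-index document counts and on-disk size for a chunk of alerts.json."""
    alerts, bad = parse_alerts(ndjson_text)
    per_index = Counter(index_name(a) for a in alerts)
    return {
        "documents": len(alerts),
        "bad_lines": bad,
        "bytes_on_disk": len(ndjson_text.encode("utf-8")),
        "per_index": dict(per_index),
        "max_rule_level": max((a["rule"]["level"] for a in alerts), default=0),
    }


def path_data(opensearch_yml):
    """Return the path.data value from opensearch.yml text, or None.
    Minimal `key: value` line scan, not a full YAML parser."""
    for line in opensearch_yml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")
        if sep and key.strip() == "path.data":
            return value.strip().strip("\"'")
    return None


if __name__ == "__main__":
    # On a real server, read the text from /var/ossec/logs/alerts/alerts.json and
    # /etc/wazuh-indexer/opensearch.yml instead of the constructed samples.
    print(json.dumps(summarize(SAMPLE_ALERTS_JSON), indent=2))
    print("indexer data directory:", path_data(SAMPLE_OPENSEARCH_YML))
</test>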

Nemo191 Nm

Jun 12, 2024, 8:41:31 AM
to Wazuh | Mailing List
Is the wazuh-indexer a database?

Tell me, where does the dashboard get the information it displays? From wazuh-indexer?

Tuesday, June 11, 2024 at 19:56:04 UTC+3, Federico Damian Lo Iacono:

Nemo191 Nm

Jun 12, 2024, 10:50:04 AM
to Wazuh | Mailing List
To write information to the files on the server, /var/ossec/logs/alerts/alerts.log (file log storage) and /var/ossec/logs/alerts/alerts.json, does it require buffering? If so, how is it configured on the server?

Wednesday, June 12, 2024 at 15:41:31 UTC+3, Nemo191 Nm:

Federico Damian Lo Iacono

Jun 13, 2024, 6:56:13 PM
to Wazuh | Mailing List
Wazuh Indexer is a search and analytics software. In contrast to databases, it saves the information as documents in indices, which can be split up into shards for look-up optimization and speed-up, and do not follow the record structure of conventional databases. Think of Google's search engine, which performs a similar task internally.

Wazuh Dashboard, as you pointed out, gets the information from these indices in Wazuh Indexer. By querying Wazuh Indexer for various conditions, you can filter the information you need to be displayed in the dashboards.

Finally, Wazuh Server's buffer is already implemented in the software; there is no extra setup needed.

Hope this helps!

Nemo191 Nm

Jun 17, 2024, 2:40:49 AM
to Wazuh | Mailing List
Thank you!

Friday, June 14, 2024 at 01:56:13 UTC+3, Federico Damian Lo Iacono: