Store logs on managers

Emar Flix

Apr 1, 2026, 7:42:41 AM
to Wazuh | Mailing List

Hi everyone,

My Wazuh managers and indexers are running on separate instances, and I store all logs on the indexer nodes. However, I’ve noticed that some alerts and archive logs are also being stored on the manager nodes (see photo).

I don’t want to keep these logs on the managers, as they consume significant storage. I only want to retain the most recent logs on the manager nodes. The bulk of the logs should be stored on the indexers, where sufficient storage is available.

How can I solve this problem?

Screenshot 2026-04-01 145848.png

Thanks.

rodrigo....@wazuh.com

Apr 1, 2026, 8:06:56 AM
to Wazuh | Mailing List
Hello!

What you are showing are the archive logs, which are meant to be used more as an investigation tool when you need to see everything that the manager is receiving from the agents.

If you don't see any use in that, you could simply disable them as so:
"
<ossec_config>
  <global>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
"

These logs are generated on the manager.

If you would like to keep these archive logs, we can create an automatic cron job that moves them periodically to your indexer server, would you be interested in that?

Emar Flix

Apr 1, 2026, 10:15:09 AM
to Wazuh | Mailing List
Thank you for your answer, Rodrigo

Yes, please. I want all alerts and archive logs to be stored on the Wazuh indexer servers. Since the Wazuh managers have limited storage capacity, they should only retain logs for the current day. Long-term log storage is not required on the managers, as all logs will be centralized and maintained on the indexer nodes. I don't need /var/ossec/logs/alerts or archives/2026/Mar, Apr, Feb, and so on.

rodrigo....@wazuh.com

Apr 1, 2026, 11:06:03 AM
to Wazuh | Mailing List
If you don't need the archive logs, you can just disable them as I mentioned above and they will not be generated.

If you wish to transfer certain logs from the manager server to the indexer server, you could create a crontab that periodically moves them.
Here is an example that moves every day at 0:00:
"0 0 * * * rsync -az --remove-source-files /var/ossec/logs/archives/ <user>@<indexer-ip>:/mnt/wazuh-archives/"

Just make sure to install rsync for the above crontab to work.

Since you mentioned that they should only retain logs for the current day, you could also set the <rotate_interval> setting in the ossec.conf file according to the documentation: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#rotate-interval.

So in your case you might want to configure it like this:
"<rotate_interval>1d</rotate_interval>"
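
As an added example (not part of the replies above and not Wazuh's own tooling), these shell functions narrow the rsync job from the thread to files inside the dated subdirectories (the archives/2026/Mar layout mentioned earlier) that have not been modified recently, so a file still being written is never moved. The function names list_rotated and ship_rotated, the 60-minute age threshold and the script path in the usage comment are assumptions; the destination is the placeholder from the crontab above.

```shell
#!/bin/sh
# Added example: function names and the age threshold are assumptions.

# Print files under the dated subdirectories (<root>/<year>/<month>/...)
# that have not been modified for more than MIN_AGE minutes, as paths
# relative to <root>. Files at the top level of <root> are never listed.
list_rotated() {
    root=$1
    min_age=${2:-60}
    ( cd "$root" && find . -mindepth 3 -type f -mmin "+$min_age" \
        | sed 's|^\./||' | sort )
}

# Copy the selected files to DEST, keeping the year/month layout.
# rsync removes a source file only after it has been transferred.
ship_rotated() {
    src=$1
    dest=$2
    list=$(mktemp) || return 1
    rc=0
    list_rotated "$src" > "$list" || rc=1
    if [ "$rc" -eq 0 ] && [ -s "$list" ]; then
        rsync -az --remove-source-files --files-from="$list" \
            "$src/" "$dest" || rc=$?
    fi
    rm -f "$list"
    return "$rc"
}

# Crontab usage (hypothetical script path, placeholder destination):
#   0 0 * * * . /usr/local/lib/ship-archives.sh && ship_rotated /var/ossec/logs/archives '<user>@<indexer-ip>:/mnt/wazuh-archives/'
```

A non-zero return from ship_rotated means the selection or the transfer failed and the source files are still on the manager, so the cron job's exit status is worth monitoring.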