Need Help in Retention Period


Abdul Samad

Aug 11, 2022, 9:04:33 AM8/11/22
to Wazuh mailing list
Hi, I have Wazuh version 4.2.
I have to configure the retention period for logs to 90 days.
Then I want all the logs to be archived after 90 days and sent to another location/storage.

Don't know how to achieve it, so I need a very basic guide.
Thanks.
Looking forward to your urgent response.

Alexander Bohorquez

Aug 11, 2022, 9:47:19 AM8/11/22
to Wazuh mailing list
Hello,

Thank you for using Wazuh!

When you mention logs, do you mean the alerts in the Elasticsearch indices or the alerts on your Wazuh manager?

I'll explain a little about how it works:

The alerts are stored in two locations. The first is on your Wazuh manager, in the directory /var/ossec/logs/alerts, organized by day/month/year. These alerts are not automatically rotated, and in case of a problem with Elasticsearch they can be re-indexed. This is what we call "cold storage" alerts.

On the other hand, we have the alerts already indexed in Elasticsearch. These alerts are located in indices/shards and take up space on your Elasticsearch server. These are the alerts you see in your Kibana or Wazuh UI. We call this "hot storage".

These alerts/indices can be configured to be deleted after a certain period of time with retention policies:

https://wazuh.com/blog/wazuh-index-management/

On the other hand, if you want to move data to another location, you can also use snapshots. I leave you a guide that explains the operation and configuration:

https://wazuh.com/blog/index-backup-management/

I hope this information helps. Please let me know if you have any other questions. 
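Since the cold-storage files under /var/ossec/logs/alerts are not rotated by the manager, the 90-day archive step for that location has to be scripted. The following is an added example, not code from the thread or from the Wazuh project; it assumes the default layout `YYYY/Mon/ossec-alerts-DD.json(.gz|.sum)` and derives each file's day from its path rather than from mtime, so that earlier copies or restores do not skew the retention calculation.

```python
"""Move Wazuh cold-storage alert files older than a retention window to an archive location."""
import re
import shutil
from datetime import date, datetime, timedelta
from pathlib import Path
from typing import List, Optional

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# Assumed file names: ossec-alerts-DD.json / .log, optionally .gz, plus the .sum integrity files.
# The .sum files are moved together with their data so the archive stays verifiable.
FILE_RE = re.compile(r"^ossec-alerts-(\d{2})\.(?:json|log)(?:\.gz)?(?:\.sum)?$")


def alert_file_date(path: Path) -> Optional[date]:
    """Derive the alert day from .../YYYY/Mon/ossec-alerts-DD.*; None if not an alert file."""
    m = FILE_RE.match(path.name)
    month = MONTHS.get(path.parent.name)
    year = path.parent.parent.name
    if not (m and month and year.isdigit()):
        return None
    try:
        return date(int(year), month, int(m.group(1)))
    except ValueError:  # e.g. a Feb 30 entry in a malformed tree
        return None


def find_expired(root: Path, retention_days: int, today: date) -> List[Path]:
    """List alert files whose day is older than the retention window (default: 90 days)."""
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for p in root.rglob("ossec-alerts-*"):
        d = alert_file_date(p)
        if p.is_file() and d is not None and d < cutoff:
            expired.append(p)
    return sorted(expired)


def archive_expired(root: Path, dest: Path, retention_days: int = 90,
                    today: Optional[date] = None) -> List[Path]:
    """Move expired files to dest, keeping the YYYY/Mon layout; returns the new paths."""
    today = today or datetime.now().date()
    moved = []
    for src in find_expired(root, retention_days, today):
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(target))
        moved.append(target)
    return moved
```

Run it from cron as a user that can read the manager's alert tree, e.g. `archive_expired(Path("/var/ossec/logs/alerts"), Path("/mnt/archive/wazuh-alerts"))`, where the archive mount is an assumed destination.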