Wazuh Manager, Index and Worker Data Persistence

[kanaka raju]

Hello Team,

I have wazuh deployed on Kubernetes Cluster on AWS EKS. And it has the below components deployed with persistence storage enabled.

1. wazuh-manager-master
2. Wazuh Indexer
3. Wazuh Worker.

Post one week of deployment we found out that the PV Attached to these pods are getting 100% filled. So, is there a mechanism to delete certain files in clean up the storage.

Are there certain files which be moved to S3 or be deleted in the above deployments ???

Thanks and Regards.

[elw...@wazuh.com]

Hello Kanaka,

You can define an ILM policy that would delete the indices after an X number of days as explained here https://wazuh.com/blog/wazuh-index-management/ (Wazuh indexer/dashboard) moreover you can define a cron job that would delete the alerts files (Wazuh manager) as an example 45 0 * * * find /var/ossec/logs/alerts/ -name "*.gz" -type f -mtime +90 -exec rm -f {} \; (Make sure to change the path to match where they are located in your case).

I hope this helps.

Regards,
Wali

[kanaka raju]

Hello Ewali, 

Thanks for the reply, also what about the volume mount added in the wazuh worker pods are there something which we take a backup of?

[kanaka raju]

Also, in addition to this these are the files present in the indexer pods, can these be deleted??

[kanaka raju]

Hello, Any Update on this issue??

[elw...@wazuh.com]

Hello Kanaka,

The mentioned files present in the indexer can not be deleted manually and you should use the Wazuh indexer API to perform the deletion of the indices from the Wazuh Dashboard:



The above will delete all indices of August 2022.

Regarding the files to backup from Wazuh manager(master or worker) are mentioned here https://documentation.wazuh.com/current/user-manual/files-backup/creating/wazuh-central-components.html#backing-up-the-wazuh-server.

I hope it helps.

Regards,
Wali