having /var/ossec on separate partition other than root


wazuh

Jan 31, 2025, 4:30:04 AM
to Wazuh | Mailing List
Hi, I'd like to have the Wazuh manager on a different partition from the root disk. I've had /var/lib/wazuh-indexer mounted on another partition, however I also needed to change the configuration so it points to the new location.

I was wondering, with wazuh-manager, what configuration, if any, would need to be updated if I were to mount /var/ossec/* to another directory/partition? The reason is the ever-growing /var/ossec/queue and /var/ossec/logs directories as more agents are added.

Stuti Gupta

Jan 31, 2025, 6:19:45 AM
to Wazuh | Mailing List
Hi Team!

Changing the default paths is not recommended. To solve the storage issue, you can refer to the following solutions:

By default, the Wazuh server retains logs and does not delete them automatically. However, you can choose when to manually or automatically delete these logs according to your legal and regulatory requirements. To apply a deletion of alerts and archives older than 7 days, run crontab -e (as root) and then paste the following text:
0 0 * * mon find /var/ossec/logs/alerts/alerts.json -type f -mtime +7 -exec rm -f {} \;
0 0 * * mon find /var/ossec/logs/archives/ -type f -mtime +7 -exec rm -f {} \;

This will execute the tasks every day at 00:01 am for Crontab to delete files in alerts/archives older than 7 days. Bear in mind that archive files could be really big.
You can also take snapshots of the indices that automatically back up your Wazuh indices in local or Cloud-based storage and restore them at any given time. To do so, please refer to https://wazuh.com/blog/index-backup-management and https://wazuh.com/blog/wazuh-index-management/
In case you have an all-in-one deployment, then please delete indices and apply the other solutions as well:
 
Delete the indices manually
It is necessary to delete old indices if they are of no use. First, check which indices are stored in the environment; the following API call can help:
GET _cat/indices
Then, it is necessary to delete the indices that are not needed or are older. Bear in mind that these cannot be retrieved unless there are backups of the data, either using snapshots or Wazuh alerts backups.
The API call to delete indices is:
DELETE <index_name>
Or CLI command
# curl -k -u admin:admin -XDELETE https://<WAZUH_INDEXER_IP>:9200/wazuh-alerts-4.x-YYYY.MM.DD
You can use wildcards (*) to delete more indices in one query.

Index management policies:
You can create an ILM policy for 90 days or 1 year. You can follow the steps mentioned in this document https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html. You can also take snapshots of the indices that automatically back up your Wazuh indices in local or Cloud-based storage and restore them at any given time. 

Fine-tune rules:

The Wazuh indexer node should have a minimum of 4GB RAM and 2 CPU cores, but it's recommended to have 16GB RAM and 8 CPU cores. The amount of data depends on the generated alerts per second (APS). If the usage is higher, we recommend examining the agent log or syslog to pinpoint the specific events or event types contributing to the high log volume. Analyzing these logs facilitates the detection of anomalies or patterns; use this information to fine-tune Wazuh rules and filters to focus on the most relevant events and reduce false positives. https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Additionally, you can add a manager worker node. You can upscale your environment by adding a worker node. For that, you can refer to https://documentation.wazuh.com/current/user-manual/upscaling/index.html.

Deleting agents 
The /var/ossec/queue/db/ directory contains databases with information for different agents. It can use too much space because there are some dangling agents which are not connected anymore but whose databases are left behind.

We recommend removing those old agents if that’s the case. You can do this using the API Console:

On your dashboard, click on the Wazuh drop-down menu, go to Server Management and select Dev Tools. Enter the following request and execute it:
DELETE /agents?status=disconnected,never_connected&agents_list=all&older_than=30d
This request will delete all the agents that have been disconnected or never connected for more than 30 days and their databases. You can change the age if needed.
Refer to https://documentation.wazuh.com/current/user-manual/agent/agent-management/remove-agents/restful-api-remove.html

Let me know if you need any further assistance!
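As an added example (not code from the thread or from Wazuh), the alerts/archives retention above written as a POSIX shell function with a dry-run mode and a file-count check; it assumes the default /var/ossec/logs layout, and OSSEC_LOGS is an assumed override so the function can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: prune rotated Wazuh alert/archive files
# older than N days. Assumes the default /var/ossec/logs layout; OSSEC_LOGS is
# an assumed override so the function can be tested on a scratch directory.
OSSEC_LOGS="${OSSEC_LOGS:-/var/ossec/logs}"

# Print the number of regular files under $1 whose mtime is older than $2 days.
count_old_files() {
    find "$1" -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# prune_wazuh_logs DAYS [DRY_RUN]
# Removes files older than DAYS (default 7) from the alerts/ and archives/
# trees. With DRY_RUN=1 it only lists the candidates. Returns non-zero if
# neither directory exists, so a mistyped OSSEC_LOGS does not pass silently.
prune_wazuh_logs() {
    days="${1:-7}"
    dry_run="${2:-0}"
    found=0
    for dir in "$OSSEC_LOGS/alerts" "$OSSEC_LOGS/archives"; do
        [ -d "$dir" ] || continue
        found=1
        if [ "$dry_run" = "1" ]; then
            find "$dir" -type f -mtime +"$days" -print
        else
            # The semicolon must be escaped (\;) so the shell hands it to find
            # instead of treating it as the end of the command line.
            find "$dir" -type f -mtime +"$days" -exec rm -f {} \;
        fi
    done
    [ "$found" = "1" ]
}

# Weekly cron entry (Monday 00:00) calling this script from an assumed path:
# 0 0 * * mon /usr/local/sbin/prune_wazuh_logs.sh 7
```

Run it once with DRY_RUN=1 first and compare the listed files with count_old_files before letting cron delete anything.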

wazuh

Jan 31, 2025, 7:43:14 AM
to Wazuh | Mailing List
Thank you for the cron jobs, but I don't want to change the name of /var/ossec; I just want to change the partition so it's easier to scale the disk size without affecting the root disk. Would having /var/ossec not on the root disk have any implications?

Stuti Gupta

Feb 7, 2025, 6:49:01 AM
to Wazuh | Mailing List
This is not easy and not recommended. You can either increase the root disk size or add another worker manager node as suggested before: https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/adding-new-server-nodes/index.html


Let me know if you need any further assistance!
