Wazuh storage volume mounts

[Steven Paugh]

Hello Team,

We are re-building our wazuh cluster and were wondering if someone could help us with the following:

We want to use static disk sizing for the Wazuh host OS, but have all of wazuh's log, config, etc storage built on a mounted drive that can grow as needed with our current retention requirements. 

We are looking for a list across the wazuh dashboard, indexer, and worker/master nodes for the directories that need mounted with the scalable drive.

I believe them to be: 

manager master - /var/ossec
manager worker - /var/ossec
indexer - /etc/wazuh-indexer
dashboard - possibly n/a

Thank you for the help!

[Natalia Castillo]

Hi Steven!

Thank you for your patience and interest in wazuh.

Once you have installed all the wazuh components, you can easily move all logs, alerts, configuration to a mounted disk as you wish. Here are some guides where you can change the location of these logs/files so that everything works correctly.

• Modify wazuh log storage path
• Sending logs files to other partition and being able to see the logs
  

And you are right. The directories are the listed below:

• manager master/workers --> /var/ossec
• indexer --> /etc/wazuh-indexer
  
• dashboard --> /etc/wazuh-dashboard

Here's also the installation guide and the documentation in case you need anything else: https://documentation.wazuh.com/current/installation-guide/index.html

Hope this helps!
If you have any further question, don't hesitate to ask.

Regards.

[Natalia Castillo]

Hi again!

I would like to add to indexer, the path where the indexes are stored (path.logs). This is very important to take into account, as well as the path.data because it can grow a lot depending on the retention period you need or how much you index.

You can find this paths in:

• path.data: /var/lib/wazuh-indexer
• path.logs: /var/log/wazuh-indexer

and the paths are defined here:/etc/wazuh-indexer/opensearch.yml  

Regards.

[Steven Paugh]

Thank you Natalia!

With the indexer data, is it possible to transfer old log data from one wazuh cluster to another? Assuming it is as long as the indexes are named the same thing, but unsure.

Thank you for all the help here!

Steven Paugh

Security Engineer, CISSP

PlexTrac, Inc.

Phone: (208) 274-5322

www.plextrac.com

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/QNPekh_eNRY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a3f90bc6-50bd-40db-9428-2fdbd1494034n%40googlegroups.com.

[Natalia Castillo]

Hi Steven!

Yes, it is possible to transfer old data from the indexer, but the procedure will depend on the version and architecture of the environment. Here's a guide that might be helpful: https://wazuh.com/blog/recover-your-data-using-wazuh-alert-backups/

if you have the backups of the alerts in the Wazuh manager, reinject them as shown in the guide. 

If there's anything else I can help you with, don't hesitate to ask.

[Steven Paugh]

Hi Natalia,

Sorry to revive this from the dead! Which location for indexers will store the actual log data? Is it:

• path.data: /var/lib/wazuh-indexer
• path.logs: /var/log/wazuh-indexer Or somewhere in /etc/wazuh-indexer ?
  

Thank you,

-Steven