How to apply log archiving but still hold 15 months of data in the SIEM


Operation Consultant

Apr 19, 2022, 12:13:47 PM
to Wazuh mailing list
How do I apply log archiving while still holding 15 months of data in the SIEM?

Andrew A

Apr 19, 2022, 5:16:09 PM
to Wazuh mailing list

Not with Wazuh, but I'd recommend running a cron job for the local alerts:

0 1 * * * find /var/ossec/logs/alerts/2022/* -mtime +1 -exec rm -f {} \;

This will delete all your alerts that are older than 1 day. Adjust mtime as needed. 

Then configure an index policy:


You could set the min_index_age to your 15 months as needed instead of the 365d as per the example. 

Andrew A

Apr 19, 2022, 5:17:00 PM
to Wazuh mailing list
A good way I've seen to archive logs long term is to use S3 Glacier. Deep Archive is super inexpensive.

Operation Consultant

Apr 20, 2022, 12:44:47 AM
to Wazuh mailing list
If we upload logs into S3, then how do we view them from tools without downloading the logs?

Andrew A

Apr 20, 2022, 8:12:50 AM
to Wazuh mailing list
You don't, until you want to. S3 Glacier isn't for quick viewing. It's for cheap long-term storage.

Just set the index management to delete indexes after 15 months as per above. Make sure you have enough storage, though. The docs call for 200 GB of storage for around 100 endpoints for 90 days. If you have 100 endpoints, you're going to want about 1.2 TB of storage.

Andrew A

Apr 20, 2022, 8:14:34 AM
to Wazuh mailing list
Most folks don't need to view events from 15 months ago, though, unless something happens where they have to do a deep dive. Then you would just restore the data from S3.

Just depends on how much money you have to spend.
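An added example that is not from any post in this thread: it combines the cron-job idea and the S3 Glacier suggestion above into an archive-then-delete routine, so alerts older than the local window are compressed and verified before the original is removed, rather than deleted outright. The paths, the 30-day window, the staging directory and the bucket name are assumptions; `aws s3 sync --storage-class DEEP_ARCHIVE` is the real AWS CLI option for pushing the staged copies to Deep Archive.

```shell
#!/bin/sh
# archive_old_alerts SRC_DIR STAGE_DIR DAYS
# Compresses every regular file under SRC_DIR whose mtime is older than
# DAYS days into STAGE_DIR (mirroring the relative path) and removes the
# original only after the gzip copy passes an integrity test. Prints the
# number of files archived on stdout; returns non-zero if any file failed.
archive_old_alerts() {
    src="$1"; stage="$2"; days="$3"
    count=0; failed=0
    list=$(mktemp)
    # Candidate list written to a temp file so the loop below runs in the
    # current shell and the counters survive (a pipe would fork a subshell).
    find "$src" -type f ! -name '*.gz' -mtime +"$days" > "$list"
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        dest="$stage/$rel.gz"
        mkdir -p "$(dirname "$dest")"
        # Write the compressed copy, verify it decompresses cleanly, and
        # only then delete the source. On failure the original stays put.
        if gzip -c "$f" > "$dest" && gzip -t "$dest"; then
            rm -f "$f"
            count=$((count + 1))
        else
            rm -f "$dest"
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$count"
    [ "$failed" -eq 0 ]
}

# Assumed nightly cron entry (01:00): stage alerts older than 30 days, then
# push the staging directory to Glacier Deep Archive. Bucket is a placeholder.
# 0 1 * * * /usr/local/bin/archive_alerts.sh
#
# archive_old_alerts /var/ossec/logs/alerts /var/ossec/archive 30 \
#   && aws s3 sync /var/ossec/archive s3://EXAMPLE-BUCKET/wazuh-alerts \
#        --storage-class DEEP_ARCHIVE
```

Restoring for a deep dive is then the reverse: pull the needed day's .gz from the bucket, decompress, and re-index or grep it locally.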
