Sending log files to NAS


Matt Colucci

Feb 14, 2022, 9:26:35 AM
to Wazuh mailing list
Hello all! Does anyone know how I would go about offloading all Wazuh/Elasticsearch logs to an external NAS? I'm in need of disk space on my server and have a QNAP NAS device that is not being used for anything. Is it as simple as changing the ossec.conf file to point to my NAS IP address?

Damian Nicastro

Feb 14, 2022, 12:24:15 PM
to Wazuh mailing list
Hi @mcol:
I hope you are fine.
For moving Wazuh logs, you can simply set up a cronjob like the following:
# crontab -e
0 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +90 -exec mv -f {} /path/to/NAS \;
0 0 * * * find /var/ossec/logs/archives/ -type f -mtime +90 -exec mv -f {} /path/to/NAS \;

This will run at 00 hs every day to move all "alerts" and "archives" logs older than 90 days to your NAS. 
For Elasticsearch, the recommendation is to set up Lifecycle policies in order to move your data to a different phase, reducing the header size, and to remove older data.
For detailed information about this configuration, please visit:
Please note that the first part of the document is devoted to the Elasticsearch Basic License config and the second one to Opendistro.
I hope this helps.
Thanks

Damian Nicastro

Feb 14, 2022, 3:48:02 PM
to Wazuh mailing list
Hi @mcol:
I am sorry. We need to modify the crontab I sent you before. This "mv" does not maintain the directory structure of Wazuh, so it will overwrite the previously moved file every time it is executed. We will need to use "cp -r" to copy recursively and then an "rm" to clean out the files. Please let me test that and I will send the proper config to you as soon as possible.
Thanks

Matt Colucci

Feb 14, 2022, 3:54:49 PM
to Wazuh mailing list
Hi Damian! Thank you very much for the cron command. I have not tried it out yet on my SIEM so I will wait for the updated command from you. Thank you again!

Damian Nicastro

Feb 15, 2022, 1:38:49 PM
to Wazuh mailing list
Hi @mcol:
Thanks for your patience.
I was testing a bit and you could set up a cronjob like this for Wazuh "alerts" and "archives":
# crontab -e
0 0 * * * find /var/ossec/logs/alerts/ -type d -mtime +90 -regex '/var/ossec/logs/alerts/[0-9]+' -exec cp -rp {} /path/to/NAS/ \; -exec rm -rf {} \;
0 0 * * * find /var/ossec/logs/archives/ -type d -mtime +90 -regex '/var/ossec/logs/archives/[0-9]+' -exec cp -rp {} /path/to/NAS/ \; -exec rm -rf {} \;

Please, before running this, ensure that the proper files were copied to the NAS, because the "rm" command will remove any file older than 90 days from the Wazuh manager.
I hope this helps.
Thanks

Matt Colucci

Mar 21, 2022, 1:48:59 PM
to Wazuh mailing list
Hi Damian! Thanks so much for the cron command and all your help!