How to delete old logs to free up space?
8,881 views
Skip to first unread message
Enekupe Lelevaga
Sep 13, 2022, 4:12:48 PM9/13/22
to Wazuh mailing list
Tomas Sarquis
Sep 13, 2022, 4:39:03 PM9/13/22
to Wazuh mailing list
Hello @enetupevaga!
You may be interested in Wazuh's rotation functionality.
You may be interested in Wazuh's rotation functionality.
We have a daemon called monitord which, among other things, is in charge of rotating (and compressing) files.
When rotation is enabled and the current log file reachs some max size or is old enough, monitord creates a new file for storing new upcoming log data. The old (rotated) log file is renamed as shown below:
- /var/ossec/logs/wazuh/<YEAR>/<MONTH>: Rotated files ossec.log
- /var/ossec/logs/alerts/<YEAR>/<MONTH>: Rotated files alerts.log|json
- /var/ossec/logs/archives/<YEAR>/<MONTH>: Rotated files archives.log|json
- /var/ossec/logs/api/<YEAR>/<MONTH>: Rotated files api.log
- /var/ossec/logs/cluster/<YEAR>/<MONTH>: Rotated files cluster.log
- /var/ossec/logs/firewall/<YEAR>/<MONTH>: Rotated files firewall.log
Monitord main configuration
There are 4 setting related to logs rotations that you can configure in the /var/ossec/etc/local_internal_options.conf file:
There are 4 setting related to logs rotations that you can configure in the /var/ossec/etc/local_internal_options.conf file:
- monitord.rotate_log: This setting enables log rotation, it is enabled by default.
- monitord.size_rotate: With this setting you can configure the maximum size of the file to trigger rotation, it is set to 512MB by default.
- monitord.daily_rotations: With this setting you can configure the maximum number of rotations per day, it is set to 12 by default.
- monitord.keep_log_days: With this setting you can configure the number of days to store the rotated logs before delete them, by default it is 31 days.
For complete information: Documentation
Let me know if I can help you with any other thing.
On Tuesday, September 13, 2022 at 5:12:48 PM UTC-3 enetu...@gmail.com wrote:
Tomas Sarquis
Sep 13, 2022, 4:40:24 PM9/13/22
to Wazuh mailing list
One last thing: if you need help with crontab, let me know.
Enekupe Lelevaga
Sep 13, 2022, 4:52:37 PM9/13/22
to Tomas Sarquis, Wazuh mailing list
YEs please,
need help with crontab
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d095455f-5445-44ac-9b9c-478b6b9f3abbn%40googlegroups.com.
Tomas Sarquis
Sep 14, 2022, 7:11:05 AM9/14/22
to Wazuh mailing list
For example, to apply a deletion of alerts and archives older than 7 days, then run crontab -e (as root) then paste next piece of text:
0 0 * * mon find /var/ossec/logs/alerts/ -type f -mtime +7 -exec rm -f {} ;
0 0 * * mon find /var/ossec/logs/alerts/ -type f -mtime +7 -exec rm -f {} ;
0 0 * * mon find /var/ossec/logs/archives/ -type f -mtime +7 -exec rm -f {} ;
Bhaskar Patel
Oct 3, 2022, 5:18:28 AM10/3/22
to Wazuh mailing list
thank you in advance...
Is there any has checked this or already using please inform me this will help me a lot "I need to enable 2fector on the wazuh indexer console is it possible?"
Thanks,
Bhaskar Patel
Reply all
Reply to author
Forward
0 new messages