Sending logs files to other partition and being able to see the logs

[Daniel Vidaurri]

Hi! I had a problem with storage and I mounted another disk in my wazuh server, I know that I can send the files to another path with cronjobs and configuring it to send logs automatically every 30 or 90 days, but I want to know if its possible to see the logs in my wazuh dashboard.

Also I was searching doing this with index management, with cold and hot storage but I can't find anything about configuring the path where I wan to storage the cold files. 

If anyone can help I will appreciate it. 

I'm using wazuh app 4.3.3.

Thanks

[Miguel Angel Fernandez Torralbo]

Hello! You can't use a partition in the same node to host hot and cold storage, though you could add another node, one for hot storage and the other for cold storage. 

There's a blog post that explains how to use Wazuh indexer management.

• https://wazuh.com/blog/wazuh-index-management/

[Daniel Vidaurri]

Hello Miguel, thanks for the response. I'm searching about add another node in my server, I have an all-in-one deployment and I saw that I can add workers nodes in the ossec.conf, but I don't know if it's possible add workers nodes in the same server, can you help me with this?

Thanks

[Miguel Angel Fernandez Torralbo]

Hi! 

1.The manager stores all the alerts in /var/ossec/logs/alerts. This data is compressed and could be considered cold, but they are not easy to visualize if you delete them from the indexer. They have to be ingested, if you have storage problems you could try this:

• Delete them, they are already indexed.
• Move them to a partition using a cronjob
• Mount the directory /var/ossec as a symbolic link to the path /data/your-partition . Everything should be working in the same way.

2. Elasticsearch data:

You need to think about what do you need. Let's say you need all the data accesible from the dashboard. Then, you may consider adding a new node storing all the cold data.

• Cold storage: It is the data containing the output generated by Wazuh, such as alerts or archives
• Hot storage: It is the data available on the Wazuh WUI corresponding to the information indexed by Wazuh. This information is available as soon as Wazuh ingests and indexes the events sent by the agents, making the data searchable and analyzable.

Maybe you can create snapshots, to restore the snapshots you need an API call and you will be able to see the data again.