Help Seeking Post


WENWEN H

Jan 16, 2026, 4:27:35 AM
to Wazuh | Mailing List
Attachment: delete_index.png
Hello everyone, I have two questions that I would like to ask you.
The first issue I encountered is that I noticed there were some omissions in the WAF logs received from AWS WAF that I saw on Wazuh. I discovered this by comparing the original logs of AWS WAF with the logs on Wazuh. I checked and found that the manager server's transmission log would spike suddenly, but the CPU value didn't reach 100% immediately.
The second question is: Can I directly remove certain indexes in the diagram to free up some disk space?

Parash Mani Kafle

Jan 16, 2026, 5:21:00 AM
to Wazuh | Mailing List

The Wazuh Wodle runs at specific intervals, which could be contributing to the observed spikes. Please verify if the interval defined in the ossec.conf for the AWS S3 Wodle for the WAF aligns with the spikes in the transmission log.
Example configuration for the AWS S3 wodle:
<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>

  <skip_on_error>yes</skip_on_error>
  <bucket type="waf">
    <name><WAZUH_AWS_BUCKET></name>
    <path>waf</path>                   <!-- PUT THE S3 BUCKET PREFIX IF THE LOGS ARE NOT STORED IN THE BUCKET'S ROOT PATH -->
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

Regarding the log truncation, this is likely due to the default order size defined on the Wazuh manager for the JSON logs. By default, it extracts only 256 fields per event. If the logs are larger (more than 256 fields in the JSON), you can increase the limit by setting analysisd.decoder_order_size to 512 or 1024 in the file given below:

/var/ossec/etc/local_internal_options.conf

Yes, the correct way is to delete the indices from the dashboard, as you have shared in the attached screenshots. Additionally, you can configure a Wazuh retention policy to delete the logs automatically after the number of days x has been reached.
For more information, please visit the URLs given below:
https://documentation.wazuh.com/current/cloud-security/amazon/services/supported-services/waf.html
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer-cluster/index-lifecycle-management.html
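
An added example, not part of the original reply and not Wazuh's own code: a Python check that counts the leaf fields in each raw AWS WAF log line, to see whether events exceed the 256-field default mentioned in the reply before raising analysisd.decoder_order_size. It assumes every nested key and every array element counts as one field, which approximates the manager's JSON decoder rather than reproducing it; the function names and the sample events are constructed for the demo.

```python
import json

DEFAULT_ORDER_SIZE = 256  # default field limit quoted in the reply above


def flatten(value, prefix=""):
    """Yield one dotted path per leaf value of a parsed JSON document."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten(child, f"{prefix}[{index}]")
    else:
        yield prefix


def count_fields(line):
    """Count leaf fields in one JSON log line (assumed counting rule)."""
    return sum(1 for _ in flatten(json.loads(line)))


def audit(lines, limit=DEFAULT_ORDER_SIZE):
    """Return ([(line_no, field_count)] over the limit, [malformed line_no])."""
    over, malformed = [], []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines are not events
        try:
            count = count_fields(line)
        except json.JSONDecodeError:
            malformed.append(number)
            continue
        if count > limit:
            over.append((number, count))
    return over, malformed


def sample_event(header_count):
    """Constructed AWS WAF-style event for the demo, not a real log line."""
    headers = [{"name": f"x-h{i}", "value": "v"} for i in range(header_count)]
    request = {"clientIp": "192.0.2.10", "uri": "/", "headers": headers}
    return json.dumps({"timestamp": 1768537655000, "action": "BLOCK",
                       "httpRequest": request})


if __name__ == "__main__":
    demo = [sample_event(10), "{not json", sample_event(130)]
    print(audit(demo))  # → ([(3, 264)], [2])
```

To use it on real data, pass the lines of a raw WAF log file downloaded from the S3 bucket to audit() and compare the reported counts with the configured limit.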