How to compress archives.log in WAZUH after 30 days of saving?

Adam Nowak
Oct 30, 2024, 5:51:00 AM
to Wazuh | Mailing List
How to compress archives.log in WAZUH after 30 days of saving?

Default compression after 90 days is too long.

Is it possible to do this with the WAZUH-Dashboard?

If so, please give me instructions.

[Attachment: WAZUH_RETENSION_Zrzut ekranu 2024-10-30 104918.jpg (screenshot)]

Gerardo David Caceres Fleitas
Oct 30, 2024, 6:23:06 AM
to Wazuh | Mailing List
Hello Adam,

As you may know, if we enable the <logall_json> option in ossec.conf, the raw logs in JSON format will be located in the following path:

/var/ossec/logs/archives/archives.json

The same thing occurs with the <logall> option, but the logs will be saved in a human-readable format.

Using logall is helpful for troubleshooting purposes, but it is recommended to disable it when it is no longer needed, or instead to remove the old logs for better use of storage.

The following command will delete the archive files older than 15 days; you can customize it to your needs for compression and automate it with a cron job.
find /var/ossec/logs/archives/2024/ -type f -mtime +15 -exec rm -f {} \;

Remember that the logs that are being received by the manager, processed by a decoder, and matched by a rule will be shown as an alert in the Dashboard; those processed logs are located in the following path:

/var/ossec/logs/alerts/alerts.json

[Attachments: Wazuh's data flow diagram.gif, Event sample vs alert.png]


Reference:
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html 

I hope this helps.

Gerardo Caceres Fleitas.
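The find command in the reply above only deletes; the question was about compressing after 30 days. The script below is an added example, not code from the thread or from Wazuh: it gzips rotated archive files older than one threshold, removes files older than a second one, has a dry-run mode for the first cron run, and never touches the live files at the top of the archives directory. It assumes the layout the reply shows (dated subdirectories under /var/ossec/logs/archives/, such as 2024/), thresholds of 30 and 90 days, and GNU find, touch and gzip; the sample tree it builds is constructed here as a stand-in for a manager, and the cron path in the comment is assumed. If your manager already gzips on rotation, the gzip step simply finds nothing to do.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: age-based compression and deletion of the
# rotated Wazuh archive files. Assumptions: rotated files live in dated
# subdirectories under /var/ossec/logs/archives/ (the 2024/ directory in the reply),
# thresholds of 30 days (gzip) and 90 days (delete), GNU find/touch/gzip.
set -euo pipefail

# rotate_archives DIR COMPRESS_DAYS DELETE_DAYS [DRY_RUN]
#   1. delete every file in the dated subdirectories older than DELETE_DAYS
#   2. gzip every remaining uncompressed file older than COMPRESS_DAYS
# -mindepth 2 keeps the live archives.json / archives.log at the top level out of
# reach, so a typo in the thresholds cannot remove the file the manager writes to.
# Deletion runs first so a file past both thresholds is not gzipped and then removed.
# DRY_RUN=1 only lists what would happen; use it the first time from cron.
rotate_archives() {
    local dir=$1 compress_days=$2 delete_days=$3 dry_run=${4:-0}
    [ -d "$dir" ] || { echo "rotate_archives: no such directory: $dir" >&2; return 1; }
    if [ "$dry_run" = 1 ]; then
        find "$dir" -mindepth 2 -type f -mtime "+$delete_days" -print | sed 's/^/would delete: /'
        find "$dir" -mindepth 2 -type f ! -name '*.gz' -mtime "+$compress_days" -print | sed 's/^/would gzip: /'
        return 0
    fi
    find "$dir" -mindepth 2 -type f -mtime "+$delete_days" -exec rm -f {} +
    # gzip keeps the original mtime on the .gz, so the delete step still sees the true age later.
    find "$dir" -mindepth 2 -type f ! -name '*.gz' -mtime "+$compress_days" -exec gzip -9 {} +
}

# age_file PATH DAYS: create an empty file whose mtime is DAYS days in the past (GNU touch).
age_file() {
    : > "$1"
    touch -d "@$(( $(date +%s) - $2 * 86400 ))" "$1"
}

# make_sample_tree DIR: constructed stand-in for /var/ossec/logs/archives with files
# of several ages, used here instead of a real manager.
make_sample_tree() {
    mkdir -p "$1/2024/Oct"
    age_file "$1/archives.json" 200                      # live file: must never be touched
    age_file "$1/2024/Oct/ossec-archive-01.json" 100     # past the delete threshold
    age_file "$1/2024/Oct/ossec-archive-10.json.gz" 100  # already compressed, past delete
    age_file "$1/2024/Oct/ossec-archive-20.json" 40      # past the compress threshold only
    age_file "$1/2024/Oct/ossec-archive-25.json" 10      # recent: untouched
}

# Stand-alone run against the constructed tree. On a manager you would instead run
#   rotate_archives /var/ossec/logs/archives 30 90
# from a root cron entry such as (assumed path):
#   0 2 * * * /usr/local/sbin/rotate-wazuh-archives.sh
if [ "${ROTATE_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    rotate_archives "$demo" 30 90 1   # dry run first: lists 01.json, 10.json.gz, 20.json
    rotate_archives "$demo" 30 90
    find "$demo" -type f | sort       # archives.json, 20.json.gz, 25.json remain
    rm -rf "$demo"
fi
```

Run it once with the dry-run flag from the cron wrapper and compare the listing against what you expect before removing the flag; the `-mindepth 2` guard is what makes a wrong threshold a storage problem rather than a lost-live-log problem.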

Adam Nowak
Oct 31, 2024, 10:42:03 AM
to Wazuh | Mailing List
Is my script correct for adjusting the index policy so that alerts.log files are kept for 31 days until rolled over and then deleted after 732d (i.e. 2 years)? WAZUH-Dashboard >> Indexer management >> State management policies >> create policy

{
  "policy": {
    "policy_id": "wazuh-alert-retention-policy",
    "description": "Wazuh alerts retention policy with rollover and 2-year retention",
    "last_updated_time": 1730384732979,
    "schema_version": 21,
    "error_notification": null,
    "default_state": "hot",
    "states": [
      {
        "name": "hot",
        "actions": [
          {
            "retry": { "count": 3, "backoff": "exponential", "delay": "1m" },
            "rollover": { "min_index_age": "31d", "copy_alias": false }
          }
        ],
        "transitions": [
          { "state_name": "cold", "conditions": { "min_index_age": "31d" } }
        ]
      },
      {
        "name": "cold",
        "actions": [],
        "transitions": [
          { "state_name": "delete", "conditions": { "min_index_age": "732d" } }
        ]
      },
      {
        "name": "delete",
        "actions": [
          {
            "retry": { "count": 3, "backoff": "exponential", "delay": "1m" },
            "delete": {}
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [ "wazuh-alerts-*" ],
        "priority": 1,
        "last_updated_time": 1730384732979
      }
    ]
  }
}

Gerardo David Caceres Fleitas
Nov 5, 2024, 6:38:52 AM
to Wazuh | Mailing List
Hello Adam, 

Your policy for the indexer seems to be okay. If you want to test it, I suggest using the same states but for a short period of time, like 1 or 2 days. You could also consider a testing environment for this. Also, remember to create the cron job for the archives.json file on the manager.

Reference:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html 

Have a great day,

Gerardo Caceres Fleitas.
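The suggestion above is to trial the policy with ages of 1 or 2 days. The script below is an added example, not code from the thread, from Wazuh or from OpenSearch: it derives a short-lived copy of the posted policy, installs it through the indexer's ISM API instead of the dashboard, attaches it to existing indices (the ism_template only picks up indices created after the policy exists) and reads back ISM's view of each index. It assumes the indexer at $INDEXER_URL (default https://localhost:9200), credentials in $INDEXER_USER / $INDEXER_PASS, and the ISM plugin endpoints _plugins/_ism/policies, add, explain and retry; the embedded policy is a constructed compact copy of the one posted above, minus the server-set fields. One caveat from my side, not from the thread: ISM's rollover action needs the managed index to sit behind a write alias named in the index setting index.plugins.index_state_management.rollover_alias. On the default daily wazuh-alerts-* indices, which have no such alias, that step fails and explain shows "failed": true until the action is removed or the alias added, which is one more reason to run the trial on a throwaway index first.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: drive the OpenSearch ISM API on the Wazuh
# indexer to (a) derive a short-lived copy of the posted retention policy,
# (b) install a policy, (c) attach it to existing indices and (d) read back what
# ISM is doing with them. Assumptions: indexer at $INDEXER_URL, credentials in
# $INDEXER_USER / $INDEXER_PASS, ISM endpoints _plugins/_ism/{policies,add,explain,retry}.
set -euo pipefail

INDEXER_URL=${INDEXER_URL:-https://localhost:9200}

# ism_call METHOD PATH [JSON]: one authenticated request. -k because the indexer's
# default certificate is self-signed; use --cacert with your root CA in production.
ism_call() {
    local method=$1 path=$2 body=${3:-}
    local auth="${INDEXER_USER:-admin}:${INDEXER_PASS:?INDEXER_PASS not set}"
    if [ -n "$body" ]; then
        curl -sS -k -u "$auth" -X "$method" "$INDEXER_URL$path" \
             -H 'Content-Type: application/json' --data-binary "$body"
    else
        curl -sS -k -u "$auth" -X "$method" "$INDEXER_URL$path"
    fi
}

# Constructed compact copy of the policy posted above (same states and ages);
# last_updated_time and schema_version are omitted because ISM fills them in.
PROD_POLICY='{
  "policy": {
    "description": "Wazuh alerts retention policy with rollover and 2-year retention",
    "default_state": "hot",
    "states": [
      { "name": "hot",
        "actions": [ { "retry": { "count": 3, "backoff": "exponential", "delay": "1m" },
                       "rollover": { "min_index_age": "31d", "copy_alias": false } } ],
        "transitions": [ { "state_name": "cold", "conditions": { "min_index_age": "31d" } } ] },
      { "name": "cold", "actions": [],
        "transitions": [ { "state_name": "delete", "conditions": { "min_index_age": "732d" } } ] },
      { "name": "delete",
        "actions": [ { "retry": { "count": 3, "backoff": "exponential", "delay": "1m" }, "delete": {} } ],
        "transitions": [] }
    ],
    "ism_template": [ { "index_patterns": [ "wazuh-alerts-*" ], "priority": 1 } ]
  }
}'

# make_test_policy COLD_AGE DELETE_AGE: the same policy with both ages shortened and
# the template pointed at a throwaway pattern (ism-test-*, assumed name), so the trial
# cannot compete with the production template on wazuh-alerts-*.
make_test_policy() {
    printf '%s' "$PROD_POLICY" |
      sed -e "s/\"31d\"/\"$1\"/g" -e "s/\"732d\"/\"$2\"/g" -e 's/"wazuh-alerts-\*"/"ism-test-*"/'
}

ism_put_policy() { ism_call PUT "/_plugins/_ism/policies/$1" "$2"; }        # ID JSON
ism_attach()     { ism_call POST "/_plugins/_ism/add/$2" "{\"policy_id\": \"$1\"}"; }  # ID INDEX_PATTERN (existing indices)
ism_explain()    { ism_call GET "/_plugins/_ism/explain/$1"; }               # INDEX_PATTERN
ism_retry()      { ism_call POST "/_plugins/_ism/retry/$1"; }                # INDEX_PATTERN, after a failed step

# Trial run, only with RUN_ISM=1 so the file can be sourced and tested offline.
if [ "${RUN_ISM:-0}" = 1 ]; then
    ism_put_policy wazuh-alert-retention-policy-test "$(make_test_policy 1d 2d)"; echo
    ism_call PUT "/ism-test-000001"; echo     # throwaway index, picked up by the test template
    ism_explain 'ism-test-*'; echo            # "state" should move hot -> cold -> delete over two days
    # If explain shows "failed": true on the rollover step (no rollover alias on the
    # index), add the alias or drop the rollover action, then: ism_retry 'ism-test-*'
fi
```

Once the throwaway index has gone through hot, cold and delete on the short ages, install the real policy with ism_put_policy and, for indices that already exist, ism_attach wazuh-alert-retention-policy 'wazuh-alerts-*'; check ism_explain a day later and watch specifically for the rollover step's status before trusting the two-year deletion to run.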