"ghost" alerts.json files

[Андрей Горин]

Hello!
Interesting problem:
68.4% of disk space occupied
I display lost deleted files, I see that it is /var/ossec/logs/alerts/alerts.json
I restarted the filebit service that writes logs, and a lot of free space appeared.
This happens on all 9 of my workers.

How can I fix this so that this doesn't happen again? I take it this is due to incorrect logrotation?

[Md. Nazmur Sakib]

Hello Андрей Горин,

Hope you are doing well. Thank you for using Wazuh.

I am glad that the issue is resolved after restarting the filebeat.

You can check if your log rotation is configured properly from 

/var/ossec/etc/internal_options.conf

Check the document for details:

https://documentation.wazuh.com/current/user-manual/reference/internal-options.html

I think the issue was with filebeat/indexer not working properly for some reason, it could be that during restarting the server the service was not up properly, etc., and that caused an issue with log rotation.

I would suggest you check cluster health and node status after some days.

Check cluster health

curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cluster/health?pretty

curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v

Check if filebeat is working properly

filebeat test output

Check the status of your indices

curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/indices?v

Check the status of your shards

curl -k -u <username>:<password> https://<WAZUH_INDEXER_IP>:9200/_cat/shards?v

I hope you find this information useful

Regards

Md. Nazmur Sakib

[Андрей Горин]

Good afternoon, thanks for the information, the cluster is in working order, the configuration is standard. The problem persists. I found similar situations on the Internet:
https://groups.google.com/g/wazuh/c/fp5VssdY-UU
https://github.com/wazuh/wazuh/issues/4673

четверг, 23 ноября 2023 г. в 13:37:43 UTC+3, Md. Nazmur Sakib: