The Wazuh archives refer to the storage files created by the Wazuh server that contain logs, alerts, and other security-related data collected from monitored endpoints. Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. Wazuh archives are useful for threat hunting, as security teams use archived logs to review historical data of security incidents, analyze trends, and generate reports.
By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server. When enabled, Wazuh archives allow organizations to store and retain security data for compliance and forensic purposes.
2. Index life management - Index retention:
Security standards require keeping data available for audits for a minimum period of time. For data older than this retention period, you might want to delete it to save storage space.
You can define specific policies to handle deletions automatically.
You might also find these policies useful for index rollovers.
External Scripts
Other than that, the resulting archives and logs are available in the filesystem.
This means you could create a bash script and schedule it with cron at the required time ranges and under other conditions.
The responsibility of this script might be to manually copy, pack, and delete older files or indexes via the API.
Unfortunately, creating this script is outside the scope of the Community Channel.
Anyway, you can find file locations, policies, and every detail you need to create this script.
Please feel free to ask any related question here, and please check the mentioned capabilities beforehand.
Regards,