hot/cold and archives vs alerts


Matthias Appelmans

Apr 18, 2024, 6:01:00 AM
to Wazuh | Mailing List
Hi all, hope you're having a great day.


I have 2 questions! 

1. Can someone please explain the difference between hot and cold data in wazuh?
2. Is data in the archives.log also indexed?

Best regards
Matthias



Md. Nazmur Sakib

Apr 18, 2024, 7:34:23 AM
to Wazuh | Mailing List

Hi Matthias,


Hope you are doing well.


I believe you are referring to this document.

https://documentation.wazuh.com/current/cloud-service/archive-data/index.html


Wazuh provides two types of storage for your data:


Indexed data, formerly known as hot storage.


This data is properly mapped with different fields. That data is used to display events in the Dashboard.

You can find that data inside this folder:

/var/lib/wazuh-indexer/nodes/0/indices/



By default, only alert logs are indexed.


Archive data, formerly known as cold storage.


Archive logs are simple data with the plain logs forwarded from the log source.

You can find those logs inside:

/var/ossec/logs/archives/Year/Month



The archive logs are not indexed by default.


You can enable indexing of the archive logs by following this:


Edit the Filebeat configuration file /etc/filebeat/filebeat.yml and change the value of archives: enabled from false to true.



archives:
  enabled: true



Ref: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html


Indexed logs occupy more storage than archive logs.


I hope this answers your questions.


Let me know if you need any further information.
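The config change described in the answer above, as an added example that is not part of the thread or of Wazuh's own tooling: a small POSIX shell helper that flips `enabled: false` to `true` only inside the `archives:` block of a Filebeat config (so the neighbouring `alerts:` block is left alone), plus a reader that reports the current value. The file path and the sample config content are constructed for the demo; on a real manager the file is /etc/filebeat/filebeat.yml.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): toggle archive indexing
# in a Filebeat config for the Wazuh module. Sample content below is
# constructed and modelled on the default layout of /etc/filebeat/filebeat.yml.

# Flip "enabled: false" to "enabled: true", but only for the key that sits
# directly under the "archives:" block. Indentation is used to detect the
# start and end of that block so "alerts: enabled: ..." is never touched.
# Usage: enable_archives /path/to/filebeat.yml
enable_archives() {
  cfg="$1"
  tmp="$cfg.tmp.$$"
  awk '
    /^[[:space:]]*archives:[[:space:]]*$/ {
      in_archives = 1
      indent = match($0, /[^ ]/) - 1      # indentation of "archives:" itself
      print; next
    }
    in_archives {
      cur = match($0, /[^ ]/) - 1
      # A non-blank line indented at or above the "archives:" level ends the block.
      if ($0 !~ /^[[:space:]]*$/ && cur <= indent) { in_archives = 0 }
      else if ($0 ~ /^[[:space:]]*enabled:[[:space:]]*false[[:space:]]*$/) {
        sub(/false/, "true")
      }
    }
    { print }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the value of "enabled" under "archives:" (true or false), nothing else.
# Usage: archives_enabled /path/to/filebeat.yml
archives_enabled() {
  awk '
    /^[[:space:]]*archives:[[:space:]]*$/ {
      in_archives = 1
      indent = match($0, /[^ ]/) - 1
      next
    }
    in_archives {
      cur = match($0, /[^ ]/) - 1
      if ($0 !~ /^[[:space:]]*$/ && cur <= indent) { in_archives = 0 }
      else if ($0 ~ /^[[:space:]]*enabled:/) { print $2; exit }
    }
  ' "$1"
}

# Write a constructed sample config (default-style layout, archives disabled).
# Usage: make_sample_config /path/to/sample.yml
make_sample_config() {
  cat > "$1" <<'EOF'
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
EOF
}

# Demo run on a temporary copy, never on the live config.
if [ "${DEMO:-0}" = "1" ]; then
  f=$(mktemp)
  make_sample_config "$f"
  echo "before: archives enabled = $(archives_enabled "$f")"
  enable_archives "$f"
  echo "after:  archives enabled = $(archives_enabled "$f")"
  rm -f "$f"
fi
```

Run it as `DEMO=1 sh enable_archives.sh` to see the before/after on the constructed sample. On a real manager, after editing /etc/filebeat/filebeat.yml, restart Filebeat (`systemctl restart filebeat`) so the new setting takes effect; `archives_enabled /etc/filebeat/filebeat.yml` is then a quick way to confirm which state the file is in before and after the restart.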

Matthias Appelmans

Apr 18, 2024, 9:05:54 AM
to Wazuh | Mailing List
Thank you very much! :D

On Thursday, 18 April 2024 at 13:34:23 UTC+2, Md. Nazmur Sakib wrote: