Saving Storage Space - Delete Worker Logs?

[Sam Heuchert]

Hi there,

I have a 10-node distributed Wazuh cluster with multiple worker and indexer nodes.  IN an effort to maximize space, is it possible to delete logs on the workers while still retaining the data on the indexer nodes?  I'm finding a good amount of data being stored in the worker nodes, and it seems redundant after the data gets passed to the indexer nodes for indexing.

Please advise

[Aditya Sharma]

Hi Sam, Thanks for using Wazuh!

Can you please explain why you are required to delete the worker nodes' data, that will cause you the issue of not being able to recover the data if you lose some of the data in the future. I suggest you do not directly delete just move that data to some other server if you have or maintain the data for a certain period of time.

For the ILM policies and all, please check out the below documentation once: https://wazuh.com/blog/index-backup-management/

I hope this helps you. Don't hesitate to ask your questions/concerns.

Regards
Aditya Sharma

[Sam Heuchert]

Aditya,

Thanks for the response.  I am not referring to the indices.  I'm referring to the files stored on each Wazuh Manager (or Worker) node that the agents connect to (located at /var/ossec/logs/alerts/*).  I think these alerts are then indexed in the Wazuh Indexer cluster into respective indices.  Having it in two places seems redundant.  Of course, I could be misguided in my understanding of where the logs are stored.

Thanks,

Sam