Linux partition layout

[Udi Moshe]

Hi,

what is the correct partition layout for the linux os ?

[Damian Nicastro]

Hello Udi:

I hope you are fine.

The most common File systems used in Linux are XFS and EXT4. However, you can format your partitions with many other formats depending on the Linux system you are using.

To check this, you can run the following command:

# cat /etc/*release*

Regarding the disk volumes management, the most common is to use LVM. Below you have a guide to manage LVM partitions:

A Linux user's guide to Logical Volume Management | Opensource.com

There are another volumes management tools that allow disk thin provisioning and/or files deduplication. However, these tools are not recommended to use in Wazuh installations.

If you give me more details of your needs, I might be able to provide a more specific answer.

I hope this helps.

Thanks

[Udi Moshe]

Hello Damian,

thank you for your reply. i am familiar with linux partitioning so let me clarify my question. how should i partition the linux os for installing wazuh ?

is wazuh installed under /var or /opt ? where is the information stored ? /var or /log ?

Hope i made my question more clearer.

Thanks.

[Damian Nicastro]

Hello Udi:

I hope you are fine.

By default the wazuh-manager is installed in the /var directory under the ossec/ directory created during the installation. The logs are stored in /var/ossec/logs directory and they are rotated and compressed on a daily basis. It is also possible to install the wazuh-manager in another directory using the installation from sources described in the following document:

Installing the Wazuh manager from sources - Installation from sources

However, if you need to change the location after the installation, you can create a symbolic link to point to another Filesystem.

# cp -rp /var/ossec/* /data/wazuh
# rm -rf /var/ossec
# ln -s /data/wazuh /var/ossec

It is recommended to stop the wazuh-manager service before doing the mentioned change:

# systemctl stop wazuh-manager

Regarding the wazuh-indexer and wazuh-dashboard installations, different directories are used. For instance:

- /usr/share/ for binaries and some configurations

- /etc for main configurations and certificates

- /var for data and logs storage (wazuh-indexer)

The disk space in this last folder is critical because it stores all the indices data without compression

The location of the data and logs can also be modified in the wazuh-indexer. For instance:

1) Create new directories for data and logs and change ownership:

# mkdir /opt/lib/wazuh-indexer

# mkdir /opt/lib/wazuh-indexer

# chown -R wazuh-indexer:wazuh-indexer /opt/lib/wazuh-indexer
# chown -R wazuh-indexer:wazuh-indexer /opt/lib/wazuh-indexer

2) Change the configration of th wazuh-indexer:

# vi /etc/wazuh-indexer/opensearch.yml
...

path.data: /opt/lib/wazuh-indexer
path.logs: /opt/log/wazuh-indexer

...

3) Restart the wazuh-indexer to load the changes:

# systemctl restart wazuh-indexer

I hope this helps.

Thanks

[Wazuh | Mailing List]

Hello Damian,

thank you for the elaborated answer. this exactly what i was looking for.

Regards,

[Wazuh | Mailing List]

Hi Udi

I am glad I could help.

Thanks