Error - Disk Full

26 views
Skip to first unread message

Tom Banaria

unread,
Sep 30, 2023, 10:08:45 AMSep 30
to Wazuh | Mailing List
Hello all,

Seeking some advise from all of you regarding managing queries, indices and storage sizes.

Today, my server went down due to an error:

cluster_block_exception [FORBIDDEN/12/index read-only / allow delete (api)], flood stage disk watermark exceeded

but was able to restore it by doing this great guide: 

Now it only worked for a moment, and I somehow knew it was about to fail again. I eventually increased my storage size and re-do all of the instructions from the previous guide.

My question is - is there an efficient way to maintain storage and prevent it from getting bigger? I'm looking at data retention of at least 6 months. 

Any help and guide will be very much appreciated!

Thanks all,



Isaac Yusuf

unread,
Oct 4, 2023, 2:59:34 AMOct 4
to Wazuh | Mailing List

Hello Tom,


For the Hot Storage Retention Policy, you can use the guide below as it explains how set up a retention policy for your indices:

https://wazuh.com/blog/wazuh-index-management/ 


For the Cold Storage Retention Policy on the server, you can use the crontab to implement this.- To apply crontab (so you can configure a cold storage retention policy) please run this command: crontab -e. It will open your crontab file where you will be able to add the commands you need. Here is an example of the crontab script:


45 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +183 -exec rm -f {} \;

45 1 * * * find /var/ossec/logs/archives/ -type f -mtime +183 -exec rm -f {} \;


This will be executed every day by 12:45 a.m. for the alerts folder and 1:45 a.m. for the archives folder for logs older than 182 days (6 months). You can modify the number of days based on your needs. Once you make your changes you just need to save the file.




I hope this helps with your concern.

Tom Banaria

unread,
Oct 4, 2023, 9:14:05 AMOct 4
to Isaac Yusuf, Wazuh | Mailing List
Thank you so much Isaac,

I did resolve it be increasing the storage of the server. Looks like it does accumulate more logs when I started ingesting additional sites.

Thank you!
Tom


--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/bdTDuS2gagw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7205ae75-fcf4-4c00-aa30-fc9e1cef8cc5n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages