In Wazuh, “logs” can refer to different data sources (agent logs, alerts, or events stored in the indexer), so the export approach depends on what exactly you want to retrieve, for instance:
Alerts / Events stored in the Wazuh Indexer
If you are referring to security events or alerts, they are stored in the Wazuh indexer (OpenSearch/Elasticsearch-compatible backend depending on your setup).
You can export them using:
- Index API queries
- Dashboards (Discover / Saved searches)
- Or direct API calls
You can then filter and export results as JSON.
You can find more information in the following link:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index.html
Agent logs (local system logs collected by Wazuh)
If you mean logs collected from endpoints (e.g., /var/log/syslog, Windows Event Logs), these remain on the agent system and are also forwarded to the manager/indexer.
To access them locally:
Linux agents: check /var/ossec/logs/ossec.log
Windows agents: logs are under the agent installation directory
You can also check this official link for reference:
https://documentation.wazuh.com/current/user-manual/agent/
Kind regards!
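
The indexer export route mentioned above, as an added example that is not part of the original reply or Wazuh's own code: it pages through alerts with the search API's `search_after` cursor and yields each alert as a dict ready to dump as JSON. The `wazuh-alerts-*` pattern, the `timestamp` and `rule.level` fields, the `_id` tiebreaker, and the indexer URL and credentials are assumptions about your deployment; `SAMPLE` and `fake_post` are constructed so the paging logic can run offline.

```python
import base64
import json
import urllib.request

INDEX = "wazuh-alerts-*"  # assumed: Wazuh's alerts index pattern

def build_query(start, end, min_level, size, after=None):
    """Alerts with start <= timestamp <= end and rule.level >= min_level."""
    body = {"size": size, "query": {"bool": {"filter": [
                {"range": {"timestamp": {"gte": start, "lte": end}}},
                {"range": {"rule.level": {"gte": min_level}}}]}},
            # A fixed sort with a tiebreaker lets search_after resume exactly,
            # even when several alerts share one timestamp.
            "sort": [{"timestamp": "asc"}, {"_id": "asc"}]}
    return body if after is None else {**body, "search_after": after}

def export_alerts(post, start, end, min_level=0, size=500):
    """Yield each matching alert, following the search_after cursor."""
    after = None
    while True:
        query = build_query(start, end, min_level, size, after)
        hits = post(f"/{INDEX}/_search", query)["hits"]["hits"]
        if not hits:
            return
        yield from (h["_source"] for h in hits)
        after = hits[-1]["sort"]  # sort values of the last hit are the cursor

def http_post(base_url, user, password, context=None):
    """Transport for a real indexer; base_url is e.g. https://<indexer>:9200."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def post(path, body):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, context=context) as resp:
            return json.load(resp)
    return post

# Constructed sample (id, timestamp, rule level) and an offline stand-in indexer.
SAMPLE = [("a1", "2024-05-01T10:00:00Z", 3), ("a2", "2024-05-01T10:05:00Z", 10),
          ("a3", "2024-05-01T10:05:00Z", 12), ("a4", "2024-05-02T09:00:00Z", 7)]

def fake_post(path, body):
    ts, lvl = (f["range"] for f in body["query"]["bool"]["filter"])
    ts, lvl, cur = ts["timestamp"], lvl["rule.level"]["gte"], body.get("search_after")
    hits = [{"_source": {"id": i, "timestamp": t, "rule": {"level": n}}, "sort": [t, i]}
            for i, t, n in sorted(SAMPLE, key=lambda d: (d[1], d[0]))
            if ts["gte"] <= t <= ts["lte"] and n >= lvl and (cur is None or [t, i] > cur)]
    return {"hits": {"hits": hits[:body["size"]]}}
```

Against a live indexer, pass `http_post(...)` instead of `fake_post` and write each yielded alert with `json.dumps` to get one JSON document per line.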