Wazuh and retention policy


Tedew

Apr 4, 2024, 7:29:12 AM
to Wazuh | Mailing List
Hello,
Today I discovered that my Wazuh reached 1000 shards.

So I did as in the article below for wazuh-alerts:

But when I select alerts from, for example, today (Indices -> wazuh-alerts-4.x-2024.04.04), this policy also removes alerts from this day (but in the definition it is older than 90d).

Questions:
1. Why is it removing data not older than 90d??

2. Is it possible to assign the policy automatically to all alerts from all days, also for new ones?? Because in the above article I must select a day with alerts, assign the policy, etc. - it looks the same as selecting a day and then selecting the "Delete" action from the menu.

Definition of the policy:

{
    "id": "wazuh-alert-retention-policy",
    "seqNo": 686,
    "primaryTerm": 1,
    "policy": {
        "policy_id": "wazuh-alert-retention-policy",
        "description": "A sample description of the policy",
        "last_updated_time": 1712224216602,
        "schema_version": 18,
        "error_notification": null,
        "default_state": "delete_alerts",
        "states": [
            {
                "name": "initial",
                "actions": [],
                "transitions": [
                    {
                        "state_name": "delete_alerts",
                        "conditions": {
                            "min_index_age": "90d"
                        }
                    }
                ]
            },
            {
                "name": "delete_alerts",
                "actions": [
                    {
                        "retry": {
                            "count": 3,
                            "backoff": "exponential",
                            "delay": "1m"
                        },
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": [
            {
                "index_patterns": [
                    "wazuh-alerts-*"
                ],
                "priority": 1,
                "last_updated_time": 1712222510829
            }
        ]
    }
}

Stuti Gupta

Apr 4, 2024, 10:49:52 PM
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.

Stuti Gupta

Apr 5, 2024, 2:34:53 AM
to Wazuh | Mailing List
Hi Tedew,
Hope you are doing well.

Is it possible to assign the policy automatically to all alerts from all days, including new ones?

Yes, the policy is already designed to automatically apply to all indices matching the pattern "wazuh-alerts-*". This includes existing indices, newly created ones, and future alerts. The deletion happens based on the minimum index age (90 days).

For your next question:
Why is it removing data not older than 90d??

The data not older than 90 days is being removed because your policy is designed to delete alerts that are at least 90 days old. However, it seems like the behavior you're experiencing is not intended. There might be some misconfiguration or misunderstanding of how the retention policy is applied. To troubleshoot the issue with the retention policy not behaving as expected, ensure that:

The policy is properly applied to the indices.
The conditions for transitioning to the "delete_alerts" state are correctly set.
There are no conflicts or overrides with other policies.

The policy can be like:
{
    "policy": {
        "description": "Wazuh index state management for OpenDistro to move indices into a cold state after 30 days and delete them after a year.",
        "default_state": "hot",
        "states": [
            {
                "name": "hot",
                "actions": [
                    {
                        "replica_count": {
                            "number_of_replicas": 1
                        }
                    }
                ],
                "transitions": [
                    {
                        "state_name": "cold",
                        "conditions": {
                            "min_index_age": "90d"
                        }
                    }
                ]
            },
            {
                "name": "cold",
                "actions": [
                    {
                        "read_only": {}
                    }
                ],
                "transitions": [
                    {
                        "state_name": "delete",
                        "conditions": {
                            "min_index_age": "90d"
                        }
                    }
                ]
            },
            {
                "name": "delete",
                "actions": [
                    {
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": {
            "index_patterns": ["wazuh-alerts*"],
            "priority": 100
        }
    }
}
Adjust "min_index_age" from "90d" to your preferred number of days before an index is deleted.

Hope this helps.
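The policy definition in the first post sets "default_state" to "delete_alerts", the state that carries the delete action, so an index that ISM starts managing enters the delete state directly and the "min_index_age": "90d" condition on "initial" is never consulted. As an added example that is not part of the thread, a Python check that walks an ISM policy from its default_state and flags any delete action reachable without crossing a min_index_age condition; the embedded sample is the first post's policy trimmed to the relevant fields, and the `check_policy` / `unguarded_deletes` names are the example's own:

```python
import json

# Constructed sample: the policy from the first post, trimmed to the fields
# that matter. Its default_state is the state holding the delete action, so
# the 90d condition on "initial" is never reached.
POLICY_JSON = """{
  "policy": {
    "policy_id": "wazuh-alert-retention-policy",
    "default_state": "delete_alerts",
    "states": [
      {"name": "initial", "actions": [],
       "transitions": [{"state_name": "delete_alerts",
                        "conditions": {"min_index_age": "90d"}}]},
      {"name": "delete_alerts", "actions": [{"delete": {}}], "transitions": []}
    ],
    "ism_template": [{"index_patterns": ["wazuh-alerts-*"], "priority": 1}]
  }
}"""

def unguarded_deletes(policy: dict) -> list:
    """Names of states with a 'delete' action that an index can reach from
    default_state without crossing a transition conditioned on min_index_age.
    ISM runs a state's actions when the index enters it, and 'delete' has no
    age check of its own, so it must sit behind an age-conditioned transition."""
    states = {s["name"]: s for s in policy["states"]}
    findings = []
    stack = [(policy["default_state"], False)]  # (state name, age-guarded?)
    seen = set()
    while stack:
        name, guarded = stack.pop()
        if (name, guarded) in seen or name not in states:
            continue
        seen.add((name, guarded))
        state = states[name]
        if not guarded and any("delete" in a for a in state.get("actions", [])):
            findings.append(name)
        for t in state.get("transitions", []):
            # An empty "conditions" block transitions immediately, i.e. unguarded.
            aged = "min_index_age" in t.get("conditions", {})
            stack.append((t["state_name"], guarded or aged))
    return findings

# check_policy(POLICY_JSON) -> ['delete_alerts']; check_policy(POLICY_JSON, "initial") -> []
def check_policy(doc: str, default_state: str = None) -> list:
    policy = json.loads(doc)["policy"]
    if default_state:  # optional override to test a corrected default_state
        policy["default_state"] = default_state
    return unguarded_deletes(policy)
```

Running the check against the posted policy reports delete_alerts as reachable with no age guard; the same policy with default_state set to "initial" reports nothing.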