Ossec Logs and Elasticsearch Nodes


Alejandro Martinez

Dec 28, 2021, 6:34:20 AM
to Wazuh mailing list
Hi all,

When I delete some indices from Index Management in Kibana they still appear in ossec alerts and in elasticsearch nodes.

First, I delete the indices from Kibana:

[attachment: Kibana-delete-indices.jpg]

Now, I only have indices from the first of November 2021 until today, but when I look in /wazuh/var/ossec/logs/alerts/ there are alerts from every month of 2020 and 2021:

[attachment: wazuh-alerts.jpg]
I can also see that in /wazuh/var/lib/elasticsearch/nodes/0/indices/ there are 136 entries.

Does anyone know how to delete old alerts and nodes?

I tried manually deleting them and I had to roll back because everything stopped working. I also tried deleting them through a POST operation using curl and the same happened.

Any ideas on how to delete them?

Thanks beforehand.

Federico Pacher

Dec 28, 2021, 8:12:17 AM
to Wazuh mailing list
Hi there,

Thank you for using Wazuh.
You could automate it with ILM policies to delete old indices after a period of time, as explained in this post: https://wazuh.com/blog/wazuh-index-management

By default, Wazuh generates audit and monitoring indices for Wazuh's own service. These indices also occupy space, so you could delete these indices via Dev-tools (in case you don't want to touch your wazuh-alerts-* indices).

Example using the principal Menu > Management > Dev tools (watch the attached file):

DELETE /security-auditlog-2021.10.*

That API call will delete all the security-audit-log indices from Oct. You can follow the same example with other indices:

DELETE /wazuh-monitoring-2021.10.*

Also, the same can be performed with the wazuh-alerts indices. You can delete some old data from the past months:

DELETE /wazuh-alerts-4.x-2021.10.*


Also, you can delete specific indexes:

curl -X DELETE "https://127.0.0.1:9200/wazuh-alerts-4.x-2020.09.27" -u <username>:<password> -k

The example above will delete the index of the alerts from September 27 2020.


To delete old logs you can automate the task with a cron job. To do so, you should run crontab -e (as root) and then paste the next (EXAMPLE) commands:

# cron runs each line through sh, so find's -exec terminator must be escaped as \;
0 0 * * mon find /var/ossec/logs/alerts/ -type f -mtime +7 -exec rm -f {} \;

0 0 * * mon find /var/ossec/logs/archives/ -type f -mtime +7 -exec rm -f {} \;

This will make your system delete every Monday at 0:00hs, for example, all the files contained in /var/ossec/logs/alerts/ and /var/ossec/logs/archives/ that have been modified more than 7 days ago.


I hope this can help you

Regards



[attachment: Screenshot from 2021-12-28 09-19-18.png]
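As an added example (not from the thread and not Wazuh's own tooling), the script below puts both retention tasks from the reply above into one place: selecting dated indices older than a cutoff for the same DELETE call shown with curl, and pruning old files under the alert and archive log directories with find. It defaults to a dry run so that nothing is removed until DRY_RUN=0 is set, which is the check most people want before letting cron do this unattended. The index names, the sample index list, and the ES_URL/ES_USER/ES_PASS values are constructed placeholders; the index-name pattern (wazuh-alerts-4.x-YYYY.MM.DD) is the one the thread shows.

```shell
#!/bin/sh
# Retention helpers for Wazuh alert indices and log files (added example).
# Assumptions: daily index names end in -YYYY.MM.DD as in the thread, the
# Elasticsearch API is reachable at ES_URL with basic auth, and nothing is
# deleted unless DRY_RUN=0 is exported before running.

ES_URL="${ES_URL:-https://127.0.0.1:9200}"
ES_USER="${ES_USER:-admin}"        # placeholder credentials
ES_PASS="${ES_PASS:-changeme}"
DRY_RUN="${DRY_RUN:-1}"

# index_date NAME: print YYYYMMDD for a daily index name, print nothing for
# names without a trailing date, so undated system indices are never selected.
index_date() {
    case "$1" in
        *-[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9])
            printf '%s\n' "${1##*-}" | tr -d '.'
            ;;
    esac
}

# select_old_indices PREFIX CUTOFF: read one index name per line on stdin and
# print those that start with PREFIX and are dated strictly before CUTOFF
# (CUTOFF given as YYYYMMDD, e.g. 20211101 keeps November 2021 onwards).
select_old_indices() {
    prefix="$1"; cutoff="$2"
    while IFS= read -r name; do
        case "$name" in "$prefix"*) ;; *) continue ;; esac
        d="$(index_date "$name")"
        [ -n "$d" ] || continue
        if [ "$d" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# delete_index NAME: the same DELETE call as the curl line in the thread,
# sent only when DRY_RUN=0; otherwise report the target and do nothing.
delete_index() {
    if [ "$DRY_RUN" = "0" ]; then
        curl -s -X DELETE "$ES_URL/$1" -u "$ES_USER:$ES_PASS" -k
    else
        printf 'DRY RUN: would DELETE %s/%s\n' "$ES_URL" "$1"
    fi
}

# purge_old_logs DIR DAYS: remove regular files under DIR whose mtime is more
# than DAYS days old; with DRY_RUN=1 only list them. The \; is required because
# this runs under sh (and therefore under cron), which would otherwise treat a
# bare ; as the end of the command.
purge_old_logs() {
    dir="$1"; days="$2"
    if [ "$DRY_RUN" = "0" ]; then
        find "$dir" -type f -mtime +"$days" -exec rm -f {} \;
    else
        find "$dir" -type f -mtime +"$days"
    fi
}

# Constructed sample index list, standing in for the output of
# "GET _cat/indices?h=index" so the selection logic runs offline.
SAMPLE_INDICES='wazuh-alerts-4.x-2020.09.27
wazuh-alerts-4.x-2021.10.05
wazuh-alerts-4.x-2021.11.01
wazuh-alerts-4.x-2021.12.28
wazuh-monitoring-2021.10.05
security-auditlog-2021.10.05
.kibana_1'

# count_old_alerts: number of sample alert indices dated before 2021-11-01.
count_old_alerts() {
    printf '%s\n' "$SAMPLE_INDICES" \
        | select_old_indices wazuh-alerts-4.x- 20211101 | wc -l | tr -d ' '
}

# Demo: in the default dry run this only reports the two pre-November indices.
printf '%s\n' "$SAMPLE_INDICES" \
    | select_old_indices wazuh-alerts-4.x- 20211101 \
    | while IFS= read -r idx; do delete_index "$idx"; done
```

To use it against a live cluster, pipe the real index list in (for example the output of the _cat/indices API) instead of SAMPLE_INDICES, run once with the default dry run to review the targets, and only then set DRY_RUN=0; the same DRY_RUN switch lets the crontab line from the reply be verified with purge_old_logs before the rm is enabled.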