Disk space rapidly increasing


Prabhat Lolam

Jun 4, 2026, 1:04:32 AM
to Wazuh | Mailing List
Hi,

I am using a 3-node Wazuh cluster setup. On Wazuh-server 2 & 3, I have observed huge disk usage for the last 3 days. Upon investigation, I identified that in the path mentioned below, file size is increasing rapidly.
/var/ossec/logs/archives/2026/June/ossec.archive-03.json - 124GB
/var/ossec/logs/archives/2026/June/ossec.archive-03.log - 57GB
I checked the agents which are forwarding most of the logs, as the database logs are also integrated with Wazuh.
The below-mentioned agents are sending the most logs, but the dashboard shows only around 6,755,994 logs.
12826560 pullsmsmaster-DB
12129554 getapi-master-DB
6455839 whatsapp-db-1
6450460 common-db-5
6388178 wazuhsrv-02
6220937 whatsapp-dr-DB
6126544 whatsappdb-2
2364634 whatsapp-redis-1
2345947 whatsapp-redis-2
2285271 dc5-dsrv-03
Please advise on how to troubleshoot this issue, as it has been occurring for the last 3 days and I am unable to identify the root cause.

Md. Nazmur Sakib

Jun 4, 2026, 1:45:46 AM
to Wazuh | Mailing List
Hi Prabhat,

The files you have mentioned are from archive.log and archive.json.

If you enable the archive from the Wazuh Manager's ossec.conf, all the logs, whether they generate alerts or not, are saved in /var/ossec/logs/archives/

Archive logs are disabled by default as they consume lots of space on the server. I believe you have enabled this for compliance or investigative purposes.

If you do not have any compliance requirements for keeping the archive logs, I recommend disabling them.
Archiving event logs

If you do not configure the index for the archive log, by default, they are not visible in the dashboard.
Visualizing the archive logs on the dashboard

The alert index is from the alert log, which you can find in the /var/ossec/logs/alerts/ path.


Your archive log file has grown a lot because your endpoints are sending more logs than before. This can be due to a misconfiguration of a service (which can be a database) or software causing repetitive logs, or a high volume of network traffic logs.

I suggest you check the archive log files and check if you see any repetitive logs, and based on that, you can make a further decision if you want to keep those logs or filter those logs before sending them to Wazuh.


Let me know if you need any further information.
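One way to carry out the "check the archive files for repetitive logs" step from the reply above, as an added example that is not part of this thread or of Wazuh's own tooling: a small Python script that streams an ossec.archive-NN.json file line by line (so a 124 GB file never has to fit in memory) and tallies events per agent and per repeated message pattern, with digits collapsed so the same warning with a different connection id or timestamp counts as one pattern. The sample events are constructed, the script file name is hypothetical, and the field names assumed (agent.name, location, decoder.name, full_log) are the ones Wazuh writes to archives.json.

```python
import json
import re
from collections import Counter

# Constructed sample of Wazuh archive JSON lines (one event per line); the field layout
# follows archives.json (timestamp, agent, location, decoder, full_log), values are made up.
# The final line is cut short on purpose: the active archive file always ends mid-write.
SAMPLE_ARCHIVE = """\
{"timestamp":"2026-06-03T10:00:01.000+0000","agent":{"id":"012","name":"pullsmsmaster-DB"},"location":"/var/log/mysql/error.log","decoder":{"name":"mysql_log"},"full_log":"2026-06-03 10:00:01 [Warning] Aborted connection 4413 to db: 'sms' (Got an error reading communication packets)"}
{"timestamp":"2026-06-03T10:00:01.250+0000","agent":{"id":"012","name":"pullsmsmaster-DB"},"location":"/var/log/mysql/error.log","decoder":{"name":"mysql_log"},"full_log":"2026-06-03 10:00:01 [Warning] Aborted connection 4414 to db: 'sms' (Got an error reading communication packets)"}
{"timestamp":"2026-06-03T10:00:02.000+0000","agent":{"id":"012","name":"pullsmsmaster-DB"},"location":"/var/log/mysql/error.log","decoder":{"name":"mysql_log"},"full_log":"2026-06-03 10:00:02 [Warning] Aborted connection 4415 to db: 'sms' (Got an error reading communication packets)"}
{"timestamp":"2026-06-03T10:00:02.100+0000","agent":{"id":"007","name":"getapi-master-DB"},"location":"/var/log/mysql/mysql.log","decoder":{"name":"mysql_log"},"full_log":"2026-06-03 10:00:02 Query  SELECT 1"}
{"timestamp":"2026-06-03T10:00:03.000+0000","agent":{"id":"000","name":"wazuhsrv-02"},"location":"/var/log/auth.log","decoder":{"name":"sshd"},"full_log":"Jun  3 10:00:03 wazuhsrv-02 sshd[2201]: Accepted publickey for ops from 10.0.0.9 port 51122 ssh2"}
{"timestamp":"2026-06-03T10:00:03.500+0000","agent":{"id":"000","name":"wazuh
"""

def normalize(message: str) -> str:
    """Replace digit runs so messages differing only in ids, ports or timestamps group together."""
    return re.sub(r"\d+", "N", message)

def summarize_archive(lines, top=5):
    """Stream archive JSON lines; tally events per agent and per repeated message pattern."""
    by_agent, by_pattern, parsed, skipped = Counter(), Counter(), 0, 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # partial or corrupt line; do not abort the whole scan
            continue
        parsed += 1
        agent = event.get("agent", {}).get("name", "unknown")
        by_agent[agent] += 1
        pattern = (agent, event.get("location", "?"), normalize(event.get("full_log", "")))
        by_pattern[pattern] += 1
    return {"parsed": parsed, "skipped": skipped,
            "by_agent": by_agent.most_common(top), "by_pattern": by_pattern.most_common(top)}

if __name__ == "__main__":
    import sys  # usage: python archive_top_talkers.py /var/ossec/logs/archives/2026/June/ossec.archive-03.json
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_ARCHIVE.splitlines()
    report = summarize_archive(source)
    print(f"parsed={report['parsed']} skipped={report['skipped']}")
    for agent, n in report["by_agent"]:
        print(f"{n:>10}  {agent}")
    for (agent, location, pattern), n in report["by_pattern"]:
        print(f"{n:>10}  {agent}  {location}  {pattern[:70]}")
```

The top pattern per agent is what you would take back to the database or service owner to fix at the source, or turn into a filter before the events reach the manager.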