How to calculate wazuh capacity?


Kudret ÇAĞLAYAN

Jun 3, 2024, 8:41:03 AM
to Wazuh | Mailing List
Hello friends,
There are 50 servers and 100 clients in the construction. I must keep the logs for a minimum of 2 years. The problem I experienced in my old shipments is that after a while, logs do not come from the agents. When you clear the alerts named Wazuh-alerts-4.x-2024, the logs start coming. I think the node is insufficient. Archive logs were not active during production. How can I configure it losslessly without deleting the logs? How exactly is the calculation done? I would appreciate it if you could indicate a source I can take as a reference.

Eli Josue Rodriguez

Jun 3, 2024, 1:07:03 PM
to Wazuh | Mailing List
Hello, there is no formula to know exactly how much storage space you need for what you indicate, since it depends on the number of events that are generated in your infrastructure.

There are guides that address the issue of life cycle management for indexes.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html
https://wazuh.com/blog/wazuh-index-management/

And also other tuning that may be useful to you.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html

However, I would recommend that you progressively increase the space on the disk where you have the indexer installed so that you can know how much storage space you have for all the information you need to have.

Regards,

Kudret ÇAĞLAYAN

Jun 6, 2024, 4:58:26 AM
to Wazuh | Mailing List
I'm new to Wazuh, so my questions may seem funny to you :) Archive logs are permanent and can record as much as the disk space on the server allows. However, alert records are analyzed from the logs in the archives and displayed as a result of certain rules. And when the alert logs are not cleared, I think the indexing is full and cannot receive new logs. Therefore, it is necessary to clear alert logs at certain periods (which is completely related to our structure). But as I said before, archive logs are stored until the disk space is full.

Could you please confirm if my thoughts and experiences above are correct?

On Monday, June 3, 2024 at 8:07:03 PM UTC+3, Eli Josue Rodriguez wrote:

Eli Josue Rodriguez

Jun 6, 2024, 5:02:13 PM
to Wazuh | Mailing List
Hello Kudret, sorry for the delay. As long as the Wazuh server manager (which is responsible for receiving agent alerts and storing them in alerts.log or alerts.json format) is full, new alerts will not be processed to the Wazuh indexer and events will be dropped. So that you understand a little more about how Wazuh works, I leave you a link where you can see the architecture and see where you have to make the corresponding adjustments.

https://documentation.wazuh.com/current/getting-started/architecture.html

It is important that you know that once the alerts are processed/indexed to the Wazuh Indexer you can clean the alerts.log or alerts.json history. To do this, you can perform daily maintenance/backup tasks, to prevent the space in it from filling up the disk by these logs.

You can use monitord to do the rotations, but you will also need some task in a crontab to eliminate the records that you do not need in the time you consider necessary (7d maybe)
https://documentation.wazuh.com/current/user-manual/reference/internal-options.html?monitord=#monitord

I hope that helps you!
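As an added example (not part of the thread and not Wazuh project code), here is a POSIX shell routine for the cron-driven cleanup described above: it removes rotated alert files older than N days under the manager's alerts directory while never touching the live alerts.json or alerts.log that the manager keeps open. The directory layout (`<year>/<Mon>/ossec-alerts-<day>.json.gz`, the manager's default rotation target), the 7-day retention and the crontab line are assumptions; the demo tree it builds is constructed data so the script runs offline. Run it in dry mode first to see what would be deleted.

```shell
#!/bin/sh
# Added example, not from the thread or the Wazuh project.
# Prunes rotated alert files older than N days on a Wazuh manager.
# Assumed layout (Wazuh's default rotation): $ALERTS_DIR/<year>/<Mon>/ossec-alerts-<day>.{json,log}.gz
# The live alerts.json / alerts.log in $ALERTS_DIR are never matched, so the
# manager keeps writing; only rotated ossec-alerts-* files are candidates.
#
# Assumed crontab entry (runs nightly at 02:00 with 7-day retention):
#   0 2 * * * /usr/local/sbin/prune_old_alerts.sh /var/ossec/logs/alerts 7

# prune_old_alerts DIR DAYS [dry]
#   DIR  : alerts directory (production default: /var/ossec/logs/alerts)
#   DAYS : remove rotated files whose modification time is older than this many days
#   dry  : if the literal word "dry", only list candidates, delete nothing
prune_old_alerts() {
    dir="$1"; days="$2"; mode="${3:-delete}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ "$mode" = "dry" ]; then
        find "$dir" -type f -name 'ossec-alerts-*' -mtime +"$days" -print
    else
        find "$dir" -type f -name 'ossec-alerts-*' -mtime +"$days" -print -exec rm -f {} +
    fi
}

# count_rotated DIR: number of rotated alert files still present (for verification).
count_rotated() {
    find "$1" -type f -name 'ossec-alerts-*' | wc -l | tr -d ' '
}

# make_demo_tree: builds a constructed alerts tree in a temp directory with
# one old rotated file (Jan 2024), one fresh rotated file (mtime = now) and
# the live alerts.json. Prints the directory path.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/2024/Jan" "$base/2024/Jun"
    echo '{"rule":{"id":"5402"}}' > "$base/alerts.json"          # live file, must survive
    : > "$base/2024/Jan/ossec-alerts-02.json.gz"                  # old rotated file
    touch -t 202401020000 "$base/2024/Jan/ossec-alerts-02.json.gz"
    : > "$base/2024/Jun/ossec-alerts-05.json.gz"                  # recent rotated file
    echo "$base"
}

# Stand-alone demo: `sh prune_old_alerts.sh demo`
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_tree)
    echo "--- would remove (older than 7 days):"
    prune_old_alerts "$d" 7 dry
    echo "--- removing:"
    prune_old_alerts "$d" 7
    echo "--- remaining rotated files: $(count_rotated "$d")"
    rm -rf "$d"
fi
```

Pair this with the monitord rotation settings linked above: monitord produces the dated .gz files, and this job is what actually frees the disk once the alerts have been indexed. Choose DAYS long enough that the indexer has certainly ingested everything before the file disappears.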