Custom Log Storage & Alerting on Disk Usage in Lab
33 views
Skip to first unread message
하프사
Sep 3, 2025, 5:34:18 AM (5 days ago) Sep 3
to Wazuh | Mailing List
Hello Wazuh Community,
I am new to Wazuh and am currently exploring its configuration options for log management in my lab environment.
My current setup is an all-in-one architecture where I am monitoring 15 servers.
I have two specific questions I haven't fully resolved through the documentation:
Custom Log Storage & Sizing: Is it possible to specify a custom disk storage location for specific log files, notably alerts.log and archives.log?
Each log file has a configurable maximum size.
I receive alerts specifically when the free space on the specific file falls below a defined threshold.
Could you please point me to the correct configuration directives or guide me on how to achieve this?
Best regards,
I am new to Wazuh and am currently exploring its configuration options for log management in my lab environment.
My current setup is an all-in-one architecture where I am monitoring 15 servers.
I have two specific questions I haven't fully resolved through the documentation:
Custom Log Storage & Sizing: Is it possible to specify a custom disk storage location for specific log files, notably alerts.log and archives.log?
Furthermore, can I define a maximum size limit for each of these individual log files to prevent them from consuming all available disk space on their partition? If so, what is the correct parameter in the ossec.conf file to set these limits?
Targeted Alerting: If I configure a dedicated storage volume for these logs, what is the recommended method to generate alerts when that specific disk partition or directory starts to run low on space? I want to avoid being alerted about the overall system root (/) disk usage and instead monitor only the storage dedicated to Wazuh logs.
My goal for this lab is to have a setup where:
Targeted Alerting: If I configure a dedicated storage volume for these logs, what is the recommended method to generate alerts when that specific disk partition or directory starts to run low on space? I want to avoid being alerted about the overall system root (/) disk usage and instead monitor only the storage dedicated to Wazuh logs.
My goal for this lab is to have a setup where:
Each log file has a configurable maximum size.
I receive alerts specifically when the free space on the specific file falls below a defined threshold.
Could you please point me to the correct configuration directives or guide me on how to achieve this?
Best regards,
ismail....@wazuh.com
Sep 3, 2025, 7:44:40 AM (4 days ago) Sep 3
to Wazuh | Mailing List
Hi,
Wazuh generates several internal log files, including alerts.log, archives.log, alerts.json, and archives.json, which are located under /var/ossec/logs/. You can refer to this document.
It is not recommended to change the default log path, since these files are part of the Wazuh internal architecture and expected in their default location. A best practice is to configure LVM for /var, so that /var/ossec/logs/ benefits from a dedicated volume. This way, you can resize the LVM at any time if log growth requires more space.
By default, these logs are compressed daily. Refer to this link for more info. This is mainly for backup purposes. If needed, you can create a cron job to move older compressed logs to external storage such as a NAS, S3 bucket, or other backup location. Also, you can configure rotate_interval or max_output_size, in global configuration Refer to this document.
Eg:
<rotate_interval>10m</rotate_interval>
</global>
Also, you can follow the document for creating a retention policy for wazuh indexes.
I hope it helps. Please let us know if you have any further queries or issues here.
Regards,
Wazuh generates several internal log files, including alerts.log, archives.log, alerts.json, and archives.json, which are located under /var/ossec/logs/. You can refer to this document.
It is not recommended to change the default log path, since these files are part of the Wazuh internal architecture and expected in their default location. A best practice is to configure LVM for /var, so that /var/ossec/logs/ benefits from a dedicated volume. This way, you can resize the LVM at any time if log growth requires more space.
By default, these logs are compressed daily. Refer to this link for more info. This is mainly for backup purposes. If needed, you can create a cron job to move older compressed logs to external storage such as a NAS, S3 bucket, or other backup location. Also, you can configure rotate_interval or max_output_size, in global configuration Refer to this document.
Eg:
<rotate_interval>10m</rotate_interval>
</global>
Also, you can follow the document for creating a retention policy for wazuh indexes.
I hope it helps. Please let us know if you have any further queries or issues here.
Regards,
Reply all
Reply to author
Forward
0 new messages