Archive unarchived alerts

[Johnie Basson]

Good day.

We had an issue with disk space on our server and as a result the daily Alerts was not archived.

Is there a way for us to archive these files?

I.e. create the log.gz & json.sum files from the .log & .json files.

Kind regards.

[Tomas Sarquis]

Hi Johnie

Let me understand this a little better...

So, you have enabled Wazuh archives but, since you have disk issues, it stopped working?

[Johnie Basson]

Tomas

Good day.

We've not enabled full archives.

The problem is we're stuck with some large alert logs that was never zipped/archived:

We just want to zips/archive these files so that Wazuh would be able to access them again.

Kind regards

Johnie

[Tomas Sarquis]

So, if I did understand, the logs file is not yet compressed.

Have you checked our documentation regarding log rotation?

Wazuh by default compresses these files every 31 days.

If you are running into disk issues, you could try performing the compression with a smaller day interval.

To do so, you should modify /var/ossec/etc/internal_options.conf file by changing monitord.keep_log_days to a value lower than 31.

[Johnie Basson]

Tomas

Thank you for your feedback.

We do however still have some older logs that was never archived due to the lack of disk space, is there a way to archive/zip these now?

Kind regards

[Tomas Sarquis]

First of all, viewing the dates of the files, your manager is generating a lot of alerts. Consider implementing an anti-flooding mechanism.

Secondly, why do you affirm that these logs are not compressed "due to the lack of disk space"? Have you seen any errors related to this scenario?

It's weird that logs from day 21 are being compressed but logs from previous days are not...

[Johnie Basson]

Tomas

Thank you for your feedback.

We will investigate the ant-flooding mechanism, and we are addressing the server causing the alerting issue.

Yes, I can confirm that we only have this problem when the server ran out of space and thus stopped logging as you can see from the image there was no logs for a few days after the server ran out of space (14 – 17 & 19 – 21 May) until it was resolved it started logging again.

I just want to know of there is way to archive/zip these files after the fact, is there a script that will create the archives (.gz & .sum files) for those days.

If not, I suppose we can just archive/zip them to free up the space.

 

Kind regards

[Tomas Sarquis]

I'm checking this with the team. Please give me some minutes.

[Johnie Basson]

Thanks.

[Tomas Sarquis]

Still checking on this, Johnie.

[Tomas Sarquis]

So, I checked with the team...

Apparently, these full-disk issues are known are we hope they will be handled soon.

On the other hand, there's no "legal" way of compressing these files manually but you can compress them yourself by using a tool such as gzip. The only inconvenience is that the hash chain will not be created, for instance:

Current checksum:

MD5 (logs/alerts/2023/Jun/ossec-alerts-26) = 2fda8beec79b1601aaab2e72d2d19039 SHA1 (logs/alerts/2023/Jun/ossec-alerts-26) = 9fb13fa55008475f984516cbf3bd92a0a1bdaf6d SHA256 (logs/alerts/2023/Jun/ossec-alerts-26) = 4288b8dc6cff3ffc6895c8631241dbaa3e66bf870e0d09ff639726a3fc3b1827 Chained checksum: MD5 (logs/alerts/2023/Jun/ossec-alerts-25.json.sum) = none SHA1 (logs/alerts/2023/Jun/ossec-alerts-25.json.sum) = none SHA256 (logs/alerts/2023/Jun/ossec-alerts-25.json.sum) = none

You can create them, in any format, but following the file name so the manager will chain it the next day.