Dear,
How can I automatically delete logs and security events older than 6 months from agents? I read that you recommend the following configuration:
# crontab -e
0 0 * * * find /var/ossec/logs/archives/ -type f -mtime +186 -exec rm -f {} \;
However, when I delete these files and restart the Wazuh services, I still see the events.
For example, if I delete the .log from 08/02:
I keep seeing security events from agents on 08/02:
Just in case it is necessary: before looking for the records in the dashboard, I restarted the following services associated with Wazuh:
I also did the same with the files located in /var/ossec/logs/alerts and got the same result:
I am using Wazuh Server from the .ova posted at:
https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html
Am I doing something wrong? How does it work?
Regards.
Hi, thanks for using Wazuh.
To make this easier to understand, you may note that the file /var/ossec/logs/archives/archives.json contains all the events, whether they triggered a rule or not, and the file /var/ossec/logs/alerts/alerts.json contains only events that triggered a rule with a high enough priority (this threshold is configurable within the rule definition).
With this in mind: Wazuh, by default, does not delete the data stored in the /logs/alerts/ directory.
The events you are showing in the image are ingested from the alerts.json file, so you should also consider creating a cron job to delete those files.
For example:
# crontab -e
0 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +186 -exec rm -f {} \;
And if you want to remove the elastic data, we have a blog post dedicated to that:
https://wazuh.com/blog/wazuh-index-management/
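The two cron lines from the thread, folded into one retention script, as an added example (not code from the original posts or from the Wazuh project). It assumes the rotated files live under `<dir>/<YYYY>/<Mon>/` (e.g. `alerts/2023/Aug/ossec-alerts-02.json.gz`) below the live `alerts.json` / `archives.json`, GNU find and touch, and a hypothetical install path of `/usr/local/bin/wazuh-prune.sh`; `make_sample_tree` builds a constructed directory tree so the policy can be dry-run offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Wazuh project.
# One retention job covering both directories the answer names (alerts/ and
# archives/). Assumes rotated files live under <dir>/<YYYY>/<Mon>/ while the
# live alerts.json and archives.json sit at the top level; GNU find and touch.
WAZUH_LOG_ROOT="${WAZUH_LOG_ROOT:-/var/ossec/logs}"
RETENTION_DAYS="${RETENTION_DAYS:-186}"

# prune_rotated_logs DIR DAYS [dry-run]
# Prints each rotated file under DIR older than DAYS days and deletes it unless
# the third argument is "dry-run". -mindepth 2 limits matching to the
# <YYYY>/<Mon>/ subdirectories, so the live top-level files are never removed,
# even if the manager was stopped long enough for their mtime to age past DAYS.
prune_rotated_logs() {
    dir="$1"; days="$2"; mode="${3:-delete}"
    [ -d "$dir" ] || { echo "prune: no such directory: $dir" >&2; return 1; }
    if [ "$mode" = "dry-run" ]; then
        find "$dir" -mindepth 2 -type f -mtime +"$days" -print
    else
        find "$dir" -mindepth 2 -type f -mtime +"$days" -print -delete
    fi
}

# run_retention [dry-run]: apply the policy to alerts/ and archives/ in turn.
# Cron entry for the real job (root crontab), assuming this script is saved as
# /usr/local/bin/wazuh-prune.sh (hypothetical path):
#   0 0 * * * /usr/local/bin/wazuh-prune.sh run
run_retention() {
    for sub in alerts archives; do
        prune_rotated_logs "$WAZUH_LOG_ROOT/$sub" "$RETENTION_DAYS" "${1:-delete}"
    done
}

# make_sample_tree ROOT: constructed sample layout for an offline dry run.
# Two rotated alert files and one archive file old enough to prune, one recent
# rotated file, and live top-level files with old mtimes to show they survive.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/alerts/2023/Jan" "$root/alerts/2023/Aug" "$root/archives/2023/Jan"
    touch -d '200 days ago' "$root/alerts/2023/Jan/ossec-alerts-15.json.gz" \
        "$root/alerts/alerts.json" "$root/archives/archives.json"
    touch -d '190 days ago' "$root/alerts/2023/Jan/ossec-alerts-25.json.gz" \
        "$root/archives/2023/Jan/ossec-archives-15.json.gz"
    touch -d '2 days ago' "$root/alerts/2023/Aug/ossec-alerts-02.json.gz"
}

case "${1:-}" in run) run_retention ;; dry-run) run_retention dry-run ;; esac
```

Deleting these files only frees disk on the manager; events that Filebeat already shipped stay visible in the dashboard until the corresponding indices are removed, which is what the index management post above covers.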