Storing on S3

Tech Master
Oct 14, 2023, 6:15:07 AM
to Wazuh | Mailing List

Hello Wazuh lovers!
I have a Wazuh Docker VM with 100GB of storage on the ESXi host's datastore.
I use around 100 agents.
I enabled "log all" to save all the logs that come in, in order to have, for example, a history of the firewall logs.
I need big storage (I don't want to expand the VM endlessly) and I need to save all logs and keep them unchanged for compliance (S3 immutability).
Is it possible to directly save alerts and archives on S3 buckets?
Am I forced to do a rotation?
I ask the same question for index management.

Md. Nazmur Sakib
Oct 16, 2023, 12:41:02 AM
to Wazuh | Mailing List

Hi Tech Master,

Hope you are doing well. Thank you for using Wazuh.

You can check the log snapshot and restore option.

Check this document to learn more about snapshots:
https://wazuh.com/blog/index-backup-management/

You can use storage located in the Cloud as the back-end for your repository. For this, there are readily available plugins for various Cloud service providers. In the following documentation you can see an example with S3.

You can also check the Index Lifecycle Management (ILM) policy. It will allow you to compress your data, which will help you store more data for a longer period. With the help of an ILM policy you can manage your indices more efficiently and even add snapshots to the ILM process.

Check the document to learn more about ILM:
https://wazuh.com/blog/wazuh-index-management/

I hope this information helps. Please let me know if you need any further assistance.

Regards

Md. Nazmur Sakib

Tech Master
Oct 18, 2023, 6:01:50 AM
to Wazuh | Mailing List

Hello Nazmur,

The two blog articles you indicated refer to indices:

1) Snapshot: https://wazuh.com/blog/index-backup-management/
   Index Management: https://<mywazuh>/app/opensearch_index_management_dashboards

2) ILM: https://wazuh.com/blog/wazuh-index-management/
   Snapshot Management: https://<mywazuh>/app/opensearch_snapshot_management_dashboards

What should be done about the logs in the archives and alerts folders that grow and take up storage?
I would like to move them to external storage and/or S3 (immutable) for compliance reasons.
Since I save all logs, for example from firewalls, even those that do not generate alerts, I would like to keep them for legal, compliance and incident response reasons.

Md. Nazmur Sakib
Oct 20, 2023, 12:37:19 AM
to Wazuh | Mailing List

Hi Tech Master,

Hope you are doing well.

You can take advantage of both.

ILM will help you compress the data into smaller sizes with different phases, like warm and cold, to store more data for a longer period.

Check the document for details:
https://wazuh.com/blog/wazuh-index-management/

Snapshots will help you make a copy of your old data to a remote server and restore from it when needed.

Check the document for details:
https://wazuh.com/blog/index-backup-management/

I hope this information helps.

Regards

Md. Nazmur Sakib
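The part of the question the replies leave open, the rotated files in the manager's alerts and archives folders, as an added example that is not part of this thread and not Wazuh's own tooling: it copies only already-rotated files to an S3 bucket with Object Lock, so each copy stays unchanged for the retention period the compliance requirement asks for. It assumes the rotated files live under /var/ossec/logs/{alerts,archives}/YYYY/Mon/*.gz, that the destination bucket was created with Object Lock enabled, and that boto3 finds credentials in the environment; the bucket name is a placeholder.

```python
# Copy Wazuh's rotated alert/archive files to an S3 bucket with Object Lock.
# Assumed (not from the thread): rotated logs live under
# /var/ossec/logs/{alerts,archives}/YYYY/Mon/*.gz, the bucket was created with
# Object Lock enabled, and boto3 finds credentials in the environment.
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from pathlib import Path

def rotated_logs(root, today, min_age_days=1):
    """Yield rotated .gz files under root/YYYY/Mon/ dated at least min_age_days ago.
    The live alerts.json / archives.json is never touched: it is still being written."""
    root = Path(root)
    for path in sorted(root.glob("*/*/*.gz")):
        year, mon = path.parts[-3], path.parts[-2]
        day = path.stem.rsplit("-", 1)[-1].split(".")[0]  # ossec-archive-14.json -> 14
        try:
            logged = datetime.strptime(f"{year} {mon} {day}", "%Y %b %d").date()
        except ValueError:
            continue  # not a rotated Wazuh log, leave it alone
        if (today - logged).days >= min_age_days:
            yield path

def s3_key(root, path, prefix="wazuh"):
    """.../archives/2023/Oct/x.gz -> wazuh/archives/2023/Oct/x.gz"""
    root = Path(root)
    return "/".join((prefix, root.name, *path.relative_to(root).parts))

def sha256_b64(path):
    """Base64 SHA-256 digest as S3's ChecksumSHA256 expects; S3 rejects the PUT
    if the bytes it stored do not match, so a corrupted upload cannot go unnoticed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()

def upload_locked(path, bucket, key, retain_days, client=None):
    """PUT with COMPLIANCE retention: no principal, not even the account root,
    can delete or overwrite this version before the returned date."""
    if client is None:
        import boto3  # lazy import so the helpers above run without it
        client = boto3.client("s3")
    retain_until = datetime.now(timezone.utc) + timedelta(days=retain_days)
    with open(path, "rb") as body:
        client.put_object(Bucket=bucket, Key=key, Body=body,
                          ChecksumSHA256=sha256_b64(path),
                          ObjectLockMode="COMPLIANCE",
                          ObjectLockRetainUntilDate=retain_until)
    return retain_until
```

To use it, run rotated_logs over /var/ossec/logs/archives (and /alerts) with today's date and pass each path to upload_locked together with s3_key; afterwards client.get_object_retention on a key confirms the mode and date S3 recorded.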
