EVENTOS WAZUH

[stefanny chavez anto]

Good morning, Is there a way to reset the Wazuh server event and/or alert counter from zero?

[Jorge Alberto Marino]

Hello,

Do you need to reset the Wazuh server event and/or alert counter to zero for the entire system or only for a specific agent or module?

Thank you.

[stefanny chavez anto]

Hello, I need to reset the Wazuh server event and/or alert counter to zero for the entire Wazuh system, for a specific agent and module, for example, vulnerability module, audit system, etc. Thank you.

[Jorge Alberto Marino]

During normal operation, Wazuh have an Index Management Policy that can be configured to achieve this at the same time by keeping data available for different periods of time and under different circumstances.

You can check this here : https://wazuh.com/blog/wazuh-index-management/

Another option is to delete specific files. Please check here for detailed information https://groups.google.com/g/wazuh/c/Jo8ldO6Cwo4/m/FVTc5rmTBAAJ

On the other hand, you can delete all the indexes data manually. THIS CAN'T BE REVERTED. WARNING. ONCE DELETED, IT CAN'T BE RECOVERED UNLESS YOU MAKE A BACKUP BEFORE.

This will erase all data and it's not encouraged unless you know what you are doing.

Stop Manager

sudo systemctl stop wazuh-manager

Delete index data

sudo rm -rf /var/ossec/data/*

Start Manager

sudo systemctl start wazuh-manager

Thank you

[stefanny chavez anto]

The first link didn't work for me: https://groups.google.com/g/wazuh/c/Jo8ldO6Cwo4/m/FVTc5rmTBAAJ It shows me an error: (image attached)

# curl -u <username>:<password> https://<indexer IP>:9200/_cat/indices/wazuh-alerts* -k

[Jorge Alberto Marino]

Hello Stefanny,

I have tested instructions here in my sandbox environment.

It works as expected.

It seems you have a connectivity issue from csirt-ws01 to the indexer's host. Please verify that first.

Thank you.