Logs filled up disk space

[Brad Nelson]

Hi,

Im a total noob at Wazuh. Im learning more and more each day but currently, i ran out of disk space due to wazuh and now I cant bring up the admin console. Is there a command I can run to clean up the logs or indices. i ran du -hsx -- * | sort -rh | head -10 and found the wazuh-indexer is using up 40GB, how can I shrink that down?

Any help would be greatly appreciated

[Javier Sanchez Gil]

Hi Brad Nelson,

First of all, thank you for using Wazuh!

You can free up space by performing log cleaning periodically in the specified directories: /var/ossec/logs/alerts/ and /var/ossec/logs/archives/

In the following link that I am going to provide you with, the user has the same situation and they provide assistance regarding it:

https://github.com/wazuh/wazuh/issues/11128

Please follow it, and if you have any doubts or questions, let me know!

[Brad Nelson]

Hi Javier,

Thanks for the reply, its nice to meet you. I ran the corn and it cleared out a few gigs of storage, but almost all my space being filled up is located in /var/lib/wazuh-indexer and it is still at 39gb of storage. What else can I try?

[Javier Sanchez Gil]

The path /var/lib/wazuh-indexer contains the indexes with the information of the alerts ( wazuh-alerts-4.x-YYYY.MM.DD ) and other internal information like statistics and monitoring of process etc.

You can define a period of retention of these indexes to manage the disk space, on the following blog you have a complete explanation of this index management.
https://wazuh.com/blog/wazuh-index-management/

One important thing to mention is that you always need to manage the indexes through the API management or Wazuh-indexer, never should be deleted or modified from the CLI console of the server, due to could generate some inconsistencies.

If you need to list the indexes and check the size you can execute the following from Menu --> Management --> Dev Tool
To list all indeces

GET /_cat/indices?v=true&s=index

Or if you need only the wazuh-alerts

GET /_cat/indices/wazuh-alerts-*?v=true&s=index

To delete one execute the following

DELETE wazuh-alerts-4.x-2023.02.06

But I recommend you define policies to delete according to a period of retention.

[Brad Nelson]

Thanks for the reply. I reviewed your link but I don't have ElasticSearch as an option. Is it required?

[Javier Sanchez Gil]

Hi Brad Nelson,

No, ElasticSearch is not necessary. You can do it directly from the Wazuh dashboard!

Let me know if you have any questions!

[Brad Nelson]

Javier,

On the link you had me click on, when i view the screenshots, my setup doesn't have Kibana or ElasticSearch installed so I can't follow the instructions they are providing. If I can do it from the wazuh dashboard, do you have an article that illustrates that?

---

From: 'Javier Sanchez Gil' via Wazuh | Mailing List <wa...@googlegroups.com>
Sent: Wednesday, April 3, 2024 3:11 AM
To: Wazuh | Mailing List <wa...@googlegroups.com>
Subject: Re: Logs filled up disk space

 

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/oU8vwRd16ds/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/25a77c86-6e9a-4e46-bc19-b1fcceefad14n%40googlegroups.com.

[Javier Sanchez Gil]

Hi Brad,

Sorry for the wait!

Of course, here's how you can do it step by step following the Wazuh documentation:

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/index-life-management.html

Let me know if you have any questions!