Hello,
The presence of .sum files without their corresponding .log.gz or .log files usually indicates that the logs have been removed or moved from the local storage, as Wazuh itself does not delete these archives; it only rotates and compresses them to save space. You can find more details on how this process works in the official documentation: documentation.wazuh.com/current/user-manual/manager/event-logging.html#log-compression-and-rotation.
If the files are missing from the /var/ossec/logs/archives directory and you do not have a filesystem backup, they cannot be restored to that specific folder. However, you might still be able to access the data through the Wazuh Dashboard if you had the logall or logall_json option enabled. If your manager was configured to send these archives to the indexer, the events are stored in the wazuh-archives-* indices. Once logs are processed and ingested into the indexer, they remain available in the Dashboard even if the source files in the archives directory are deleted. I recommend checking the Discover tab in your Dashboard and selecting the wazuh-archives-* index pattern for the February timeframe.
If you find that the archives were not indexed or the option was disabled, I suggest enabling these features to prevent future data loss. You can follow this guide to ensure all events are stored at documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving and find the steps to search these events in the UI at documentation.wazuh.com/current/user-manual/manager/event-logging.html#visualizing-the-events-on-the-dashboard.
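
To see which days are affected before searching the indexer, the following added example (not part of the original reply and not Wazuh's own tooling) lists every .sum file under the archives directory whose log is no longer beside it. It assumes a file named `<name>.sum` belongs to `<name>` or `<name>.gz` in the same directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report .sum files left behind after their log was
# removed or moved out of the Wazuh archives directory.
# Assumption: "<name>.sum" sits beside "<name>" (not yet compressed)
# or "<name>.gz" (rotated), e.g. ossec-archive-05.log.sum beside
# ossec-archive-05.log.gz. Filenames are assumed to contain no newlines.

# Print one orphaned .sum path per line, sorted.
# $1: archives root (defaults to the directory named in the thread).
find_orphan_sums() {
    root="${1:-/var/ossec/logs/archives}"
    find "$root" -type f -name '*.sum' | LC_ALL=C sort |
    while IFS= read -r sum; do
        base="${sum%.sum}"
        # A checksum is fine if either form of its log still exists.
        [ -e "$base" ] || [ -e "$base.gz" ] || printf '%s\n' "$sum"
    done
}

# Number of orphaned .sum files under $1.
count_orphan_sums() {
    find_orphan_sums "$1" | wc -l | tr -d ' '
}

# Orphan count per directory, which shows the months with missing logs
# (and therefore the timeframe to look for in wazuh-archives-*).
orphans_by_dir() {
    find_orphan_sums "$1" | sed 's|/[^/]*$||' | LC_ALL=C sort | uniq -c
}

# When called with a directory argument, print the per-directory summary.
if [ "$#" -gt 0 ]; then
    orphans_by_dir "$1"
fi
```

An empty result means every checksum still has its log; a directory with a high count marks the period to look for in the indexer or in a filesystem backup.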

Hello,
It is normal for this process to take a significant amount of time given the volume of logs typically stored in these files. Keep in mind that once logs are processed and stored in the indexer, it is not strictly necessary to keep them on the manager unless you require a manual backup, allowing you to save considerable disk space. Files in the archives directory can grow very large because they store every single event, regardless of whether it triggered an alert or not.
Additionally, you should consider that alerts and archives are normally indexed through Filebeat using a specific ingest pipeline. By indexing them manually via curl, you might be bypassing this pipeline and losing important data transformations or field mappings.
I recommend checking out this blog post, which explains how to extract alerts to a file and configure Filebeat to read from it. This method ensures that the data passes through the proper pipeline and is indexed correctly: wazuh.com/blog/recover-your-data-using-wazuh-alert-backups
Regards