Hi avkby445h 24,
You should check which files are consuming the most.
You will find logs of 3 types:
- Wazuh logs: Logs that record the status of Wazuh and the actions carried out.
- Event logs (archives): Logs that record all the events received by the wazuh-server.
- Alert logs (alerts): Logs that record all alerts generated by the wazuh-server.
Here are some measures you can apply:
- If Wazuh logs fill your disk: You probably have some kind of DEBUG enabled, which causes many logs per second. If yes and not necessary, then proceed to disable them from '/var/ossec/etc/local_internal_options.conf' or '/var/ossec/etc/internal_options.conf'.
- If event logging (archives) fills up your disk: By default, this logging is disabled but can be enabled by the user for debugging issues or specific use cases. It serves to log all the events received by the wazuh-server, so in case you have many agents or even a few agents reporting many events per second, it fills the disk quite fast. You can check if you have it enabled by checking 'logall' and 'logall_json' in your '/var/ossec/etc/ossec.conf' file. In case it is active, and you don't need it, disable it and restart the service.
- If alert logging (alerts) fills your disk: In this case, you can apply some retention policy to delete old logs, or delete the logs you are not interested in.
I believe that for your case, a cron job to make a backup and delete old files should solve the problem.
Here is an example of a cron job that deletes logs older than 7 days. You could combine it with your script running on your Windows Server: first create the backup, then use the cron job to delete logs older than a week:
0 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +7 -exec rm -f {} \;
0 0 * * * find /var/ossec/logs/archives/ -type f -mtime +7 -exec rm -f {} \;
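A safer variant of the retention job described above, written as an added example rather than code from the original post: it gzip-copies each old file into a backup directory first and deletes the original only when that copy succeeded, so a failed backup never loses alerts. The backup directory, the `wazuh-prune.sh` script name and the 7-day retention are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): archive-then-prune retention
# for Wazuh alert/archive logs. Old files are gzip-copied into a backup
# directory first and deleted only when that copy succeeds.
# Assumed layout: logs under /var/ossec/logs/alerts or /var/ossec/logs/archives,
# backups under a directory of your choosing (hypothetical /backup/...).

# prune_logs LOGDIR BACKUPDIR DAYS
# Copies every regular file under LOGDIR older than DAYS days to
# BACKUPDIR/<relative path>.gz, then removes the original. Echoes the
# number of files pruned. Set DRY_RUN=1 to only list candidates.
prune_logs() {
  logdir=$1; backup=$2; days=$3
  count=0
  list=$(mktemp) || return 1
  # -mtime +N matches files whose age exceeds N full days, the same test
  # the plain cron job uses; the list file keeps the loop out of a subshell
  # so the counter survives.
  find "$logdir" -type f -mtime "+$days" > "$list"
  while IFS= read -r f; do
    rel=${f#"$logdir"/}
    dest="$backup/$rel.gz"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would prune: $f -> $dest" >&2
      continue
    fi
    mkdir -p "$(dirname "$dest")" || continue
    # Compress into the backup; keep the original if compression failed.
    if gzip -c "$f" > "$dest"; then
      rm -f "$f"
      count=$((count + 1))
    else
      rm -f "$dest"
      echo "backup failed, keeping $f" >&2
    fi
  done < "$list"
  rm -f "$list"
  echo "$count"
}

# Daily cron entry for this script (hypothetical path and backup location):
#   0 0 * * * /usr/local/bin/wazuh-prune.sh /var/ossec/logs/alerts /backup/alerts 7
if [ "$#" -eq 3 ]; then
  prune_logs "$1" "$2" "$3"
fi
```

Run it once with `DRY_RUN=1` to see which files would be removed before putting it in cron.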