Indexing previously unindexed Wazuh logs


하프사

Dec 29, 2025, 11:12:07 AM
to Wazuh | Mailing List

Hello Community,

I am facing an issue related to historical Wazuh archives/alerts that were not indexed due to the shard limit on each node.

Context:

  • Wazuh Manager was running and generating logs correctly.

  • Alerts are present on disk: /var/ossec/logs/alerts/2025/Dec/ossec-alerts-*.json

As a result, there are no corresponding wazuh-{archives/alerts}-* indices for the last 2 days.

Current situation:

  • I would like to ingest or reindex these historical .json alert files so they appear correctly in Wazuh Dashboard.

I want to know whether there is any recommended approach to re-ingest historical JSON files.

Any guidance, documentation, or best practices would be greatly appreciated.

Thank you in advance for your help.

Best regards,

lucas....@wazuh.com

Dec 29, 2025, 12:05:24 PM
to Wazuh | Mailing List
Hello,

I hope you're well.

There is an official Wazuh blog post that has come in handy in the past, showing how to recover and re-ingest alert backups.

I've quickly checked and found this previous community thread where someone shared a script to unzip historical ossec-alerts files and re-send them for indexing. It could be useful to have some samples as well. Please have a look here: https://groups.google.com/g/wazuh/c/ePAHRnx0EAQ

Let me know if this helps.
Regards,
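The re-ingestion approach the reply points to, written out as a standalone script that reads the archived ossec-alerts-*.json files and sends them to the Wazuh indexer through the _bulk API. This is an added example, not code from the thread, from the linked community script, or from Wazuh itself. It assumes the standard alerts.json layout (one JSON object per line, files optionally gzip-compressed), the Wazuh 4.x daily index naming `wazuh-alerts-4.x-YYYY.MM.DD`, and an indexer reachable with basic auth; the `INDEXER_URL`, `INDEXER_USER`, `INDEXER_PASS` and `INDEXER_CA` environment variables and the `reingest` / `failed_items` helpers are names chosen here, not Wazuh conventions:

```python
"""Re-ingest archived Wazuh alert files into the Wazuh indexer via _bulk.

Added example (not from the thread or from Wazuh). Assumptions:
  - one JSON alert per line, as Wazuh writes alerts.json (plain or .gz)
  - alert index pattern wazuh-alerts-4.x-YYYY.MM.DD (Wazuh 4.x default)
  - indexer at INDEXER_URL, basic auth, optional CA bundle in INDEXER_CA
"""
import base64
import glob
import gzip
import hashlib
import json
import os
import ssl
import sys
import urllib.request
from datetime import datetime, timezone

INDEX_PREFIX = "wazuh-alerts-4.x-"  # assumption: default Wazuh 4.x alert index pattern
INDEXER_URL = os.environ.get("INDEXER_URL", "https://localhost:9200")
INDEXER_USER = os.environ.get("INDEXER_USER", "admin")
INDEXER_PASS = os.environ.get("INDEXER_PASS", "admin")
INDEXER_CA = os.environ.get("INDEXER_CA")  # path to the indexer's CA cert, if self-signed
BATCH_SIZE = 500


def iter_alerts(path):
    """Yield one parsed alert per line; blank and malformed lines are skipped, not fatal."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                print(f"skipping malformed line in {path}", file=sys.stderr)


def index_name_for(alert, prefix=INDEX_PREFIX):
    """Daily index taken from the alert's own timestamp converted to UTC, so a file
    that spans midnight is split across two daily indices."""
    ts = alert["timestamp"]  # Wazuh format: 2025-12-29T10:15:30.123+0000
    try:
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
        return prefix + day.strftime("%Y.%m.%d")
    except ValueError:
        return prefix + ts[:10].replace("-", ".")  # fall back to the date as written


def doc_id(alert):
    """Deterministic _id (agent id + Wazuh alert id) so a re-run updates documents
    instead of creating duplicates."""
    agent = alert.get("agent", {}).get("id", "000")
    return hashlib.sha1(f"{agent}:{alert.get('id', '')}".encode()).hexdigest()


def build_bulk_body(alerts):
    """Serialise a batch into the NDJSON body expected by the _bulk endpoint."""
    lines = []
    for alert in alerts:
        lines.append(json.dumps({"index": {"_index": index_name_for(alert), "_id": doc_id(alert)}}))
        lines.append(json.dumps(alert, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def failed_items(bulk_response):
    """Return (id, error) for every rejected item. HTTP 200 on _bulk does not mean
    every document was indexed; a shard limit shows up here, per item."""
    if not bulk_response.get("errors"):
        return []
    return [(item["index"].get("_id"), item["index"]["error"])
            for item in bulk_response.get("items", []) if "error" in item.get("index", {})]


def send_bulk(body, url=INDEXER_URL, user=INDEXER_USER, password=INDEXER_PASS):
    """POST one bulk body and return the parsed JSON response."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{url}/_bulk", data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/x-ndjson", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=INDEXER_CA)
    with urllib.request.urlopen(req, timeout=60, context=ctx) as resp:
        return json.load(resp)


def reingest(paths, sender=send_bulk):
    """Stream all files in batches; returns (indexed, rejected) counts."""
    indexed = rejected = 0
    batch = []

    def flush():
        nonlocal indexed, rejected
        if not batch:
            return
        bad = failed_items(sender(build_bulk_body(batch)))
        rejected += len(bad)
        indexed += len(batch) - len(bad)
        for _id, err in bad:
            print(f"rejected {_id}: {err.get('reason', err)}", file=sys.stderr)
        batch.clear()

    for path in paths:
        for alert in iter_alerts(path):
            batch.append(alert)
            if len(batch) >= BATCH_SIZE:
                flush()
    flush()
    return indexed, rejected


if __name__ == "__main__":
    pattern = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/logs/alerts/2025/Dec/ossec-alerts-*.json*"
    ok, bad = reingest(sorted(glob.glob(pattern)))
    print(f"indexed {ok} alerts, {bad} rejected")
```

Two points matter in practice. First, the indexer answers `_bulk` with HTTP 200 even when individual documents are rejected, so the script inspects the per-item `errors` field; the shard limit that caused the gap in the first place has to be resolved (or the affected daily indices created) before running it, otherwise the same rejections simply reappear here. Second, the `_id` is derived from the agent id and Wazuh's own alert id, so the script can be re-run safely after fixing a batch without doubling alert counts in the dashboard.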