Delete old records


gustavo rodriguez

Oct 28, 2022, 11:00:05 AM10/28/22
to Wazuh mailing list
Hello community, how are you?

What is the best way to delete old logs/data, to free up storage on our wazuh server?

Nicolas Agustin Guevara Pihen

Oct 28, 2022, 12:50:12 PM10/28/22
to Wazuh mailing list
Hello Gussr, thank you for using Wazuh! 

There are logs stored in the Wazuh server and in Elasticsearch/Wazuh-indexer. I will explain the different ways of freeing up space.

Elasticsearch/Wazuh-indexer logs:
To free up space in the Elasticsearch or Wazuh indexer server, you need to delete old indices. This can be done through the API or from the web interface.

Open the side menu and go to Dev Tools

Inside that option, you will see a console where you can write commands and run them with the green triangle on the right side. In this case, you will want to delete indices with, for example, DELETE wazuh-alerts-4.x-2022.10* . Note that you can use wildcards. The command in the example will delete all wazuh-alerts indices from the current month.

It is also possible to run those commands without accessing the web interface. To do that you can send requests to the server API from a terminal with this format:
curl -X DELETE 'https://<your_elastic_address>:<your_elastic_port>/wazuh-alerts-4.x-2022.10.*' -u <your_elastic_username>:<your_elastic_password> -k
For example: curl -X DELETE 'https://localhost:9200/wazuh-alerts-4.x-2022.10.*' -u elastic:MyElasticSecretPassword -k

Additionally, you can configure a retention policy to move indices to cold storage or delete them automatically after some time. This will allow you, for example, to keep only the logs from the last three months. You can see more information about that process in this blog. If you have an Elasticsearch license, you should follow the Elastic ILM steps. If you have Opendistro or Wazuh-indexer, you should follow the OpenDistro ISM steps.

Wazuh Server logs:
Wazuh by default stores its alerts in the /var/ossec/logs/alerts folder. Inside that, there are two files (alerts.json and alerts.log) that contain only the alerts of the current day. There are also folders that contain the compressed logs of previous days. They are ordered by year and month. It is possible to just delete some of those folders without issues and thus free up space. Note that the deletion of those folders is irreversible, and you will not be able to recover them after that.

Additionally, if the option logall or logall_json is enabled in the manager's ossec.conf, Wazuh will store the archives in /var/ossec/logs/archives with the same structure as the alerts logs. These logs contain every log that has reached the manager, regardless of whether an alert was generated or not, and for that reason they will use more space than the alert logs. It is recommended to disable the logall or logall_json options unless you need them, to reduce the storage requirements of the manager.

I hope you find this information helpful. Let me know if you have any questions or doubts. 

Kind regards,
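The answer above covers both storage locations (daily wazuh-alerts indices in the indexer, and the compressed day files under /var/ossec/logs/alerts). The script below is an added example, not code from the thread or from the Wazuh project, that puts the two steps into one retention job a practitioner could schedule. It assumes an indexer at INDEXER_URL (default https://localhost:9200) with credentials in INDEXER_USER/INDEXER_PASS, daily index names of the form wazuh-alerts-4.x-YYYY.MM.dd, compressed day files named *.gz under /var/ossec/logs/alerts/<year>/<month>/, and GNU date for the cutoff arithmetic. Unlike the wildcard DELETE shown in the thread, it first lists the indices, keeps only exact names whose date is older than the cutoff, defaults to a dry run, and verifies the indexer certificate with --cacert when INDEXER_CA is set instead of always passing -k.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): prune daily wazuh-alerts-4.x indices and the
# compressed on-disk alert files once they are older than RETENTION_DAYS.
# Assumptions: indexer at $INDEXER_URL with credentials in INDEXER_USER/INDEXER_PASS,
# daily index names wazuh-alerts-4.x-YYYY.MM.dd, day files under
# /var/ossec/logs/alerts/<year>/<month>/ compressed as *.gz, and GNU date.
set -eu

INDEXER_URL="${INDEXER_URL:-https://localhost:9200}"
RETENTION_DAYS="${RETENTION_DAYS:-90}"
DRY_RUN="${DRY_RUN:-1}"   # print what would be removed; set DRY_RUN=0 to really delete
ALERTS_DIR="${ALERTS_DIR:-/var/ossec/logs/alerts}"

# Print the YYYY.MM.dd suffix of a daily alerts index; fail for anything else so that
# wazuh-monitoring-*, wazuh-statistics-*, security indices etc. are never selected.
index_date() {
  case "$1" in
    wazuh-alerts-4.x-[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) printf '%s\n' "${1##*-}" ;;
    *) return 1 ;;
  esac
}

# Succeed if the index's date (compared as YYYYMMDD) is strictly before the cutoff (YYYYMMDD).
index_expired() {
  local d
  d="$(index_date "$1")" || return 1
  [ "$(printf '%s' "$d" | tr -d .)" -lt "$2" ]
}

# Read index names from stdin (one per line, as _cat/indices?h=index returns them)
# and print only the expired daily alert indices.
select_expired() {
  while IFS= read -r idx; do
    [ -n "$idx" ] || continue
    if index_expired "$idx" "$1"; then printf '%s\n' "$idx"; fi
  done
}

# DELETE one index by exact name (no wildcard: the name already passed index_date).
delete_index() {
  idx="$1"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'dry run: would delete index %s\n' "$idx"
    return 0
  fi
  # Verify the indexer certificate when a CA bundle is given; fall back to -k otherwise.
  if [ -n "${INDEXER_CA:-}" ]; then set -- --cacert "$INDEXER_CA"; else set -- -k; fi
  curl -sS --fail "$@" -X DELETE "${INDEXER_URL}/${idx}" -u "${INDEXER_USER}:${INDEXER_PASS}"
  printf '\n'
}

# Remove compressed day files older than RETENTION_DAYS. The current day's
# alerts.log / alerts.json are not *.gz and are therefore never touched.
prune_local_archives() {
  if [ "$DRY_RUN" = 1 ]; then
    find "$ALERTS_DIR" -type f -name '*.gz' -mtime "+$RETENTION_DAYS" -print
  else
    find "$ALERTS_DIR" -type f -name '*.gz' -mtime "+$RETENTION_DAYS" -print -delete
  fi
}

main() {
  cutoff="$(date -u -d "-${RETENTION_DAYS} days" +%Y%m%d)"
  if [ -n "${INDEXER_CA:-}" ]; then set -- --cacert "$INDEXER_CA"; else set -- -k; fi
  curl -sS --fail "$@" -u "${INDEXER_USER}:${INDEXER_PASS}" \
      "${INDEXER_URL}/_cat/indices/wazuh-alerts-4.x-*?h=index" \
    | select_expired "$cutoff" \
    | while IFS= read -r idx; do delete_index "$idx"; done
  prune_local_archives
}

# Only act when invoked explicitly, e.g.:
#   DRY_RUN=1 RETENTION_DAYS=90 ./prune-wazuh.sh --run   (review)
#   DRY_RUN=0 RETENTION_DAYS=90 ./prune-wazuh.sh --run   (delete)
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with the default DRY_RUN=1 and read the list before switching to DRY_RUN=0; as the answer notes, deletions on both sides are irreversible. The file-based pruning leaves empty year/month directories behind, which is harmless; the index side deletes one index per request by exact name so a typo in the pattern cannot widen into a wildcard deletion.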