Wazuh keep a maximum of 60 days of information


Daniel Hinojo

Jan 28, 2021, 11:37:17 AM
to Wazuh mailing list
Good morning, Dear. A query: how can I configure my Wazuh so that when it has 60 days of information it begins to delete it, in order to free up space? Please, your support. Thank you.

elw...@wazuh.com

Jan 29, 2021, 1:46:36 AM
to Wazuh mailing list
Hello Daniel,

You can define a cronjob on your Wazuh manager server to remove data older than 60 days as follows:

  • Edit the cron job file: `crontab -e`

  • Add the command: `45 0 * * * find /var/ossec/logs/ -name "*.gz" -type f -mtime +60 -exec rm -f {} \;`. It will delete all compressed files under /var/ossec/logs that have not been modified in the last 60 days, every day at 00:45.

Hope it helps,

Regards,
Wali

Davide Bozzelli

Jan 29, 2021, 2:40:46 AM
to elw...@wazuh.com, Wazuh mailing list
Hi

I think he means the ELK data too, which is the no. 1 disk space consumer.




elw...@wazuh.com

Feb 1, 2021, 5:08:53 AM
to Wazuh mailing list

Hello Davide,

If he is referring to the data in Elasticsearch, Index Lifecycle Management can be implemented as described thoroughly here: https://wazuh.com/blog/wazuh-index-management/. He would need to specify only the delete phase to keep 60 days.


Hope it helps,

Regards,
Wali


Daniel Hinojo

Feb 3, 2021, 10:28:07 PM
to Wazuh mailing list
Thanks to all for your answers. With this link, can I free up disk space from all the history of both the Elastic and ossec logs?

elw...@wazuh.com

Feb 4, 2021, 1:57:27 AM
to Wazuh mailing list
Hello Daniel,

The guide from the link is for Elastic, and the first answer with the cronjob is for Wazuh/ossec alerts/logs.

Regards,
El Wali

Daniel Hinojo

Feb 22, 2021, 12:44:28 PM
to Wazuh mailing list
Good morning, Dear. I'm trying to do what you tell me according to the blog https://wazuh.com/blog/wazuh-index-management/, but I can't find the Index Lifecycle Policies path. I'm currently using Wazuh 4.0; please, if you could help me.

And another query: when deleting logs from Wazuh/ossec, is it also necessary to delete them in the Elastic index?

elw...@wazuh.com

Feb 23, 2021, 7:34:49 AM
to Wazuh mailing list
Hello Daniel,

I am not sure what you are referring to by the Lifecycle Policies path, as Lifecycle policies are accessible and defined using the UI, and it will be different between Opendistro and Elastic Basic:


Opendistro:

[Image: ISM-1-create-policy.png]

Elastic basic:

[Image: ILM-1-create-policy.png]




The data/alerts are stored by default in Wazuh under the path `/var/ossec/logs/alerts/` (the reason I provided the cronjob in my first response) and in Elasticsearch in the indices; so deleting them should be performed in each component.

Wazuh and Elastic stack data flow:

[Image: deployment.png]

You can read more about the data flow here: https://documentation.wazuh.com/current/getting-started/architecture.html#communications-and-data-flow

Hope this helps.

Regards,
Wali

Daniel Hinojo

Feb 23, 2021, 5:25:59 PM
to Wazuh mailing list
Thank you very much, it worked for me. But I have a doubt: I see that there are .log files in the location `/var/ossec/logs/alerts/2021/Jan/`. They weigh a lot and have not changed for more than 30 days. Should that .log extension also be removed, or only the .gz?

Gene Comer

Feb 23, 2021, 5:49:08 PM
to Wazuh mailing list

elw...@wazuh.com

Feb 24, 2021, 5:40:48 AM
to Wazuh mailing list
Hello Daniel,

You are welcome, always glad to help.

For your question, you need to tweak the cronjob command to search for `.log` files as well. It would result in: `45 0 * * * find /var/ossec/logs/ -type f \( -name "*.gz" -o -name "*.log" \) -mtime +60 -exec rm -f {} \;`



Hope this helps.

Regards,
Wali
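
A small retention helper written for this thread (not the list's or Wazuh's own code) that generalises both cron commands above into reusable functions; it assumes POSIX find, a Linux-style `touch -t`, and builds its own throwaway fixture, so it runs without a Wazuh install:

```shell
#!/bin/sh
# Added example, not code from the thread: a retention helper for the rotated
# alert/archive files under /var/ossec/logs, generalising the cron one-liners
# quoted above. Needs only POSIX find; directory and age are parameters.

# Core selection: regular *.gz or *.log files under $1 older than $2 days
# (-mtime +N means more than N full days). Extra arguments are the action.
# The \( ... \) grouping is essential: find's -o binds looser than the
# implicit -a, so "-name '*.gz' -o -name '*.log' -type f -mtime +60 -exec rm"
# applies the age test and the rm to the *.log branch only.
wazuh_find() {
    dir=$1; days=$2; shift 2
    find "$dir" -type f \( -name '*.gz' -o -name '*.log' \) -mtime "+$days" "$@"
}

# List the files the cron job would remove (dry run) or remove them.
wazuh_expired_files() { wazuh_find "$1" "${2:-60}" -print; }
wazuh_prune()         { wazuh_find "$1" "${2:-60}" -exec rm -f {} +; }

# The ungrouped form, kept only to show what it silently skips.
wazuh_expired_files_ungrouped() {
    find "$1" -name '*.gz' -o -name '*.log' -type f -mtime "+${2:-60}" -print
}

# Constructed fixture in the thread's layout: one old rotated .log, one old
# .gz and a freshly written active log. Prints three counts: files selected
# by the grouped and ungrouped forms, and files left after pruning.
wazuh_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/alerts/2021/Jan"
    : > "$d/alerts/2021/Jan/ossec-alerts-01.log"
    : > "$d/alerts/2021/Jan/ossec-alerts-01.log.gz"
    : > "$d/ossec.log"                          # active log, modified now
    touch -t 202001010000 "$d/alerts/2021/Jan/ossec-alerts-01.log" \
                          "$d/alerts/2021/Jan/ossec-alerts-01.log.gz"
    grouped=$(wazuh_expired_files "$d" 60 | wc -l | tr -d ' ')
    ungrouped=$(wazuh_expired_files_ungrouped "$d" 60 | wc -l | tr -d ' ')
    wazuh_prune "$d" 60
    left=$(find "$d" -type f | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$grouped $ungrouped $left"             # prints "2 1 1"
}
```

Run `wazuh_expired_files /var/ossec/logs 60` first to review what a cron entry would delete before scheduling `wazuh_prune`.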

Daniel Hinojo

Feb 28, 2021, 6:05:27 PM
to Wazuh mailing list
Thanks a lot, I was already able to configure it, and it works very well.