What is the impact if the logs on the Wazuh server are moved to another place?
147 views
Skip to first unread message
Juan Ferdinan
Mar 13, 2023, 3:27:47 AM3/13/23
to Wazuh mailing list
Hi Wazuh Teams,
Currently, my wazuh server storage is already using 93%. After checking, the most usage is in the folder:
/var/lib/wazuh-indexer/nodes/0/indices -> 396G
/var/ossec/logs/archives -> 374G
Can I move these logs to another storage location? And is there any impact on wazuh?
Thanks & Regards
Juan
mayte...@wazuh.com
Mar 13, 2023, 4:52:19 AM3/13/23
to Wazuh mailing list
Hi Juan Ferdinan,
The /var/lib/wazuh-indexer/nodes/0/indices contains the indices in which the data related to the events and alerts generated are indexed.
The /var/ossec/logs/archives folder contains the generated events (and the /var/ossec/logs/alerts folder contains the alerts triggered by these events).
Regarding archives, you should preserve the following files or directories (some of them may not be present depending on the configuration) to ensure the service works properly:
Regarding the /var/lib/wazuh-indexer/nodes/0/indices folder, you may perform a snapshot and then delete the indices. The files cannot be moved directly because it may corrupt the data.
You can skip the snapshot and use the recovery.py script (you will require the alerts and/or archives files) in case you want to recover the alerts, but the process will be slower than if you directly restore the snapshot (and an additional backup would be available).
Please note that deleting the indexes will result in the loss of the data indexed in Wazuh indexer (alerts and events), so please be careful when removing indices and keep in mind your own legal and regulatory requirements.
I hope it helps. Please, keep us updated.
Best regards
The /var/lib/wazuh-indexer/nodes/0/indices contains the indices in which the data related to the events and alerts generated are indexed.
The /var/ossec/logs/archives folder contains the generated events (and the /var/ossec/logs/alerts folder contains the alerts triggered by these events).
Regarding archives, you should preserve the following files or directories (some of them may not be present depending on the configuration) to ensure the service works properly:
- /var/ossec/logs/archives/archives.json
- /var/ossec/logs/archives/archives.log
- The directory tree structure for at least the current month, /var/ossec/logs/archives/2023/Mar/, and the current files that are being populated with events
Regarding the /var/lib/wazuh-indexer/nodes/0/indices folder, you may perform a snapshot and then delete the indices. The files cannot be moved directly because it may corrupt the data.
You can skip the snapshot and use the recovery.py script (you will require the alerts and/or archives files) in case you want to recover the alerts, but the process will be slower than if you directly restore the snapshot (and an additional backup would be available).
Please note that deleting the indexes will result in the loss of the data indexed in Wazuh indexer (alerts and events), so please be careful when removing indices and keep in mind your own legal and regulatory requirements.
I hope it helps. Please, keep us updated.
Best regards
Reply all
Reply to author
Forward
0 new messages