Storage monitoring and alerts in Wazuh
38 views
Skip to first unread message
하프사
Sep 15, 2025, 8:49:10 AM (7 days ago) Sep 15
to Wazuh | Mailing List
Hello,
I would like to know if there is any default configuration in Wazuh for:
-
Controlling the storage usage of the Wazuh manager and indexer (archives, logs, etc.),
-
Monitoring memory and CPU usage,
-
Generating alerts when these exceed a certain threshold.
Thanks in advance for your help!
Olamilekan Abdullateef Ajani
Sep 15, 2025, 9:50:30 AM (7 days ago) Sep 15
to Wazuh | Mailing List
Hello,
To monitor the Wazuh instance server's resource usage, you do not need to install the Wazuh agent on it. The Wazuh Manager includes a built-in agent, which can be used for self-monitoring.
After completing the setup as outlined in the Wazuh blog, you should be able to visualize the Wazuh Manager's resource usage directly in a custom Wazuh dashboard.
You may want to look into wazuh ILM policy to manage storage usage in your environment. This helps you optimize the wazuh indexer cluster performance by controlling the lifecycle on an index.
Another means for the wazuh server is log rotation, by default logs are stored in the /var/ossec/logs/ and are rotated daily and archived, you can see attached screenshot. Depending on what could be eating up into your storage, you can turn off archives. Archives stores logs indefinitely weather they trigger an alert or not.
To do this, just navigate to the wazuh server ossec.conf file and turn it off with the config block below:
<global>
<logall>no</logall> <!-- If yes, archives.log grows very large -->
<logall_json>no</logall_json>
</global>
this can save you lot of disk space.
To do this, just navigate to the wazuh server ossec.conf file and turn it off with the config block below:
<global>
<logall>no</logall> <!-- If yes, archives.log grows very large -->
<logall_json>no</logall_json>
</global>
this can save you lot of disk space.
I would recommend reviewing the Wazuh Linux system monitoring documentation for steps to monitor the Manager's resource consumption. Instead of using the default rules from the Wazuh blog, you can use the following custom rules to monitor CPU, memory, disk, and load usage:
<group name="performance_metric,">
<!-- CPU, Memory and Disk usage -->
<rule id="100054" level="3">
<decoded_as>general_health_check</decoded_as>
<description>CPU | MEMORY | DISK usage metrics</description>
</rule>
<!-- High memory usage -->
<rule id="100055" level="12">
<if_sid>100054</if_sid>
<field name="memory_usage_%" type="pcre2">^[8-9]\d|100</field>
<description>Memory usage is high: $(memory_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- High CPU usage -->
<rule id="100056" level="12">
<if_sid>100054</if_sid>
<field name="cpu_usage_%" type="pcre2">^[8-9]\d|100</field>
<description>CPU usage is high: $(cpu_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- High disk usage -->
<rule id="100057" level="12">
<if_sid>100054</if_sid>
<field name="disk_usage_%" type="pcre2">[7-9]\d|100</field>
<description>Disk space is running low: $(disk_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- Load average check -->
<rule id="100058" level="3">
<decoded_as>load_average_check</decoded_as>
<description>load average metrics</description>
</rule>
<!-- memory check -->
<rule id="100059" level="3">
<decoded_as>memory_check</decoded_as>
<description>Memory metrics</description>
</rule>
<!-- Disk check -->
<rule id="100060" level="3">
<decoded_as>disk_check</decoded_as>
<description>Disk metrics</description>
</rule>
</group>
<!-- CPU, Memory and Disk usage -->
<rule id="100054" level="3">
<decoded_as>general_health_check</decoded_as>
<description>CPU | MEMORY | DISK usage metrics</description>
</rule>
<!-- High memory usage -->
<rule id="100055" level="12">
<if_sid>100054</if_sid>
<field name="memory_usage_%" type="pcre2">^[8-9]\d|100</field>
<description>Memory usage is high: $(memory_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- High CPU usage -->
<rule id="100056" level="12">
<if_sid>100054</if_sid>
<field name="cpu_usage_%" type="pcre2">^[8-9]\d|100</field>
<description>CPU usage is high: $(cpu_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- High disk usage -->
<rule id="100057" level="12">
<if_sid>100054</if_sid>
<field name="disk_usage_%" type="pcre2">[7-9]\d|100</field>
<description>Disk space is running low: $(disk_usage_%)%</description>
<options>no_full_log</options>
</rule>
<!-- Load average check -->
<rule id="100058" level="3">
<decoded_as>load_average_check</decoded_as>
<description>load average metrics</description>
</rule>
<!-- memory check -->
<rule id="100059" level="3">
<decoded_as>memory_check</decoded_as>
<description>Memory metrics</description>
</rule>
<!-- Disk check -->
<rule id="100060" level="3">
<decoded_as>disk_check</decoded_as>
<description>Disk metrics</description>
</rule>
</group>
Please let me know if these meets your requirements or you require additional information on this.
Ref:
하프사
Sep 16, 2025, 8:30:18 AM (6 days ago) Sep 16
to Wazuh | Mailing List
Thank you Olamilekan,
This is precisely what I needed.
Reply all
Reply to author
Forward
0 new messages