Deleting Shards Manually in Wazuh
From Notes_Wiki
Introduction
Over time, Wazuh can accumulate a large number of indexes, and with them index shards, especially for alerts and archives. By default, Wazuh-Indexer may contain up to 1000 indexes. To manage storage effectively, it is sometimes necessary to manually delete older indexes, specifically those related to alerts and archives.
Prerequisites
- Access to Wazuh Dashboard with **admin** credentials.
- Ensure you only delete the following types of indexes:
  - wazuh-alerts-*
  - wazuh-archives-*
- All deletions are permanent and should be done with caution.
Steps to Delete Indexes Manually
1. Login to Wazuh Dashboard
- Open your browser and navigate to the Wazuh Dashboard URL.
- Enter your **admin** username and password.
2. Open Index Management
- In the dashboard, go to:
  Menu > Indexer Management > Index Management > Indexes
- This will open the **Indexes** window, where all existing indexes in your Wazuh-Indexer are listed.
3. Identify the Indexes
- Use the search bar at the top of the Indexes window to filter index names.
- Common index patterns include:
  - wazuh-statistics-*
  - wazuh-states-vulnerabilities-wazuh-manager
  - wazuh-monitoring-*
  - wazuh-archives-4.x-*
  - wazuh-alerts-4.x-*
- Only focus on:
  - wazuh-alerts-*
  - wazuh-archives-*
4. Select Indexes to Delete
- In the search results, select the checkboxes next to the indexes you want to delete.
- Ensure that you select only **old indexes** that are no longer needed.
5. Delete the Selected Indexes
- After selecting the desired indexes, click on the Actions button located in the top-right corner of the window.
- From the dropdown, click on the Delete option.
6. Confirm Deletion
- A **Delete Indexes** confirmation dialog box will appear.
- In the confirmation field, type: `delete`
- Click the **Delete** button to permanently delete the selected indexes.
Notes
- Index deletions are irreversible.
- Be cautious not to delete active or recent indexes.
- Deleting old indexes (and the shards they hold) helps free up disk space and maintain optimal performance.
Consequences of Deleting Non-Alert/Archive Indexes in Wazuh
Overview
Wazuh uses various indexes to store alerts, logs, system state, statistics, and other operational data. While it is safe to delete old `wazuh-alerts-*` and `wazuh-archives-*` indexes to manage disk space, deleting other indexes can break essential functionality.
Safe to Delete Indexes
- wazuh-alerts-*
- Stores processed alerts generated by Wazuh rules.
- Safe to delete when old and no longer needed.
- wazuh-archives-*
- Stores archived raw logs.
- Can be deleted periodically to free up space.
Unsafe to Delete Indexes
- wazuh-monitoring-*
  - Contains internal Wazuh monitoring data.
  - Tracks agent status, system metrics, and health checks.
  - Impact: Dashboard components related to system monitoring may stop functioning or display "No data available".
- wazuh-statistics-*
  - Stores statistical summaries and aggregated event data.
  - Used in dashboards showing trends and metrics.
  - Impact: Graphs and statistics panels will break or become blank.
- wazuh-states-vulnerabilities-*
  - Tracks the state of vulnerabilities detected on endpoints.
  - Used by the Vulnerability Detection module.
  - Impact: Loss of vulnerability data; module may show empty results or errors.
- wazuh-agent-* / wazuh-cluster-*
  - Used internally to track agent configurations, state, and cluster node communication.
  - Impact: Agents may lose connection/state; cluster operations may fail or become unstable.
General Risks
- Loss of critical functionality in the Wazuh dashboard.
- Permanent loss of operational or security-related data.
- Modules and widgets may display errors or no data.
Best Practices
- Only delete:
- `wazuh-alerts-*`
- `wazuh-archives-*`
- Always verify the index date or suffix before deletion.
- Consider automating retention policies using Index Lifecycle Management (ILM) if supported.
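The following script is an added example, not part of this wiki page or of the Wazuh project. It automates the manual steps above (identify, select, delete) and the retention best practice in one place: it lists indexes through the indexer REST API, keeps only `wazuh-alerts-*` / `wazuh-archives-*` names whose date suffix is older than a retention window, refuses every other family listed as unsafe on this page, and runs in dry-run mode unless explicitly told to delete. It assumes the indexer is reachable at `https://localhost:9200` with basic-auth credentials and that daily indexes carry a `YYYY.MM.DD` suffix such as `wazuh-alerts-4.x-2024.01.15` (the sample names at the bottom are constructed). For a built-in alternative, the Wazuh indexer is OpenSearch-based, where the retention mechanism is Index State Management (ISM).

```python
"""Retention-based cleanup of Wazuh alert/archive indexes (added example, not Wazuh code).

Only wazuh-alerts-* and wazuh-archives-* indexes older than a retention window are
selected; monitoring, statistics, states, agent and cluster indexes are never touched.
Assumptions: indexer at https://localhost:9200 with basic auth, daily indexes named
with a YYYY.MM.DD suffix (e.g. wazuh-alerts-4.x-2024.01.15).
"""
import base64
import json
import re
import ssl
import urllib.request
from datetime import date, timedelta

# Index families the page marks as safe to delete once old.
SAFE_PREFIXES = ("wazuh-alerts-", "wazuh-archives-")
# Families the page lists as unsafe: a name starting with any of these is never deleted.
PROTECTED_PREFIXES = ("wazuh-monitoring-", "wazuh-statistics-",
                      "wazuh-states-", "wazuh-agent-", "wazuh-cluster-")
# Daily index suffix: wazuh-alerts-4.x-2024.01.15 -> 2024.01.15
DATE_SUFFIX = re.compile(r"-(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name):
    """Return the date encoded in the index name, or None if absent or invalid."""
    m = DATE_SUFFIX.search(name)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13: treat as unknown age, never as old
        return None


def is_safe_family(name):
    """True only for wazuh-alerts-*/wazuh-archives-*; protected prefixes always win."""
    if name.startswith(PROTECTED_PREFIXES):
        return False
    return name.startswith(SAFE_PREFIXES)


def select_expired(index_names, retention_days, today=None):
    """Indexes that are both in a safe family and older than the retention window.

    Names without a parseable date are skipped, not deleted: an unknown age is
    treated as recent so that a naming change cannot trigger a mass deletion.
    """
    today = today or date.today()
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for name in index_names:
        d = index_date(name)
        if is_safe_family(name) and d is not None and d < cutoff:
            expired.append(name)
    return sorted(expired)


def _request(method, url, user, password, body=None, verify_tls=True):
    # Minimal urllib client; the Wazuh indexer serves HTTPS with basic auth by default.
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab installs that still use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    data = json.dumps(body).encode() if body is not None else None
    with urllib.request.urlopen(req, data=data, context=ctx) as resp:
        return json.loads(resp.read().decode())


def list_indexes(base_url, user, password, verify_tls=True):
    """Names of all wazuh-alerts-*/wazuh-archives-* indexes via the _cat/indices API."""
    url = f"{base_url}/_cat/indices/wazuh-alerts-*,wazuh-archives-*?format=json&h=index"
    rows = _request("GET", url, user, password, verify_tls=verify_tls)
    return [row["index"] for row in rows]


def delete_expired(base_url, user, password, retention_days, dry_run=True, verify_tls=True):
    """Delete expired safe-family indexes one by one; returns the names acted on."""
    names = list_indexes(base_url, user, password, verify_tls)
    targets = select_expired(names, retention_days)
    for name in targets:
        assert is_safe_family(name)  # belt and braces: never DELETE a protected index
        if dry_run:
            print(f"[dry-run] would delete {name}")
        else:
            _request("DELETE", f"{base_url}/{name}", user, password, verify_tls=verify_tls)
            print(f"deleted {name}")
    return targets


if __name__ == "__main__":
    # Constructed sample names; no indexer is contacted unless delete_expired is called.
    sample = [
        "wazuh-alerts-4.x-2024.01.15", "wazuh-alerts-4.x-2024.06.01",
        "wazuh-archives-4.x-2024.01.10", "wazuh-monitoring-2024.01.15",
        "wazuh-statistics-2024.01.15", "wazuh-states-vulnerabilities-wazuh-manager",
    ]
    print(select_expired(sample, 90, today=date(2024, 6, 10)))
    # To run against a real indexer (dry run first, then dry_run=False once the list is right):
    # delete_expired("https://localhost:9200", "admin", "<password>", retention_days=90)
```

Run it once with the default dry run and compare the printed list against the Indexes window before switching `dry_run` off; an index whose name does not end in a date is deliberately left alone rather than guessed at.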