Deleting Shards Manually in Wazuh

From Notes_Wiki

Introduction

The Wazuh indexer (OpenSearch) creates a new wazuh-alerts-* index every day, and a new wazuh-archives-* index every day as well when archiving is enabled; each index is made up of one or more shards. OpenSearch caps a cluster at 1000 open shards per data node by default (cluster.max_shards_per_node). Once that limit is reached the next daily index cannot be created, and new alerts stop being indexed. Deleting an index deletes its shards, so the usual way to reclaim shards and disk space is to remove old alert and archive indexes, which is what this page describes.

Prerequisites

  • Access to Wazuh Dashboard with **admin** credentials.
  • Ensure you only delete the following types of indexes:
    • wazuh-alerts-*
    • wazuh-archives-*
  • All deletions are permanent and should be done with caution; if the data may still be needed (a retention obligation, an open investigation), take an indexer snapshot of those indexes first.

Steps to Delete Indexes Manually

1. Login to Wazuh Dashboard

  • Open your browser and navigate to the Wazuh Dashboard URL.
  • Enter your **admin** username and password.

2. Navigate to Index Management

  • In the dashboard, go to:
 Menu > Indexer Management > Index Management > Indexes
  • This will open the **Indexes** window, where all existing indexes in your Wazuh-Indexer are listed.

3. Identify the Indexes

  • Use the search bar at the top of the Indexes window to filter index names.
  • Common index patterns include:
    • wazuh-statistics-*
    • wazuh-states-vulnerabilities-wazuh-manager
    • wazuh-monitoring-*
    • wazuh-archives-4.x-*
    • wazuh-alerts-4.x-*
  • Only focus on:
    • wazuh-alerts-*
    • wazuh-archives-*

4. Select Indexes to Delete

  • In the search results, select the checkboxes next to the indexes you want to delete.
  • Ensure that you select only **old indexes** that are no longer needed.

5. Delete the Selected Indexes

  • After selecting the desired indexes, click on the Actions button located in the top-right corner of the window.
  • From the dropdown, click on the Delete option.

6. Confirm Deletion

  • A **Delete Indexes** confirmation dialog box will appear.
  • In the confirmation field, type: delete
  • Click the **Delete** button to permanently delete the selected indexes.
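The same clean-up scripted against the indexer's REST API, as an added example (it is not part of the original page and not Wazuh's own tooling). It assumes the indexer listens at https://127.0.0.1:9200, that admin credentials are supplied through the environment variables WAZUH_INDEXER_USER and WAZUH_INDEXER_PASS (names chosen for this example, as is the optional WAZUH_INDEXER_CA), and the default daily naming wazuh-alerts-4.x-YYYY.MM.DD / wazuh-archives-4.x-YYYY.MM.DD. It only reports what it would delete unless --apply is given, and its allow-list refuses any name that is not an alerts or archives index, so the index families listed as unsafe below can never be selected.

```python
import base64
import json
import os
import re
import ssl
import sys
import urllib.request
from datetime import date, timedelta

# Assumed endpoint and credential source (not from the page).
INDEXER_URL = os.environ.get("WAZUH_INDEXER_URL", "https://127.0.0.1:9200")

# Allow-list: only daily alert/archive indices, e.g. wazuh-alerts-4.x-2024.01.15.
# wazuh-monitoring-*, wazuh-statistics-*, wazuh-states-*, .opendistro_security
# and every other name fail this match and can never be selected for deletion.
DELETABLE = re.compile(r"^wazuh-(alerts|archives)-[^-]+-(\d{4})\.(\d{2})\.(\d{2})$")


def index_date(name):
    """Date encoded in an alerts/archives index name, or None for any other name
    (including names whose suffix is not a real calendar date)."""
    m = DELETABLE.match(name)
    if not m:
        return None
    try:
        return date(int(m.group(2)), int(m.group(3)), int(m.group(4)))
    except ValueError:
        return None


def select_deletable(names, keep_days, today=None):
    """Indices strictly older than keep_days. Today's index is never chosen,
    even with keep_days=0, because the comparison is strict."""
    today = today or date.today()
    cutoff = today - timedelta(days=keep_days)
    chosen = []
    for name in names:
        d = index_date(name)
        if d is not None and d < cutoff:
            chosen.append(name)
    return sorted(chosen)


def indexer(method, path, body=None):
    """Minimal authenticated call to the indexer REST API: basic auth, TLS
    verified against WAZUH_INDEXER_CA if set, otherwise the system trust store."""
    creds = f"{os.environ['WAZUH_INDEXER_USER']}:{os.environ['WAZUH_INDEXER_PASS']}"
    ctx = ssl.create_default_context(cafile=os.environ.get("WAZUH_INDEXER_CA"))
    req = urllib.request.Request(
        INDEXER_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"null")


def list_indices():
    """All index names in the cluster, via the _cat API in JSON form."""
    return [row["index"] for row in indexer("GET", "/_cat/indices?format=json&h=index")]


def delete_indices(names, dry_run=True):
    """Delete one index per request so a single failure does not abort the run.
    Re-checks the allow-list, so a caller cannot slip in a monitoring index."""
    done = []
    for name in names:
        if index_date(name) is None:
            raise ValueError(f"refusing to delete non-alert/archive index {name!r}")
        if not dry_run:
            indexer("DELETE", "/" + name)
        done.append(name)
    return done


if __name__ == "__main__":
    # usage: python wazuh_prune.py [KEEP_DAYS] [--apply]   (dry run by default)
    args = [a for a in sys.argv[1:] if a != "--apply"]
    keep_days = int(args[0]) if args else 90
    apply = "--apply" in sys.argv
    for name in delete_indices(select_deletable(list_indices(), keep_days), dry_run=not apply):
        print(("deleted " if apply else "would delete ") + name)
```

Run it once without --apply, read the list it prints, and only then re-run with --apply; the dry run costs nothing and is the equivalent of the confirmation dialog in the dashboard.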

Notes

  • Index deletions are irreversible.
  • Be cautious not to delete active or recent indexes; today's index is the one Filebeat is currently writing to.
  • Deleting old indexes removes their shards, which frees disk space and keeps the shard count under the per-node limit.


Consequences of Deleting Non-Alert/Archive Indexes in Wazuh

Overview

Wazuh uses various indexes to store alerts, logs, system state, statistics, and other operational data. While it is safe to delete old `wazuh-alerts-*` and `wazuh-archives-*` indexes to manage disk space, deleting other indexes can break essential functionality.

Safe to Delete Indexes

  • wazuh-alerts-*
    • Stores processed alerts generated by Wazuh rules.
    • Safe to delete when old and no longer needed.
  • wazuh-archives-*
    • Stores archived raw logs.
    • Can be deleted periodically to free up space.

Unsafe to Delete Indexes

wazuh-monitoring-*

  • Holds the periodic snapshots of agent connection status (active, disconnected, never connected) that the dashboard's agent-status widgets and history charts are built from.
  • Impact: Dashboard components related to system monitoring may stop functioning or display "No data available".

wazuh-statistics-*

  • Stores the manager statistics the dashboard collects from the API (analysisd and remoted counters such as events received, dropped and queue usage).
  • Used by the Statistics section of the dashboard to show trends and metrics.
  • Impact: Graphs and statistics panels will break or become blank.

wazuh-states-vulnerabilities-*

  • Tracks the state of vulnerabilities detected on endpoints.
  • Used by the Vulnerability Detection module.
  • Impact: Loss of vulnerability data; module may show empty results or errors.

wazuh-agent-* / wazuh-cluster-*

  • Wazuh does not create indexes with these names by default: agent registration and state live in the manager's wazuh-db, and cluster nodes talk to each other directly (port 1516), so neither depends on the indexer.
  • If indexes with such names exist in your cluster, something else created them (a custom integration or ingest pipeline). Find out what writes to and reads from them before touching them.

Internal dot-prefixed indexes (.opendistro_security, .kibana)

  • .opendistro_security holds the security plugin's users, roles and role mappings; .kibana holds the dashboard's saved objects (index patterns, visualizations, dashboards).
  • Impact: deleting them locks everyone out of the indexer or wipes the dashboard configuration, and they are tiny, so no storage clean-up ever needs to touch them.

General Risks

  • Loss of critical functionality in the Wazuh dashboard.
  • Permanent loss of operational or security-related data.
  • Modules and widgets may display errors or no data.

Best Practices

  • Only delete:
    • `wazuh-alerts-*`
    • `wazuh-archives-*`
  • Always verify the index date or suffix before deletion.
  • Automate retention with an Index State Management (ISM) policy. The Wazuh indexer is OpenSearch-based, so ISM, not Elasticsearch's ILM, is the lifecycle mechanism it ships with; a policy that deletes wazuh-alerts-* and wazuh-archives-* indexes past a given age removes the need for manual clean-up and the risk of a mis-click on the wrong index.
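A retention policy of that kind, built and applied through the ISM REST API, as an added example (not part of the original page and not code from the Wazuh project). It assumes the same indexer URL and WAZUH_INDEXER_USER / WAZUH_INDEXER_PASS / WAZUH_INDEXER_CA environment variables as the deletion script above; the policy id wazuh-retention is an arbitrary name chosen here. The policy_is_safe check enforces the page's rule that only the alerts and archives families may be deleted, so a pattern like wazuh-* is rejected before anything reaches the cluster.

```python
import base64
import json
import os
import ssl
import urllib.request

# Assumed endpoint and credential source (not from the page).
INDEXER_URL = os.environ.get("WAZUH_INDEXER_URL", "https://127.0.0.1:9200")
SAFE_PREFIXES = ("wazuh-alerts-", "wazuh-archives-")


def build_retention_policy(days, patterns=("wazuh-alerts-*", "wazuh-archives-*")):
    """ISM policy: a new index starts in state 'hot' and, once its age passes
    `days`, transitions to state 'delete', whose only action removes it.
    ism_template makes ISM attach the policy automatically to indices created
    later whose names match `patterns`."""
    return {"policy": {
        "description": f"Delete Wazuh alert/archive indices older than {days} days",
        "default_state": "hot",
        "states": [
            {"name": "hot", "actions": [],
             "transitions": [{"state_name": "delete",
                              "conditions": {"min_index_age": f"{days}d"}}]},
            {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
        ],
        "ism_template": [{"index_patterns": list(patterns), "priority": 100}],
    }}


def policy_is_safe(policy):
    """True only if every pattern the policy auto-attaches to stays inside the
    alerts/archives families. 'wazuh-*' would also sweep up wazuh-monitoring-*,
    wazuh-statistics-* and wazuh-states-vulnerabilities-*, so it is rejected."""
    for tmpl in policy["policy"].get("ism_template", []):
        for pattern in tmpl["index_patterns"]:
            if not pattern.startswith(SAFE_PREFIXES):
                return False
    return True


def indexer(method, path, body=None):
    """Minimal authenticated call to the indexer REST API (basic auth, TLS
    verified against WAZUH_INDEXER_CA if set, otherwise the system trust store)."""
    creds = f"{os.environ['WAZUH_INDEXER_USER']}:{os.environ['WAZUH_INDEXER_PASS']}"
    ctx = ssl.create_default_context(cafile=os.environ.get("WAZUH_INDEXER_CA"))
    req = urllib.request.Request(
        INDEXER_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"null")


def apply_retention(policy_id, days):
    """Create the policy, then attach it to the indices that already exist:
    ism_template only covers indices created after the policy. Updating an
    existing policy needs the if_seq_no/if_primary_term query parameters."""
    policy = build_retention_policy(days)
    if not policy_is_safe(policy):
        raise ValueError("policy would apply outside wazuh-alerts-*/wazuh-archives-*")
    indexer("PUT", f"/_plugins/_ism/policies/{policy_id}", policy)
    for pattern in policy["policy"]["ism_template"][0]["index_patterns"]:
        indexer("POST", f"/_plugins/_ism/add/{pattern}", {"policy_id": policy_id})
    return policy


if __name__ == "__main__":
    print(json.dumps(apply_retention("wazuh-retention", 90), indent=2))
```

After applying, GET /_plugins/_ism/explain/wazuh-alerts-* shows which state each index is in; ISM evaluates transitions on a schedule, so a freshly attached policy takes a few minutes before the first old index disappears.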