Script to Pull Logs from Wazuh-Manager to Local VM

From Notes_Wiki

Wazuh Log Pull and Cleanup Script

This script pulls the rotated archive and alert logs from a remote Wazuh Manager over rsync/SSH into a local log store on the VM. It then removes the plain-text duplicates and anything past the retention period so the local copy stays small.

Script: pull_wazuh_logs.sh

#!/bin/bash
# Stop on the first error or unset variable: a failed pull must not be
# followed by the retention sweep below.
set -euo pipefail

# === CONFIGURATION ===
SOURCE_USER="wazuhpull"
SOURCE_HOST="MANAGER-IP"  # Wazuh Manager IP
ARCHIVES_SRC="/var/ossec/logs/archives"
ALERTS_SRC="/var/ossec/logs/alerts"
DEST_BASE="/var/wazuh/log-store"
RETENTION_DAYS=365        # how long rotated JSON logs are kept on the local VM

# === Function to Pull Logs ===
pull_logs() {
    local source_path="$1"
    local dest_path="$2"
    local type="$3"

    echo "Pulling $type logs from $SOURCE_HOST:$source_path to $dest_path"
    mkdir -p "$dest_path"

    # -a keeps the manager's mtimes, which the retention sweep below relies on.
    # --ignore-existing never re-fetches a file already in the store.
    # The plain-text duplicates (.log.gz/.log.sum) are excluded here: pulling
    # them only to delete them below would re-download them on every run.
    # BatchMode makes ssh fail at once instead of hanging on a password prompt.
    rsync -az --ignore-existing \
        --exclude='*.log.gz' --exclude='*.log.sum' \
        -e "ssh -o BatchMode=yes" \
        "${SOURCE_USER}@${SOURCE_HOST}:${source_path}/" "${dest_path}/"
}

# === Pull Archives ===
pull_logs "$ARCHIVES_SRC" "$DEST_BASE/archives" "archives"

# === Pull Alerts (if available) ===
# Rotated alerts live under <year>/<month>/ossec-alerts-<day>.{json,log}.gz.
# A single * per path component is enough; ** only means "recursive" in bash
# with globstar on, which the remote login shell does not have.
if ssh -o BatchMode=yes "${SOURCE_USER}@${SOURCE_HOST}" \
       "ls ${ALERTS_SRC}/20*/*/ossec-alerts-*.gz" >/dev/null 2>&1; then
    pull_logs "$ALERTS_SRC" "$DEST_BASE/alerts" "alerts"
else
    echo "No rotated alert logs found on Wazuh Manager."
fi

# === CLEANUP (local store only; nothing on the manager is touched) ===
cleanup_store() {
    local dir="$1"
    [ -d "$dir" ] || return 0          # nothing has been pulled into this store yet

    # .log.gz/.log.sum duplicates left behind by earlier runs.
    echo "Removing .log.gz and .log.sum files from $dir to save space..."
    find "$dir" -type f \( -name "*.log.gz" -o -name "*.log.sum" \) -delete

    # Rotated JSON logs past the retention period (judged on preserved mtime).
    echo "Cleaning up .json.gz and .json.sum files older than $RETENTION_DAYS days in $dir..."
    find "$dir" -type f \( -name "*.json.gz" -o -name "*.json.sum" \) \
        -mtime +"$RETENTION_DAYS" -delete

    # Year/month directories left empty; -mindepth 1 keeps $dir itself.
    echo "Removing empty directories under $dir..."
    find "$dir" -mindepth 1 -type d -empty -delete
}

cleanup_store "$DEST_BASE/archives"
cleanup_store "$DEST_BASE/alerts"

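The cleanup section deletes with find, and nothing on this page checks it before it runs against /var/wazuh/log-store. The following is an added example, not part of the wiki's script: it wraps the same three find passes in a function and rehearses them on a constructed throwaway tree (the year/month layout, file names and timestamps are made up to mimic the manager's), so you can see exactly which files survive a 365-day retention. The function names prune_log_store, build_sample_store and demo_prune are this example's own.

```shell
#!/bin/sh
# Added example, not part of pull_wazuh_logs.sh: rehearse the cleanup
# section against a constructed throwaway log store before pointing it at
# /var/wazuh/log-store. Needs only POSIX sh plus find/touch/mktemp.

# prune_log_store DEST RETENTION_DAYS
# The same three passes as the script's cleanup section, parameterised:
#   1. drop the plain-text duplicates (.log.gz/.log.sum)
#   2. drop rotated JSON logs (.json.gz/.json.sum) older than RETENTION_DAYS
#   3. drop directories left empty, but never DEST itself (-mindepth 1)
prune_log_store() {
    dest="$1"
    days="$2"
    find "$dest" -type f \( -name '*.log.gz' -o -name '*.log.sum' \) -delete
    find "$dest" -type f \( -name '*.json.gz' -o -name '*.json.sum' \) \
        -mtime +"$days" -delete
    find "$dest" -mindepth 1 -type d -empty -delete
}

# build_sample_store ROOT
# Constructed sample tree in the manager's <year>/<month>/ossec-*-<day>
# layout. Files stamped January 2020 stand in for "older than a year";
# files touched now stand in for this month's rotations.
build_sample_store() {
    root="$1"
    now_ym="$(date +%Y)/$(date +%b)"
    mkdir -p "$root/archives/2020/Jan" "$root/alerts/2020/Jan" \
             "$root/archives/$now_ym"  "$root/alerts/$now_ym"
    for f in ossec-archive-01.json.gz ossec-archive-01.json.sum \
             ossec-archive-01.log.gz  ossec-archive-01.log.sum; do
        touch -t 202001010000 "$root/archives/2020/Jan/$f"
    done
    touch -t 202001010000 "$root/alerts/2020/Jan/ossec-alerts-01.json.gz" \
                          "$root/alerts/2020/Jan/ossec-alerts-01.log.gz"
    touch "$root/archives/$now_ym/ossec-archive-02.json.gz" \
          "$root/archives/$now_ym/ossec-archive-02.log.gz" \
          "$root/alerts/$now_ym/ossec-alerts-02.json.gz"
}

# demo_prune: run the sweep on a temporary store and print what survived,
# one path per line relative to the store root, sorted.
demo_prune() {
    root="$(mktemp -d)"
    build_sample_store "$root"
    prune_log_store "$root" 365
    (cd "$root" && find . -type f | sed 's|^\./||' | sort)
    rm -rf "$root"
}

demo_prune
```

Only the two current-month .json.gz files survive: every .log.gz/.log.sum goes regardless of age, the 2020 JSON files fall to the 365-day rule, and 2020/Jan plus 2020 disappear in the empty-directory pass while the store root itself stays because of -mindepth 1. Without -mindepth 1 an empty archives or alerts store would be deleted along with its contents.
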
How to Run the Script

  • Either make the file executable or pass it to bash; both run the same script.
  • Run it as a user that can write to DEST_BASE (/var/wazuh/log-store by default) and that holds the SSH key for $SOURCE_USER.

Option 1: Make it Executable

chmod +x pull_wazuh_logs.sh
./pull_wazuh_logs.sh

Option 2: Run Using Bash

bash pull_wazuh_logs.sh

Notes

  • Configure SSH key-based authentication for $SOURCE_USER on the manager so the script never stops at a password prompt. Use a dedicated, unprivileged account whose only extra right is read access to /var/ossec/logs (membership in the wazuh group on a default install; check with ls -l /var/ossec/logs), and lock the key down in authorized_keys with the restrict option. A compromised local VM then gains log read access on the manager and nothing more.
  • Adjust file paths, the retention period, and the manager IP to your environment.
  • --ignore-existing means a file already in the store is never fetched again. That is what keeps repeated runs cheap, but it also means the live, still-growing files (archives.json, archives.log, alerts.json, alerts.log) are copied once and then left stale; only the rotated, compressed files can be relied on as complete. It also means anything the cleanup deletes will be fetched again on the next run unless rsync is told to exclude it.
  • rsync -a preserves the manager's modification times, and the one-year retention is judged on those (find -mtime +365), not on when a file arrived locally. Copying the store with a tool that resets mtimes would restart the clock.
  • The cleanup runs only on the local copy and never deletes anything on the manager.
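
Provisioning the pull account on the manager, as an added example that is not from the wiki page. It assumes a Linux manager where /var/ossec/logs is owned by wazuh:wazuh with group read access, that useradd and usermod are available, and that rrsync (shipped with rsync 3.2.4 and later) is on the manager's PATH; the public key is a constructed placeholder and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: provision the read-only pull
# account on the Wazuh manager. Assumes a Linux manager where /var/ossec/logs
# is wazuh:wazuh with group read, useradd/usermod exist, and rrsync
# (shipped with rsync >= 3.2.4) is on the manager's PATH.

PULL_USER="wazuhpull"
LOG_ROOT="/var/ossec/logs"
# Constructed placeholder key: paste the local VM's real public key here.
PULL_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialNotARealKey wazuhpull@local-vm"

# Accept only a single "type base64 [comment]" line, so a multi-line paste
# (or a private key pasted by mistake) never lands in authorized_keys.
valid_pubkey() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# authorized_keys entry that pins the key to a read-only rsync server rooted
# at LOG_ROOT (rrsync -ro) and removes pty, agent, port and X11 forwarding
# (restrict). Usage: restricted_key_line PUBKEY ROOT
restricted_key_line() {
    printf 'command="rrsync -ro %s",restrict %s\n' "$2" "$1"
}

# Run as root on the manager. Idempotent, so it can be re-run to rotate the key.
install_pull_account() {
    valid_pubkey "$PULL_PUBKEY" || { echo "refusing malformed public key" >&2; return 1; }
    # A real shell is required: sshd runs the forced command through the
    # account's login shell, so /usr/sbin/nologin would block rsync as well.
    id "$PULL_USER" >/dev/null 2>&1 || useradd --system --create-home --shell /bin/sh "$PULL_USER"
    usermod -aG wazuh "$PULL_USER"                       # read access to $LOG_ROOT
    home="$(getent passwd "$PULL_USER" | cut -d: -f6)"
    grp="$(id -gn "$PULL_USER")"
    install -d -m 700 -o "$PULL_USER" -g "$grp" "$home/.ssh"
    restricted_key_line "$PULL_PUBKEY" "$LOG_ROOT" > "$home/.ssh/authorized_keys"
    chown "$PULL_USER:$grp" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# On the manager, as root:
# install_pull_account
```

install_pull_account has to run as root on the manager; valid_pubkey and restricted_key_line can be tried anywhere. The rrsync forced command has two consequences for pull_wazuh_logs.sh: rrsync interprets remote paths relative to the directory it was given, so ARCHIVES_SRC and ALERTS_SRC become archives and alerts rather than the absolute /var/ossec/logs paths; and it accepts only rsync server invocations, so the ssh ... ls pre-check for rotated alerts is refused and must be replaced with rsync --list-only on the alerts directory or dropped. If you would rather leave the script untouched, omit the command= part and keep only restrict: the account still has nothing beyond read access to the logs, but the key can then run arbitrary commands as that account.
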