Script to Pull Logs from Wazuh-Manager to Local VM
From Notes_Wiki
Wazuh Log Pull and Cleanup Script
This script pulls logs from a remote Wazuh Manager and stores them locally. It then performs cleanup of unnecessary files to save space.
Script: pull_wazuh_logs.sh
#!/bin/bash
# Pull rotated Wazuh Manager logs to a local log store and prune what is not
# needed. Run it on the local VM as a user whose SSH key is accepted by
# $SOURCE_USER on the manager.

# === CONFIGURATION ===
SOURCE_USER="wazuhpull"
SOURCE_HOST="MANAGER-IP"                  # Wazuh Manager IP
ARCHIVES_SRC="/var/ossec/logs/archives"   # rotated archives on the manager
ALERTS_SRC="/var/ossec/logs/alerts"       # rotated alerts on the manager
DEST_BASE="/var/wazuh/log-store"          # local log store

# === Function to Pull Logs ===
# pull_logs SOURCE_PATH DEST_PATH TYPE
pull_logs() {
    local source_path="$1"
    local dest_path="$2"
    local type="$3"
    echo "Pulling $type logs from $SOURCE_HOST:$source_path to $dest_path"
    mkdir -p "$dest_path"
    # --ignore-existing: files already present locally are never re-transferred.
    # The .log.gz/.log.sum files deleted further down are therefore fetched
    # again on every run; add matching --exclude options here if that transfer
    # is unwanted.
    rsync -az --ignore-existing "${SOURCE_USER}@${SOURCE_HOST}:${source_path}/" "${dest_path}/"
}

# === Pull Archives ===
pull_logs "$ARCHIVES_SRC" "$DEST_BASE/archives" "archives"

# === Pull Alerts (if available) ===
# Rotated alerts live under YYYY/Mon/ on the manager; ls exits non-zero when
# the pattern matches nothing, so the pull is skipped in that case.
if ssh "${SOURCE_USER}@${SOURCE_HOST}" "ls $ALERTS_SRC/20*/*/ossec-alerts-*.gz" >/dev/null 2>&1; then
    pull_logs "$ALERTS_SRC" "$DEST_BASE/alerts" "alerts"
else
    echo "No rotated alert logs found on Wazuh Manager."
fi

# === DELETE .log.gz AND .log.sum FILES TO SAVE SPACE ===
# Only the JSON copies of the rotated logs are kept locally.
echo "Removing .log.gz and .log.sum files to save space..."
find "$DEST_BASE/archives" -type f \( -name "*.log.gz" -o -name "*.log.sum" \) -exec rm -f {} \;
find "$DEST_BASE/alerts" -type f \( -name "*.log.gz" -o -name "*.log.sum" \) -exec rm -f {} \;

# === DELETE .json.gz AND .json.sum FILES OLDER THAN 1 YEAR ===
echo "Cleaning up .json.gz and .json.sum files older than 1 year..."
find "$DEST_BASE/archives" -type f \( -name "*.json.gz" -o -name "*.json.sum" \) -mtime +365 -exec rm -f {} \;
find "$DEST_BASE/alerts" -type f \( -name "*.json.gz" -o -name "*.json.sum" \) -mtime +365 -exec rm -f {} \;

# === REMOVE EMPTY FOLDERS ===
echo "Removing empty directories..."
find "$DEST_BASE/archives" -type d -empty -delete
find "$DEST_BASE/alerts" -type d -empty -delete
How to Run the Script
- To run the script, either make the file executable or invoke it with bash.
- Either of the following works:
Option 1: Make it Executable
chmod +x pull_wazuh_logs.sh
./pull_wazuh_logs.sh
Option 2: Run Using Bash
bash pull_wazuh_logs.sh
Notes
- Ensure SSH key-based authentication is configured for $SOURCE_USER to avoid password prompts.
- Adjust file paths, retention periods, and host IPs according to your environment.
- The script avoids pulling already existing files by using --ignore-existing in rsync.
- The cleanup section removes old logs and empty directories to save storage space.
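The cleanup rules described above, factored into one function with a dry-run switch and a guard against an empty or root base path, as an added example that is not part of the wiki's script; cleanup_store and make_demo_store are names chosen here, and the demo tree is constructed to mirror the YYYY/Mon layout of rotated Wazuh logs.

```shell
#!/bin/bash
# Added example, not the wiki's pull_wazuh_logs.sh.
#
# cleanup_store BASE_DIR RETENTION_DAYS [DRY_RUN]
#   - deletes *.log.gz / *.log.sum immediately (the .json.* copies are kept)
#   - deletes *.json.gz / *.json.sum older than RETENTION_DAYS
#   - removes directories left empty
#   - with DRY_RUN=1 it only prints what would be removed
cleanup_store() {
    local base="$1" days="$2" dry="${3:-0}"
    # Refuse an unset, empty, or root base path: the recursive finds below
    # would otherwise walk the wrong tree when DEST_BASE is misconfigured.
    case "$base" in ""|/) echo "refusing to clean '$base'" >&2; return 2 ;; esac
    [ -d "$base" ] || { echo "not a directory: $base" >&2; return 2; }
    local action=-delete
    [ "$dry" = 1 ] && action=-print
    find "$base" -type f \( -name '*.log.gz' -o -name '*.log.sum' \) $action
    find "$base" -type f \( -name '*.json.gz' -o -name '*.json.sum' \) \
        -mtime +"$days" $action
    [ "$dry" = 1 ] || find "$base" -type d -empty -delete
}

# Constructed demo store (hypothetical content): one month of current files
# and one month of files 400 days old, so the retention rule has something
# to act on.
make_demo_store() {
    local base="$1" old_epoch
    old_epoch=$(( $(date +%s) - 400 * 86400 ))   # 400 days ago
    mkdir -p "$base/archives/2023/Jan" "$base/archives/2024/Jun" "$base/alerts/2024/Jun"
    touch "$base/archives/2024/Jun/ossec-archive-01.json.gz" \
          "$base/archives/2024/Jun/ossec-archive-01.log.gz" \
          "$base/archives/2024/Jun/ossec-archive-01.log.sum" \
          "$base/alerts/2024/Jun/ossec-alerts-01.json.gz"
    touch -d "@$old_epoch" "$base/archives/2023/Jan/ossec-archive-01.json.gz" \
                           "$base/archives/2023/Jan/ossec-archive-01.json.sum"
}
```

Run `cleanup_store /var/wazuh/log-store 365 1` first to see what a real run would remove; the dry run also prints nothing for the empty-directory pass, since that only happens after files are actually deleted.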