Difference between revisions of "Deleting Shards Manually in Wazuh"
From Notes_Wiki
Sunilvarma (talk | contribs) (Created page with "Home > Wazuh > Deleting Shards Manually in Wazuh")
Latest revision as of 10:43, 2 July 2025
Deleting Shards Manually in Wazuh
Introduction
Over time, Wazuh can accumulate a large number of index shards, especially for alerts and archives. By default, Wazuh-Indexer may contain up to 1000 indexes. To manage storage effectively, it's sometimes necessary to manually delete older indexes, specifically those related to alerts and archives.
Prerequisites
- Access to Wazuh Dashboard with **admin** credentials.
- Ensure you only delete the following types of indexes:
  - wazuh-alerts-*
  - wazuh-archives-*
- All deletions are permanent and should be done with caution.
Steps to Delete Indexes Manually
1. Log in to Wazuh Dashboard
- Open your browser and navigate to the Wazuh Dashboard URL.
- Enter your **admin** username and password.
2. Navigate to Index Management
- In the dashboard, go to:
  Menu > Indexer Management > Index Management > Indexes
- This will open the **Indexes** window, where all existing indexes in your Wazuh-Indexer are listed.
3. Identify the Indexes
- Use the search bar at the top of the Indexes window to filter index names.
- Common index patterns include:
  - wazuh-statistics-*
  - wazuh-states-vulnerabilities-wazuh-manager
  - wazuh-monitoring-*
  - wazuh-archives-4.x-*
  - wazuh-alerts-4.x-*
- Only focus on:
  - wazuh-alerts-*
  - wazuh-archives-*
4. Select Indexes to Delete
- In the search results, select the checkboxes next to the indexes you want to delete.
- Ensure that you select only **old indexes** that are no longer needed.
5. Delete the Selected Indexes
- After selecting the desired indexes, click on the Actions button located in the top-right corner of the window.
- From the dropdown, click on the Delete option.
6. Confirm Deletion
- A **Delete Indexes** confirmation dialog box will appear.
- In the confirmation field, type: `delete`
- Click the **Delete** button to permanently delete the selected indexes.
Notes
- Index deletions are irreversible.
- Be cautious not to delete active or recent indexes.
- Deleting old shards helps free up disk space and maintain optimal performance.
Consequences of Deleting Non-Alert/Archive Indexes in Wazuh
Overview
Wazuh uses various indexes to store alerts, logs, system state, statistics, and other operational data. While it is safe to delete old `wazuh-alerts-*` and `wazuh-archives-*` indexes to manage disk space, deleting other indexes can break essential functionality.
Safe to Delete Indexes
- wazuh-alerts-*
  - Stores processed alerts generated by Wazuh rules.
  - Safe to delete when old and no longer needed.
- wazuh-archives-*
  - Stores archived raw logs.
  - Can be deleted periodically to free up space.
Unsafe to Delete Indexes
wazuh-monitoring-*
- Contains internal Wazuh monitoring data.
- Tracks agent status, system metrics, and health checks.
- Impact: Dashboard components related to system monitoring may stop functioning or display "No data available".
wazuh-statistics-*
- Stores statistical summaries and aggregated event data.
- Used in dashboards showing trends and metrics.
- Impact: Graphs and statistics panels will break or become blank.
wazuh-states-vulnerabilities-*
- Tracks the state of vulnerabilities detected on endpoints.
- Used by the Vulnerability Detection module.
- Impact: Loss of vulnerability data; module may show empty results or errors.
wazuh-agent-* / wazuh-cluster-*
- Used internally to track agent configurations, state, and cluster node communication.
- Impact: Agents may lose connection/state; cluster operations may fail or become unstable.
General Risks
- Loss of critical functionality in the Wazuh dashboard.
- Permanent loss of operational or security-related data.
- Modules and widgets may display errors or no data.
Best Practices
- Only delete:
  - `wazuh-alerts-*`
  - `wazuh-archives-*`
- Always verify the index date or suffix before deletion.
- Consider automating retention policies using Index Lifecycle Management (ILM) if supported.
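
The "only delete alerts and archives" and "verify the index date or suffix" rules above can be applied mechanically before anything is selected for deletion. The following Python filter is an added example, not part of the original page; it assumes daily indexes end in a YYYY.MM.DD suffix, and the sample names and 90-day window are constructed.

```python
import re
from datetime import date, timedelta

# Assumption: daily indexes end in a YYYY.MM.DD suffix (e.g. wazuh-alerts-4.x-2025.06.01).
DELETABLE = re.compile(r"^wazuh-(?:alerts|archives)-.+-(\d{4})\.(\d{2})\.(\d{2})$")


def select_for_deletion(index_names, today, keep_days):
    """Return (delete, keep): names safe to delete, and (name, reason) pairs to keep."""
    cutoff = today - timedelta(days=keep_days)
    delete, keep = [], []
    for name in index_names:
        m = DELETABLE.match(name)
        if not m:
            # Anything outside wazuh-alerts-*/wazuh-archives-* is never a candidate.
            keep.append((name, "not a dated alerts/archives index"))
            continue
        try:
            day = date(*map(int, m.groups()))
        except ValueError:
            # Suffix looks like a date but is not one: do not guess its age.
            keep.append((name, "invalid date suffix"))
            continue
        if day >= cutoff:
            keep.append((name, "inside retention window"))
        else:
            delete.append(name)
    return sorted(delete), keep


# Constructed sample listing, not taken from a real indexer.
SAMPLE_INDEXES = [
    "wazuh-alerts-4.x-2025.01.15",
    "wazuh-archives-4.x-2025.04.02",
    "wazuh-alerts-4.x-2025.04.03",
    "wazuh-alerts-4.x-2025.07.01",
    "wazuh-monitoring-2025.01.06",
    "wazuh-statistics-2025.01.06",
    "wazuh-states-vulnerabilities-wazuh-manager",
    "wazuh-alerts-4.x-2025.13.40",
]

if __name__ == "__main__":
    delete, keep = select_for_deletion(SAMPLE_INDEXES, date(2025, 7, 2), keep_days=90)
    for name in delete:
        print("DELETE", name)
    for name, reason in keep:
        print("KEEP  ", name, "-", reason)
```

Review the DELETE list against the Indexes window before selecting those entries; the filter never proposes monitoring, statistics or vulnerability-state indexes, even when their names carry an old date.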