Export of alerts or logs in Wazuh

From Notes_Wiki
Revision as of 12:50, 2 July 2025 by Bhargava (talk | contribs)


How to Export Alerts and Logs in CSV Format from the Wazuh Dashboard

Steps

  1. Log in to the Wazuh Dashboard.
  2. Click on the Menu option.
  3. Navigate to Threat Intelligence → Threat Hunting and click on Events.
  4. To export alerts related to a specific agent:
    • Click on Explore Agent and select the desired agent.
  5. To filter data for a specific time range:
    • Click on the calendar symbol and select the required period (e.g., Last 24 hours, Last 7 days, Last 30 days, or Last 90 days).
    • You can further refine the data using the Add Filter option to filter by fields such as:
      • Agent ID
      • Agent Name
      • Source IP
      • Destination IP
  6. Choose the type of data you want to export:
    • In the top-right corner, select:
      • wazuh-alerts to export alert data.
      • wazuh-archives to export log data.
  7. Select the fields to include in the export:
    • Click on the Available Fields option below the graph.
    • Choose the fields you wish to export.
  8. Click on the Export Formatted option to export the data in CSV format.
  9. A CSV file will be downloaded containing the selected alerts or logs based on your configuration.

Notes

  • Use filtering options effectively to extract relevant data.
  • Ensure you have the necessary permissions to access and export alert/log data.

How to Export Alerts and Logs from Wazuh Manager

This article explains how to export alert logs (`alerts.json`) and archived logs (`archives.json`) from a Wazuh manager for analysis, backup, or migration purposes.

Overview

Wazuh stores event data in two primary locations:

  • Alerts: `/var/ossec/logs/alerts/alerts.json`
  • Archives: `/var/ossec/logs/archives/archives.json`

These logs can be exported for compliance, incident response, offline analysis, or forwarding to other platforms.

Exporting Alerts

1. Locate the alerts file

The default alert file is: `/var/ossec/logs/alerts/alerts.json`

2. Export alerts to another machine

You can use `scp` (secure copy) to export alerts:

```bash
scp /var/ossec/logs/alerts/alerts.json user@destination_ip:/path/to/store/
```

Example:

```bash
scp /var/ossec/logs/alerts/alerts.json analyst@192.168.1.50:/data/wazuh/alerts/
```

3. Compress before exporting (optional)

To reduce file size, compress the file first and then copy the compressed archive:

```bash
gzip -c /var/ossec/logs/alerts/alerts.json > alerts.json.gz
scp alerts.json.gz user@destination_ip:/path/to/store/
```

Exporting Archives

1. Locate the archives file

The archive logs are stored at: `/var/ossec/logs/archives/archives.json`

2. Export using scp

```bash
scp /var/ossec/logs/archives/archives.json user@destination_ip:/path/to/store/
```

3. Compress and export

```bash
gzip -c /var/ossec/logs/archives/archives.json > archives.json.gz
scp archives.json.gz user@destination_ip:/path/to/store/
```

Notes

  • Make sure the destination machine has SSH access enabled and sufficient permissions.
  • Use a secure file transfer method if logs contain sensitive data.
  • For scheduled exports, use cron with a script to automate the process.
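A cron-ready wrapper for the gzip-and-scp steps above, added here as an example and not taken from the original page or from Wazuh itself. It assumes a Linux manager with coreutils `sha256sum`, and the output directory, script path, schedule and destination host in the comments are placeholders.

```bash
#!/bin/sh
# Added example (not part of the original wiki page): snapshot a Wazuh log file,
# compress it with a UTC date stamp, record a SHA-256 checksum beside it, and
# copy both files to a remote host with scp. All paths and hosts are placeholders.
set -eu

# archive_log SRC OUTDIR -> prints the path of the compressed snapshot.
# The .sha256 sidecar lets the receiving side confirm the copy arrived intact.
archive_log() {
    src="$1"; outdir="$2"
    mkdir -p "$outdir"
    out="$outdir/$(basename "$src").$(date -u +%Y%m%dT%H%M%SZ).gz"
    gzip -c "$src" > "$out"
    sha256sum "$out" | awk '{print $1}' > "$out.sha256"
    printf '%s\n' "$out"
}

# verify_archive ARCHIVE -> returns 0 only if the checksum matches and the
# gzip stream is intact; used before transfer and usable again on the receiver.
verify_archive() {
    arc="$1"
    [ "$(sha256sum "$arc" | awk '{print $1}')" = "$(cat "$arc.sha256")" ] || return 1
    gzip -t "$arc"
}

# export_log SRC OUTDIR USER@HOST:/remote/dir -> archive, verify, then scp
# the archive and its checksum together.
export_log() {
    arc=$(archive_log "$1" "$2")
    verify_archive "$arc"
    scp -q "$arc" "$arc.sha256" "$3"
}

# Run from cron, for example (assumed schedule, path and destination):
#   0 1 * * * /usr/local/bin/wazuh-export.sh /var/ossec/logs/alerts/alerts.json \
#       /var/tmp/wazuh-export analyst@192.168.1.50:/data/wazuh/alerts/
if [ "$#" -eq 3 ]; then
    export_log "$1" "$2" "$3"
fi
```

Run the script with no arguments to load the functions only; with three arguments it performs one export, which is how the cron entry invokes it.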