State Management Policy configuration in Wazuh for Retention

From Notes_Wiki, revision as of 13:32, 8 July 2025 by Sunilvarma

Index Retention

Security standards require that log data remain available for audit for a minimum period. Data older than that retention period can be deleted to reclaim storage.

Wazuh stores alerts and archives as indices in the Wazuh indexer, an OpenSearch-based component. Its Index State Management (ISM) plugin can delete indices automatically once they reach a configured age, so no external cleanup job is needed. The same mechanism can also be used for index rollovers.

Creating a Retention Policy

Step 1: Access State Management Policies

  1. Click on the upper left menu icon (☰).
  2. Navigate to Indexer Management.
  3. Select Index Management.
  4. Choose the tab State Management Policies.
  5. Click on the button Create policy.
  6. Select Visual editor as the configuration method.
  7. Click Continue.

Step 2: Define Policy Information

  • In the Policy info section:
    • Enter a unique name in the Policy ID field.
  Example: wazuh-alert-retention-policy
    • (Optional) Add a meaningful description in the Description field to clarify the policy's purpose.

Step 3: Assign ISM Template

  • Click on Add template under the ISM templates section.
  • Specify the index pattern to which this policy will apply.
 Example: wazuh-alerts-* 
  • If the archives should follow the same retention, add the archives pattern as well, either as a second template or as a second pattern in the same template:
wazuh-archives-*
  • Leave the priority as the default value (1) or set a higher value if this policy should take precedence over others. When the templates of several policies match a newly created index, the policy with the highest priority is attached.
  • Note that an ISM template attaches the policy only to indices created after the policy is saved. Indices that already exist must be attached manually (see below).

Step 4: Add Deletion State

  • Click Add state to create a state responsible for deleting old indices.
    • Enter a name for the state.
  Example: delete_alerts
  • Inside this state:
    • Click Add action.
    • From the Action type dropdown, select Delete.
    • Click Add action to confirm.
    • Click Save state to save the deletion state.

Step 5: Add Initial State

  • Click Add state again to define the initial state.
    • Enter a name.
  Example: initial
  • Reorder the states:
    • Go to the Order tab.
    • Choose Add before and select delete_alerts.

Step 6: Add Transition Condition

  • Within the initial state:
    • Click Add transition.
    • Set the Destination state to delete_alerts.
    • In the Condition section:
      • Select Minimum Index Age.
      • Enter the desired retention period. The age is measured from the index creation date, not from the timestamps of the events it holds.
   Example: 90d for 90 days.
    • Click Add transition.
  • Click Save state to save the initial state.

Step 7: Finalize Policy

  • Click Create to finalize and save the policy.
  • Make sure the policy's Initial state is set to initial. If it still points at delete_alerts, every index the policy is attached to enters the delete state right away and is removed at the next ISM job run, within minutes.

ISM Policy States

At the end of this process, your policy should consist of:

  • initial state:
    • Holds the index until it reaches the minimum age (e.g., 90 days counted from the index creation date). Wazuh creates a new wazuh-alerts-4.x-YYYY.MM.DD index every day by default, so each day's alerts age out separately.
    • Transitions to delete_alerts.
  • delete_alerts state:
    • Deletes the index. The Delete action has no condition of its own, so it runs as soon as the index enters this state.
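The same two-state policy, expressed as the JSON body the visual editor produces and created through the indexer's ISM REST API instead of the UI, which is what you want for scripted or repeatable deployments. This is an added example, not code from the wiki page or from the Wazuh project. It assumes the indexer listens on https://localhost:9200 with admin credentials supplied in INDEXER_USER and INDEXER_PASS and a self-signed certificate (hence curl -k); the policy ID, state names, retention and index patterns are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Wazuh project): build the ISM
# policy described above as JSON and create it through the Wazuh indexer's
# REST API instead of the visual editor. Assumed: indexer at
# https://localhost:9200, admin credentials in INDEXER_USER/INDEXER_PASS,
# self-signed certificate (hence curl -k).
set -eu

INDEXER_URL="${INDEXER_URL:-https://localhost:9200}"
INDEXER_USER="${INDEXER_USER:-admin}"
INDEXER_PASS="${INDEXER_PASS:-admin}"

# ism_policy_json RETENTION PATTERN...
# Prints a two-state policy: "initial" holds the index until min_index_age is
# reached, "delete_alerts" deletes it. The ISM template lists every pattern
# given, so new indices matching any of them get the policy automatically.
ism_policy_json() {
    retention="$1"; shift
    patterns=""
    for p in "$@"; do
        patterns="${patterns:+$patterns, }\"$p\""
    done
    cat <<EOF
{
  "policy": {
    "description": "Delete Wazuh indices older than $retention",
    "default_state": "initial",
    "states": [
      {
        "name": "initial",
        "actions": [],
        "transitions": [
          { "state_name": "delete_alerts",
            "conditions": { "min_index_age": "$retention" } }
        ]
      },
      {
        "name": "delete_alerts",
        "actions": [ { "delete": {} } ],
        "transitions": []
      }
    ],
    "ism_template": [
      { "index_patterns": [ $patterns ], "priority": 1 }
    ]
  }
}
EOF
}

# ism_create_policy POLICY_ID RETENTION PATTERN...
# PUT creates the policy. Updating an existing policy additionally needs the
# if_seq_no and if_primary_term values returned by a GET of the policy.
ism_create_policy() {
    policy_id="$1"; shift
    ism_policy_json "$@" | curl -sk -u "$INDEXER_USER:$INDEXER_PASS" \
        -H 'Content-Type: application/json' \
        -X PUT "$INDEXER_URL/_plugins/_ism/policies/$policy_id" -d @-
}

# Usage: ./ism_policy.sh create   (without an argument the script only
# defines the functions, so it can be sourced from other scripts)
if [ "${1:-}" = "create" ]; then
    ism_create_policy wazuh-alert-retention-policy 90d 'wazuh-alerts-*' 'wazuh-archives-*'
fi
```

Setting default_state to initial in the JSON is the API equivalent of step 7: a policy whose default state is delete_alerts deletes every attached index within minutes.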

Applying the Retention Policy to Alerts and Archives Indices

After creating the Index State Management (ISM) retention policy, you still need to apply it to the indices that already exist, namely the current `wazuh-alerts-*` and `wazuh-archives-*` indices. The ISM template attaches the policy only to indices created after the policy was saved, so older indices stay unmanaged until you attach the policy by hand.

Step-by-Step Instructions

1. Open Index Management

  1. Click on the upper left menu icon (☰).
  2. Navigate to Indexer Management.
  3. Select Index Management.
  4. Go to the Indices tab.

2. Apply Policy to Alerts Indices

  1. Locate and select the indices matching the pattern wazuh-alerts-*.
  2. Click Actions and choose Apply policy.
  3. In the Apply policy to indices dialog:
    1. Select your previously created policy (e.g., wazuh-alert-retention-policy) from the Policy ID dropdown.
    2. Click Apply to bind the policy to the selected alert indices.

3. Apply Policy to Archives Indices

  1. Locate and select the indices matching the pattern wazuh-archives-*.
  2. Click Actions and choose Apply policy.
  3. In the dialog:
    1. Again, choose your retention policy (or a separate one created for archives).
    2. Click Apply to attach the policy to the archives indices.

Notes

  • You can apply the same policy to both alerts and archives if the retention period is the same.
  • If you require a different retention duration for archives, create a separate ISM policy (e.g., wazuh-archives-retention-policy) and repeat the steps above.
  • Any selected index whose age already exceeds the minimum index age moves to delete_alerts at the first ISM job runs after attachment and is deleted within minutes. Check the creation dates of the selected indices before applying a delete policy.
  • After applying, the Policy managed indices tab lists each index with its policy and current state, which is the quickest way to confirm that the policy took effect.
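The apply step and the pre-check from the notes above, done through the ISM REST API: a preflight listing of the indices that already exceed the retention age (those are deleted shortly after attachment), then the attach call and an explain call to verify. This is an added example, not code from the wiki page or from the Wazuh project. It assumes the indexer at https://localhost:9200, credentials in INDEXER_USER and INDEXER_PASS, a self-signed certificate, and the policy ID from the steps above; the demo input lines are constructed sample data, not output from a real cluster.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Wazuh project): attach the
# retention policy to existing indices through the ISM REST API, verify the
# attachment, and first list the indices that already exceed the retention
# age. Assumed: indexer at https://localhost:9200, credentials in
# INDEXER_USER/INDEXER_PASS, self-signed certificate (hence curl -k).
set -eu

INDEXER_URL="${INDEXER_URL:-https://localhost:9200}"
INDEXER_USER="${INDEXER_USER:-admin}"
INDEXER_PASS="${INDEXER_PASS:-admin}"

# indexer METHOD PATH [JSON_BODY] : one request against the indexer API.
indexer() {
    if [ $# -ge 3 ]; then
        curl -sk -u "$INDEXER_USER:$INDEXER_PASS" \
            -H 'Content-Type: application/json' -X "$1" "$INDEXER_URL$2" -d "$3"
    else
        curl -sk -u "$INDEXER_USER:$INDEXER_PASS" -X "$1" "$INDEXER_URL$2"
    fi
}

# stale_indices RETENTION_DAYS NOW_EPOCH_SECONDS  (reads stdin)
# Input lines look like "wazuh-alerts-4.x-2025.03.01 1740787200000", i.e. the
# output of GET _cat/indices?h=index,creation.date (creation.date is epoch
# milliseconds). Prints every index whose creation date is older than
# RETENTION_DAYS. min_index_age is measured from this creation date, not from
# the events' timestamps, so these indices are deleted shortly after the
# policy is attached; review the list before attaching a delete policy.
stale_indices() {
    awk -v days="$1" -v now="$2" \
        'NF >= 2 && (now - $2 / 1000) > days * 86400 { print $1 }'
}

# ism_apply POLICY_ID PATTERN : attach POLICY_ID to every existing index that
# matches PATTERN (the policy's ISM template only covers indices created later).
ism_apply() {
    indexer POST "/_plugins/_ism/add/$2" "{\"policy_id\": \"$1\"}"
}

# ism_explain PATTERN : policy_id and current ISM state of each matching index.
ism_explain() {
    indexer GET "/_plugins/_ism/explain/$1"
}

# Usage: ./ism_apply.sh preflight  - list indices the policy would delete now
#        ./ism_apply.sh apply      - attach the policy and show the result
#        ./ism_apply.sh demo       - run the age check on constructed sample data
case "${1:-}" in
    preflight)
        indexer GET '/_cat/indices/wazuh-alerts-*,wazuh-archives-*?h=index,creation.date' \
            | stale_indices 90 "$(date +%s)"
        ;;
    apply)
        ism_apply wazuh-alert-retention-policy 'wazuh-alerts-*'
        ism_apply wazuh-alert-retention-policy 'wazuh-archives-*'
        ism_explain 'wazuh-alerts-*'
        ism_explain 'wazuh-archives-*'
        ;;
    demo)
        # Constructed sample _cat output (not real data), evaluated as of
        # 2025-07-07 00:00 UTC with 90-day retention: the March and January
        # indices are stale, the June index is kept.
        printf '%s\n' \
            'wazuh-alerts-4.x-2025.03.01 1740787200000' \
            'wazuh-alerts-4.x-2025.06.20 1750377600000' \
            'wazuh-archives-4.x-2025.01.15 1736899200000' \
            | stale_indices 90 1751846400
        ;;
esac
```

Running the preflight before the apply step is the cheap way to avoid the surprise described in the notes: whatever it prints is exactly what the policy will remove at its first runs after attachment.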