Configuration
Your environment is configured by default to send Wazuh output files to cold storage.
There are two types of Wazuh output files:
The file
/var/ossec/logs/archives/archives.json
contains all events whether they tripped a rule or not. This is sent to cold storage if the settinglogall_json
is set toyes
.The file
/var/ossec/logs/alerts/alerts.json
contains only events that tripped a rule with high enough priority, according to a configurable threshold. This is always sent to cold storage.
Both files are delivered to cold storage as soon as they are rotated and compressed. This process usually takes between 10 to 30 minutes from the moment the event is received.
There is no limit on the amount of data stored in the cold storage, but the time limit is one year. After this period of time, the data is removed.
Note
Files with a .log
extension are never sent to cold storage.