Filename format

The files are stored in a directory structure that indicates the date and time each file was delivered to archive data.

The main path follows this format:

wazuh-cloud-cold-<REGION>/<CLOUD_ID>/<CATEGORY>[/<SUBCATEGORY>]/<YEAR>/<MONTH>/<DAY>

Each file has the following name:

<CLOUD_ID>_<CATEGORY>[_<SUBCATEGORY>]_<YYYYMMDDTHHmm>_<UniqueString>.<FORMAT>

The path and file name include the following fields:

| Field | Description |
|---|---|
| <REGION> | The region where the environment is located. |
| <CLOUD_ID> | Cloud ID of the environment. |
| <CATEGORY> | The value of this field must be output. |
| <SUBCATEGORY> | This field is only used by the output category. Its value is alerts or archives, matching the files it contains. |
| <YEAR> | The year when the file was delivered. |
| <MONTH> | The month when the file was delivered. |
| <DAY> | The day when the file was delivered. |
| <YYYYMMDDTHHmm> | Digits of the year, month, day, hour, and minute when the file was delivered. Hours are in 24-hour format and in UTC. A log file delivered at a specific time can contain records written at any point before that time. |
| <UniqueString> | The 16-character UniqueString component of the file name prevents overwriting files. It has no meaning, and log processing software should ignore it. |
| <FORMAT> | The encoding of the file. This field is json.gz for output files, which is a JSON text file in compressed gzip format, and tar.gz for configuration files. |
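The following Python sketch is an added example, not code from Wazuh. It parses an object key in the layout above, cross-checks the path against the file name, and selects files for an investigation window using the delivery-time rule. The sample key and the names parse_key and may_cover are constructed for illustration, and the character set of the ID fields is an assumption.

```python
import re
from datetime import datetime, timezone

# Assumption: CLOUD_ID, CATEGORY and SUBCATEGORY contain no "_" or "/";
# the page does not define their alphabet. UniqueString is matched, not captured.
KEY_RE = re.compile(
    r"^wazuh-cloud-cold-(?P<region>[^/]+)/(?P<cloud_id>[^/_]+)/(?P<category>[^/_]+)"
    r"(?:/(?P<subcategory>[^/_]+))?/(?P<year>\d{4})/(?P<month>\d{1,2})/(?P<day>\d{1,2})"
    r"/(?P<f_cloud_id>[^/_]+)_(?P<f_category>[^/_]+)(?:_(?P<f_subcategory>[^/_]+))?"
    r"_(?P<stamp>\d{8}T\d{4})_[^/_.]{16}\.(?P<format>json\.gz|tar\.gz)$"
)

# Constructed sample key, not taken from a real environment.
SAMPLE_KEY = ("wazuh-cloud-cold-us-east-1/0123456789ab/output/alerts/2024/03/05/"
              "0123456789ab_output_alerts_20240305T1015_a1B2c3D4e5F6g7H8.json.gz")

def parse_key(key):
    """Parse and cross-check one object key; raise ValueError if inconsistent."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("key does not match the documented layout")
    f = m.groupdict()
    for part in ("cloud_id", "category", "subcategory"):
        if f[part] != f.pop("f_" + part):
            raise ValueError(f"{part} differs between path and file name")
    # strptime rejects impossible dates such as month 13; the stamp is UTC.
    stamp = datetime.strptime(f.pop("stamp"), "%Y%m%dT%H%M")
    delivered = stamp.replace(tzinfo=timezone.utc)
    path_date = (int(f.pop("year")), int(f.pop("month")), int(f.pop("day")))
    if path_date != (delivered.year, delivered.month, delivered.day):
        raise ValueError("directory date differs from file name timestamp")
    if f["category"] == "output":
        if f["subcategory"] not in ("alerts", "archives") or f["format"] != "json.gz":
            raise ValueError("output files must be alerts or archives in json.gz")
    elif f["subcategory"] is not None:
        raise ValueError("subcategory is only used by the output category")
    f["delivered"] = delivered
    return f

def may_cover(key, window_start):
    """A file can hold records written any time before delivery, so only files
    delivered before the window starts can be skipped (stamp has minute resolution)."""
    return parse_key(key)["delivered"] >= window_start
```

Because a file can carry records from any time before its delivery, the file name gives no safe upper bound for a time window; filter on the record timestamps inside the file after selecting candidates with may_cover.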