Filename format

The files are stored in a directory structure that indicates the date and time the file was delivered to the archive data.

The main path follows this format:

wazuh-cloud-cold-<region>/<CLOUD_ID>/<category>[/<subcategory>]/<year>/<month>/<day>

Each file has the following name:

<CLOUD_ID>_<category>[_<subcategory>]_<YYYYMMDDTHHmm>_<UniqueString>.<format>

The files include the following fields:

field

Description

<region>

The region where the environment is located.

<cloud_id>

Cloud ID of the environment.

<category>

This field must be output.

<subcategory>

This field is only used by the output category and contains alerts or archives files.

<year>

The year when the file was delivered.

<month>

The month when the file was delivered.

<day>

The day when the file was delivered.

<YYYYMMDDTHHmm>

Digits of the year, month, day, hour, and minute when the file was delivered. Hours are in 24-hour format and in UTC. A log file delivered at a specific time can contain records written at any point before that time.

<UniqueString>

The 16-character UniqueString component of the file name prevents overwriting files. It has no meaning and log processing software should ignore it.

<format>

It is the encoding of the file. This field is json.gz for output files, which is a JSON text file in compressed gzip format, and tar.gz for configuration files.