Configuration

Your environment is configured by default to send the following data to cold storage:

Wazuh output

There are two types of Wazuh output files:

  • The file /var/ossec/logs/archives/archives.json contains all events whether they tripped a rule or not. This is sent to cold storage if the setting logall_json is set to yes.

  • The file /var/ossec/logs/alerts/alerts.json contains only events that tripped a rule with high enough priority, according to a configurable threshold. This is always sent to cold storage.

Both files are delivered to cold storage as soon as they are rotated and compressed. This process usually takes between 10 to 30 minutes from the moment the event is received.

There is no limit on the amount of data stored in the cold storage, but the time limit is one year. After this period of time, the data is removed.

Note

Files with .log extension are never sent to cold storage.

Wazuh configuration

Data corresponding to Wazuh configuration such us /var/ossec/etc or /var/ossec/api/configuration is compressed and backed up once a day.

Configuration backup is stored in cold storage for up to 30 days, after which it is deleted.