wazuh / wazuh-api

Wazuh - RESTful API
https://wazuh.com
GNU General Public License v2.0

API compressed files are named using different criteria #381

Open Phandora opened 5 years ago

Phandora commented 5 years ago
| Wazuh version | Install type | Install method | Platform |
|---|---|---|---|
| 3.8.2-3814 | Manager | Packages | Ubuntu 16.04.6 LTS |

Hi, I am uploading .gz log files generated by Wazuh from the following paths to an S3 repository:

    "logs/alerts",
    "logs/api",
    "logs/archives",
    "logs/cluster",
    "logs/firewall",
    "logs/ossec"

The backup process is performed at 00:05 after .gz log files are created.

However, compressed logs are named using different criteria.

root@wazuh-manager:/var/ossec/etc# ll /var/ossec/logs/alerts/2019/Apr/
total 20
drwxrwx--- 2 ossec ossec 4096 Apr 23 00:00 ./
drwxrwx--- 3 ossec ossec 4096 Apr 17 15:18 ../
-rw-r----- 1 ossec ossec  321 Apr 23 00:00 ossec-alerts-22.json.gz
-rw-r----- 1 ossec ossec  507 Apr 23 00:00 ossec-alerts-22.json.sum
-rw-r----- 1 ossec ossec  380 Apr 23 00:00 ossec-alerts-22.log.sum
-rw-r----- 2 ossec ossec    0 Apr 23 00:00 ossec-alerts-23.json
-rw-r----- 2 ossec ossec    0 Apr 23 00:00 ossec-alerts-23.log

root@wazuh-manager:/var/ossec/etc# ll /var/ossec/logs/api/2019/Apr/
total 12
drwxr-x--- 2 ossec ossec 4096 Apr 23 00:00 ./
drwxr-x--- 3 ossec ossec 4096 Apr 23 00:00 ../
-rw-r----- 1 ossec ossec  178 Apr 23 00:00 api-23-1.gz

API compressed files are named using the current date in the name pattern, while the other logs are named using yesterday's date. Using yesterday's date makes sense because those files contain logs from yesterday.

It would be nice if all logs follow the same pattern.

Regards.
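A backup job that runs at 00:05, as in the report, has to select the previous day's archives under both conventions: the daily logs carry the day their content covers, the API archive carries the day the rotation ran. The following is an added Python example, not code from the issue or from the Wazuh project; it assumes the `<YYYY>/<Mon>/` directories name the year and month of the day that appears in the filename, as in the listing above, and the file list is constructed.

```python
import re
from datetime import date, datetime, timedelta
from pathlib import PurePosixPath
from typing import Iterable, List, Optional

# Daily logs (alerts, archives, ...): the day in the name is the day the content covers.
DAILY_RE = re.compile(r"^[a-z-]+-(?P<day>\d{2})\.(?:json|log)\.gz$")
# API logs: the day in the name is the day the rotation ran, one day after the content.
API_RE = re.compile(r"^api-(?P<day>\d{2})-\d+\.gz$")


def covered_date(path: str) -> Optional[date]:
    """Return the calendar day whose events a compressed log holds, or None when
    the file is not a compressed archive (.sum files, the still-open .json/.log)."""
    p = PurePosixPath(path)
    mon_dir, year_dir = p.parent.name, p.parent.parent.name
    # Assumption: .../<YYYY>/<Mon>/ names the year and month of the day in the filename.
    month = datetime.strptime(mon_dir, "%b").month
    year = int(year_dir)
    m = DAILY_RE.match(p.name)
    if m:
        return date(year, month, int(m["day"]))
    m = API_RE.match(p.name)
    if m:
        # The API archive is stamped with the rotation day, so step back one day.
        return date(year, month, int(m["day"])) - timedelta(days=1)
    return None


def files_for_backup(paths: Iterable[str], run_time_iso: str) -> List[str]:
    """Archives to upload from a job run just after midnight (ISO timestamp):
    exactly the files covering the previous day, under either naming scheme."""
    wanted = datetime.fromisoformat(run_time_iso).date() - timedelta(days=1)
    return sorted(p for p in paths if covered_date(p) == wanted)


# Constructed listing modelled on the directory output in the issue (not real data).
SAMPLE_FILES = [
    "/var/ossec/logs/alerts/2019/Apr/ossec-alerts-22.json.gz",
    "/var/ossec/logs/alerts/2019/Apr/ossec-alerts-22.json.sum",
    "/var/ossec/logs/alerts/2019/Apr/ossec-alerts-23.json",
    "/var/ossec/logs/api/2019/Apr/api-23-1.gz",
    "/var/ossec/logs/api/2019/Apr/api-22-1.gz",
]

if __name__ == "__main__":
    for f in files_for_backup(SAMPLE_FILES, "2019-04-23T00:05:00"):
        print(f)
```

The month boundary is handled by the subtraction: `api-01-1.gz` under `2019/Apr/` resolves to 31 March.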