When working in a security operations center (SOC), Wazuh gives you powerful alerting and monitoring capabilities. By default, Wazuh focuses on alerts, but it also supports archives, a feature that stores and lets you access all event logs, not just alerts. Wazuh alerts only show events that trigger defined rules, but sometimes you need the complete logs for deeper analysis. That’s where enabling Wazuh archives helps.

In this guide, I’ll walk you through how to enable archives in Wazuh, configure Filebeat to ship them, and visualize them in the Wazuh Dashboard. Once done, you will be able to see wazuh-archives-* as an index pattern.

Why Enable Wazuh Archives as an Index Pattern?

While Wazuh alerts are great for spotting security issues, archives provide the full raw log history. This is invaluable for:

  • Incident response – reviewing what happened before and after an alert.
  • Forensics – digging deeper into suspicious activity.
  • Compliance audits – demonstrating complete log retention.


  1. Enable Wazuh Archives

Edit the Wazuh Manager configuration file:

sudo nano /var/ossec/etc/ossec.conf

Inside the <global> tag, set the following:

<logall_json>yes</logall_json>

  2. Configure Filebeat

Edit the Filebeat configuration file:

sudo nano /etc/filebeat/filebeat.yml

Enable archives under the wazuh module:

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true   # Change to true

  3. Restart Services

Restart both services to apply changes:

sudo systemctl restart wazuh-manager
sudo systemctl restart filebeat

  4. Configure Index Pattern in Wazuh Dashboard

  • Click on the ☰ hamburger menu → Dashboard Management.
  • Select Index Patterns → Create Index Pattern.
  • For the index pattern name, enter: wazuh-archives-*
  • Turn on Include system and hidden indices.
  • Choose @timestamp as the time field.
  • Click Create index pattern.

Now wazuh-archives-* will appear as an available index pattern in the Wazuh Dashboard.
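If the pattern does not show up, the usual cause is one of the settings above not taking effect. The following check script is an added example (not part of this guide or of Wazuh/Filebeat tooling); it assumes the default paths used in the guide and the default archives file /var/ossec/logs/archives/archives.json, all overridable via environment variables.

```sh
#!/bin/sh
# Added example (not Wazuh/Filebeat tooling): confirm the settings changed in
# steps 1 and 2 are really in place and that the manager is writing archives,
# before looking for wazuh-archives-* in the dashboard. Paths are the defaults
# from the guide; override them with environment variables to test copies.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"
ARCHIVES_JSON="${ARCHIVES_JSON:-/var/ossec/logs/archives/archives.json}"

# Step 1 check: <logall_json>yes</logall_json> must sit inside <global>...</global>.
logall_json_enabled() {
    sed -n '/<global>/,/<\/global>/p' "$1" \
        | grep -q '<logall_json>[[:space:]]*yes[[:space:]]*</logall_json>'
}

# Step 2 check: under "- module: wazuh", the archives: block must contain
# "enabled: true" (a trailing "# comment" as in the guide is tolerated).
# Indentation decides where the archives: block ends, as in YAML.
filebeat_archives_enabled() {
    awk '
        function indent(s) { match(s, /^[ ]*/); return RLENGTH }
        /^[ ]*-[ ]*module:[ ]*wazuh[ ]*$/ { in_wazuh = 1; next }
        /^[ ]*-[ ]*module:/              { in_wazuh = 0 }
        in_wazuh && /^[ ]*archives:/     { in_arch = 1; arch_indent = indent($0); next }
        in_arch && !/^[ ]*$/ && indent($0) <= arch_indent { in_arch = 0 }
        in_arch && /^[ ]*enabled:[ ]*true([ ]|$)/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Step 3 check: after wazuh-manager restarts with logall_json, every received
# event is appended here. Archives grow far faster than alerts: plan disk/retention.
archives_being_written() {
    [ -s "$1" ]
}

# Report against the live files; runs only when they exist, so the functions
# above can also be sourced and exercised against sample copies.
report() {
    logall_json_enabled "$OSSEC_CONF" && echo "ok: logall_json is yes" || echo "MISSING: logall_json in <global>"
    filebeat_archives_enabled "$FILEBEAT_YML" && echo "ok: filebeat archives enabled" || echo "MISSING: archives.enabled in filebeat wazuh module"
    archives_being_written "$ARCHIVES_JSON" && echo "ok: $ARCHIVES_JSON has data" || echo "EMPTY: $ARCHIVES_JSON (restart wazuh-manager and wait for events)"
}

if [ -f "$OSSEC_CONF" ] && [ -f "$FILEBEAT_YML" ]; then
    report
fi
```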