Custom index pattern

[Usman Ali]

Hello,

        I have created new custom index pattern following this

https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html

but unfortunately, I cannot see the index pattern after scrollwing down  in wazuh dashboard as shown below 

How can I resolve this issue???

Note:

1) I have created an index patterns already

2)indices are getting data

3) I am using fluent-bit because I am sending data to Graylog

4) Is filebeat is compulsory? should i configure for this ?

5) I have file beat installed but I have an error kindly see images, if filebeat is must then help me out to solve file beat issue as well

6)Why i cannot see my create index pattern in wazuh dash board?

[Openime Oniagbi]

Hi Usman,

Can you follow these steps: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html#checking-indices-information and post the screenshot of your indices showing the index you have created?

Also, did you follow that documentation to the end?

[Usman Ali]

Hi,

    Thanks for the quick response,

initially, I created a demo indexer, and it was successfully created and shown in wazuh dashboard index pattern along with the default index pattern i.e. wazuh-alerts-*, but then I deleted it and created a new indexer with my project name, I followed all steps till  topic Using the Wazuh indexer AP and run the following command 

GET /_cat/indices/myproject-alerts-*?v

It shows me all indices including my newly created indices green

I have Opensearch installed, and the index pattern was discovered in the Opesearch dashboard as well and shows me alerts 

but when I open Wazuh dashboard it doesn't show my index pattern only shows Wazuh's default index pattern i.e. wazuh-alerts-*.

Kindly give me some brief troubleshooting step,so I can follow and resolve it ASAP, its urgent 

Right now I cannot share any screen shoot because I don't have access to my system i will have access but tomorrow, but i can assure you i have followed all steps till this command (GET /_cat/indices/myproject-alerts-*?v).

Thank you

[Openime Oniagbi]

Please try the steps in this documentation: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#wazuh-dashboard

Ensure to select your custom index instead of the one mentioned in the documentation.

[Usman Ali]

Hi Openime,

                 What I did right now, is I deleted wazuh-alerts-* from index patterns, and it started picking my customized index pattern, but now the problem I am facing is as follows

My index pattern has Fileds like (agent_id , agent_name, etc) I tried to change it to (agent.id , agent.name )  format in the gray log but failed, what I want to know is if there is any way to change the field of wazuh dashboard from this  (agent.id ,agent.name ) format to  (agent_id , agent_name, etc)  this format so it starts picking my complete data, now it showing me some data kindly have a look to images

Thanks you 

I am already late in my project kindly solve my issue ASAP, and share with me some steps to resolve this issue ASAP.

Thanks

[Usman Ali]

Do i need to replace all  ( "." with "_") in fields shown in the attached image or something else

[Openime Oniagbi]

What exactly are you trying to achieve?

[Usman Ali]

HI,

I want to display my data on wazuh dashboard using wazuh template by default, but my index pattern has fields with "_" separator but wazuh dashboard is using "." as a separator e.g. my index pattern field "agent_id "  but wauzh dashboard field is "agent.id" which are not matching and data is not showing on the dashboard.

Kindly go through the images I attached

 

 

Image 1 à Wazuh Dashboard where I want to display my index pattern data using wazuh template

 

Image 2 à OpenSearch discover tab showing my index pattern alerts and field

Image 3 à wazuh template field that I want to change

Image 4 à my index pattern fields

 

So I deleted wazuh-alerts-* index pattern and now I am loading my index pattern,  but half of the data is not loading due to differences in fields like manger.name (wazuh field ) but my index pattern has this field with “manger _name”  (check image 1), can I change wazuh field in the template to manager_name so dashboard can pick all of the data or some other solution.

 

Thanks

[Openime Oniagbi]

Then you should edit your custom index pattern to align with the default Wazuh values.

[Usman Ali]

How can I do this can you help me out with this?

But I observed I have to aligned wazhu dashboard values with my index pattern

I am good with any of the solution if it work for me 

Kindly must share step, how can I do that 

Thanks 

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/2LYm6lZ_wDM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4de33dfd-a9b3-4301-a419-8255c110136an%40googlegroups.com.

[Openime Oniagbi]

The steps to create and use a custom index pattern are covered in this documentation: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html#creating-custom-index-pattern

If you follow those steps, then you should not have any errors. Please look through and see if you have missed something.

[Usman Ali]

You're right, I follow exactly same steps, but problem comes with the fields name , my customize index pattern field names are separated by "_" while wazuh Field are separated by "•" and what I think this is because of for wazuh pattern data is store in indices by file beat, while in my case log is first move to graylog and then to indexer using fluent bit

So I think we have to find a solution to modified the fields name in wazuh dashboard and replace "•" by "_" , and I am 100  % sure it will work but I don't know where exactly I made to changes for dashboard, and where are dashboard files created or located 

If you can guide me in this matter to change dashboard fields value I willl be thankful to you

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65324231-085b-43fd-ac4f-4a9fc5660589n%40googlegroups.com.

[Openime Oniagbi]

Did you download the template below and follow the steps described in the documentation?

curl -so template.json https://raw.githubusercontent.com/wazuh/wazuh/4.7/extensions/elasticsearch/7.x/wazuh-template.json

The field names are defined in that template. If you made any changes to the field names then you need to download the template again, add your custom index, and follow the steps described here.

​

[Usman Ali]

Hi

I downloaded the template and make few changes 

1) add my customized indexer

2) replace agent.id , agent.name , manager.name into  agent_id , agent_name , manager_name and follow all step shown in link you shared, kindly check image2 (my indexer shows the change as well)

3) the image 1 dashboard is still looking for manager.name. Why? do I need to make changes in wazuh manager side as well to look for manager_name instead of manager.name

4) image 3 show logs

[Openime Oniagbi]

Please stop changing the field names in the template. Just add your custom index to it.

[Usman Ali]

Than what should i do to display data on a dashboard, I have done all steps, how can I change my customized index pattern field s into wazuh index pattern fields

[Openime Oniagbi]

If you followed the steps, you won't need to change the patterns on the dashboard because the index fields are the same.

[Usman Ali]

The problem starts when I involve Graylog in my solution, 

Graylog never uses "." in the index pattern field type while wazuh uses "."

e.g.

Following are the field types of indices 

graylog filed type --> agent_id   

wazuh field type --> agent.id

which is matches, and never loads data because the wazuh dashboard looks for agent.id which he never finds due  to agent_id

[Openime Oniagbi]

I'd advise you to avoid the use of graylog, if you can.