How to change the index name to a manager?

[Alvaro Victoriano]

Hello Wazuh Team.

Iam trying to send the the alerts of some agents are asigned to a manager in the local network, to another Wazuh manager.

and i need those alerts of the manager that are coming of some agents to be in a diferent index.

Previously in the version 3.9.2 i could change the wazuh template from filebeat.yml, but in this version i couldnt do it.

Could you help me please to rename the index of that manager for i can seperate his alerts of the other index?

Thank you so much

[Javier Escobar]

Hi Alvaro,

Since 3.9.3 Wazuh uses a Filebeat module that manages the ingest of alerts to Elasticsearch.To change the index name you have to edit, on the manager node of your preference, the index prefix at /usr/share/filebeat/module/wazuh/alerts/manifest.yml where the default name is located.

- name: index_prefix
    default: my-custom-alerts-

Also, it's needed to edit the Wazuh template at /etc/filebeat/wazuh-template.json and add the index pattern:

"index_patterns": [
    "wazuh-alerts-3.x-*",
    "my-custom-alerts-*",
    "wazuh-archives-3.x-*"
  ],
...

Save the modifications and insert the new template into Elasticsearch. This will replace the current template:

filebeat setup --index-management -E setup.template.json.enabled=false

Remember to restart the Filebeat service to apply the changes:

systemctl restart filebeat

Optionally, if you want to use the new index pattern by default, open the Wazuh Kibana app configuration file (/usr/share/kibana/plugins/wazuh/config.yml) and modify the index pattern with the new one. It should be like this:

pattern: my-custom-alerts-*

This will let you select the new index pattern in the Wazuh app.Finally, restart Kibana service:

systemctl restart kibana

I hope it helps. Please ask us if you have any questions.Regards,
Javier

[Alvaro Victoriano]

Thank you so much Javier, Its working fine

I have another question please, Iam going to install Suricata on my network and Suricata uses filebeat,

Do you think there could be any conclusion as iam going to use filebeat 7.3.0 as Wazuh using same filebeat as well?

[jose antonio izquierdo lopez]

Hi Alvaro,

As Wazuh has Suricata rules, if you prefer, you can point Wazuh agent to read the eve.json file from your Suricata box and Wazuh will take care of Suricata output. you don't need to enable the Filebeat in your Suricata box or enable the filebeat Suricata Module 

Also, did you see our Wazuh's sister project OwlH (www.owlh.net)? It may help you to manage your Suricata probes, your Suricata Rulesets. OwlH includes Zeek support too. There are many different ways to manage traffic capture, transport, and analysis that OwlH will help with. OwlH takes care of field normalization and has its own module for filebeat so you will see Suricata alerts in your Wazuh indices as well you will find different indices for traffic analysis like connections, DNS, Http/ssl, and other protocols. 

Happy to help you to test it with your Suricata deployment. Just let us know.

Thanks,

Jose Antonio Izquierdo 

jizqu...@owlh.io

jizqu...@wazuh.com

[Alvaro Victoriano]

Hello Jose

Thank you so much for your hlpe, few days ago i checked your project when i was looking for how to integrate suricata with Wazuh.

About those steps of installing the agent where suricata is and send the logs to the manager i allready done them without problems, adn the rules working fine.

What i have for now, Kibana Dashboard for suricata (Alerts and Events) to visulize the output of suricata by Filebeat index, so that was my question, Could diferent filebeat send to same elastic for diferent indexes, is correct? the first filebeat is of Wazuh and the second which is in another machine is for Suricata.

Thank you again Jose

[jose antonio izquierdo lopez]

Hi Alvaro, 

Yep, Suricat module in filebeat is thought to run filebeat on each Suricata node and allow filebeat to read directly the Suricata output (eve.json or current/*.log if Zeek). this information will be sent to ELK in a different index than the wazuh one, and Wazuh won't manage the logs. 

We try to keep the NIDS info in 'Wazuh data flow', by including everything as an alert and after manager then we decide what is the right index to store Suricata alerts or other statistical traffic like flows, conn, dns, etc... This allows a global normalization for fields like src and dst ip and port from Suricata and Zeek, an easier way to search across different data from any source, and of course, we don't kill Wazuh-alerts-1.x-* indices with unuseful information from stats, flows, conn, dns, etc... 

  

What we also do, is create the dashboards for NIDS using the information in wazuh index (Suricata alerts) and the indices that will be created for traffic statistics Conn, DNS, etc.

Does it make sense? 

Thanks a lot, Alvaro,

Thanks,

Jose Antonio Izquierdo 

jizqu...@owlh.io

jizqu...@wazuh.com

[Alvaro Victoriano]

Thats awesome Jose, thank you for the clarification

[Alvaro Victoriano]

Another question Javier please.

what about the index wazuh-monitoring, with the revious steps it should be generated? because it didnt appear for me.

about this step:

filebeat setup --index-management -E setup.template.json.enabled=false

Will will replace the current template of wazuh-alerts-3.x-* right? but allready my index "My-Custom-Alerts-*", been generated before this step, so what the need of this step i couldnt understand it could you explain to me please?

thanks

[Javier Escobar]

Hi Alvaro,

'wazuh-monitoring' is an index created by the Wazuh app to monitor the status of the agents. Let's check the app logs to see what happens. Can you execute the following commands and share the output?

cat /usr/share/kibana/optimize/wazuh-logs/wazuhapp.log | grep -i -E "monitoring"
cat /usr/share/kibana/optimize/wazuh-logs/wazuhapp.log | grep -i -E "error|warn"

The Filebeat command loads the modified template, that includes your new index pattern, to Elasticsearch. New indices that follow "My-Custom-Alerts-*" index pattern will apply the modified template.

Regards, 

Javier Escobar

[Alvaro Victoriano]

Hello Javier,

The index allready exist my question was, as i changed the alerts-index-name so the monitoring index should be changed as well? doesnt change right?

so the new agent that are connected with the other manager node from my local network, will appear normal beside the other agents of the other Wazuh-Managers right?

Thank you Javier

[Javier Escobar]

Hello Alvaro,

Sorry I didn't understand before. 'wazuh-monitoring' is an index created and managed by the Wazuh app and is not related to the 'wazuh-alerts' template nor Filebeat. 

You can edit some settings in the Wazuh app. Click on the gear at the right-top corner and go to configuration. There you can, for example, change the default index pattern name.

Restart Kibana to apply the changes:

systemctl restart kibana

As for the agent, if the two managers are connected to the same cluster of managers then the state of their agents will be sent to 'wazuh-monitoring' at Elasticsearch.

Let me know if you have any issues or questions.

Best regards,

Javier Escobar

[Alvaro Victoriano]

Thats great Javier

Thank you so much for your explanation.

In my case its working fine as you see.

I was wondring because I wanted give a login user to kibana for each one of the clients, and setting the index roles to thier manager-index, in order that everyone monitoring only his network. it can be right?

but in this case they are going to see each others agents as the monitoring-index its mutual right?

[Emiliano Ortiz]

Hello Alvaro,

We have answered your question in the following link:
https://groups.google.com/d/msg/wazuh/uT6kIPflpHM/P6otQgAxDAAJ

Please let me know if you have any questions. 
Regards
Emiliano