Wazuh to Graylog


DIWAHAR RAHAWID

Apr 17, 2026, 6:58:27 AM
to Wazuh | Mailing List
Hi Team, 

Hope you are doing well. I have configured Wazuh as given below:

Wazuh Agent → Wazuh Manager → alerts.json → Fluent Bit → Graylog → SOCFortress UI

But I am getting the logs in Graylog and SOCFortress as raw logs; they are not being generated as alerts. I tried to create pipelines, but they do not turn the logs into alerts, so I cannot create alert notifications and proceed further.

Is there anything I need to look into?

Regards
Diwahar

Adrián Díaz Gámez

Apr 17, 2026, 7:42:14 AM
to Wazuh | Mailing List
Hello Diwahar,

From what I understand, Graylog is receiving raw events, but not necessarily Wazuh alerts. Alerts are generated only after the manager processes incoming logs via decoding and rule matching. Meanwhile, events that do not trigger an alert can still be stored in the archive files, so seeing raw logs in Graylog does not always mean that Wazuh is producing alerts for them. Verify the following in the Wazuh server:
  • Confirm that Wazuh is actually generating alerts locally in alerts.json.
  • Check that log_alert_level is not set too high; lower-level alerts will not be written to alerts.json.
  • Make sure jsonout_output is enabled in /var/ossec/etc/ossec.conf.
  • If your sample logs are not triggering alerts, test them with wazuh-logtest to confirm whether they match any decoders or rules.
  • If they do not match any decoder/rule, you may need to create a custom decoder/rule for those logs.
Also note that if Fluent Bit forwards raw logs instead of Wazuh-generated alerts, Graylog/SocFortress will process them as simple logs and not as Wazuh alerts.

Here are some links that explain this:
https://documentation.wazuh.com/current/user-manual/manager/alert-management.html
https://documentation.wazuh.com/current/development/wazuh-logtest.html

If alerts are visible in alerts.json but still not usable in Graylog/SocFortress as alerts, then the next step is to review the Fluent Bit/Graylog pipeline mapping. I will leave you another helpful link here:
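The checks listed above can be scripted. The following is an added example, not code from the thread or from the Wazuh project: it parses the two relevant settings out of an ossec.conf text, tells you whether a sample that wazuh-logtest matched at a given rule level would be written to alerts.json, and classifies records as they arrive downstream into Wazuh alerts versus raw logs (a Wazuh alert always carries rule.id, rule.level and agent.id). The ossec.conf excerpt, the records and the rule IDs are constructed for illustration; the one real-world detail handled is that ossec.conf may contain several top-level ossec_config blocks, which is not well-formed XML on its own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (not a real server's file). Real files often
# hold several top-level <ossec_config> blocks, so the parser wraps the text
# in a synthetic root before handing it to the XML parser.
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
  </global>
  <alerts>
    <log_alert_level>7</log_alert_level>
  </alerts>
</ossec_config>
<ossec_config>
  <ruleset>
    <decoder_dir>ruleset/decoders</decoder_dir>
  </ruleset>
</ossec_config>
"""

# Constructed newline-delimited records as Graylog might receive them from
# Fluent Bit: two shaped like Wazuh alerts, and one bare syslog line that
# Fluent Bit wrapped because it tailed a raw log file instead of alerts.json.
SAMPLE_RECORDS = "\n".join([
    json.dumps({"timestamp": "2026-04-17T06:50:00.000+0000",
                "rule": {"level": 10, "id": "100010",
                         "description": "Constructed: repeated auth failures"},
                "agent": {"id": "001", "name": "web01"},
                "full_log": "constructed log line"}),
    json.dumps({"timestamp": "2026-04-17T06:51:00.000+0000",
                "rule": {"level": 3, "id": "100003",
                         "description": "Constructed: informational event"},
                "agent": {"id": "001", "name": "web01"},
                "full_log": "constructed log line"}),
    json.dumps({"log": "Apr 17 06:52:00 web01 sshd[123]: constructed raw line",
                "source": "/var/log/auth.log"}),
])


def parse_alert_settings(conf_text):
    """Return jsonout_output and log_alert_level from ossec.conf text."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    jsonout = (root.findtext(".//global/jsonout_output") or "no").strip().lower() == "yes"
    # Wazuh's documented default for log_alert_level is 1 when the tag is absent.
    level = int((root.findtext(".//alerts/log_alert_level") or "1").strip())
    return {"jsonout_output": jsonout, "log_alert_level": level}


def would_reach_alerts_json(rule_level, settings):
    """Given the rule level wazuh-logtest reports for a sample, say whether
    the manager would write that alert to alerts.json under these settings."""
    return settings["jsonout_output"] and rule_level >= settings["log_alert_level"]


def is_wazuh_alert(record):
    """A Wazuh alert carries rule.id, rule.level and agent.id; a raw log
    line that Fluent Bit merely wrapped in JSON does not."""
    rule, agent = record.get("rule"), record.get("agent")
    return (isinstance(rule, dict) and "id" in rule and "level" in rule
            and isinstance(agent, dict) and "id" in agent)


def triage_records(ndjson_text):
    """Count alerts, raw logs and unparseable lines; collect alert levels."""
    summary = {"alerts": 0, "raw": 0, "invalid": 0, "levels": []}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            summary["invalid"] += 1
            continue
        if not isinstance(rec, dict) or not is_wazuh_alert(rec):
            summary["raw"] += 1
            continue
        summary["alerts"] += 1
        summary["levels"].append(int(rec["rule"]["level"]))
    return summary


def diagnose(conf_text, ndjson_text):
    """Turn the settings and the downstream records into a list of findings."""
    settings = parse_alert_settings(conf_text)
    summary = triage_records(ndjson_text)
    findings = []
    if not settings["jsonout_output"]:
        findings.append("jsonout_output is not 'yes': alerts.json will not be written")
    if summary["raw"]:
        findings.append(f"{summary['raw']} record(s) are raw logs, not Wazuh alerts: "
                        "check which file Fluent Bit tails")
    dropped = [lvl for lvl in summary["levels"] if lvl < settings["log_alert_level"]]
    if dropped:
        findings.append(f"{len(dropped)} alert(s) sit below log_alert_level="
                        f"{settings['log_alert_level']} and would not reach alerts.json")
    if summary["invalid"]:
        findings.append(f"{summary['invalid']} line(s) are not valid JSON")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OSSEC_CONF, SAMPLE_RECORDS):
        print("-", finding)
```

On a real server you would feed parse_alert_settings the contents of /var/ossec/etc/ossec.conf and triage_records a slice of whatever Fluent Bit actually ships; if triage_records reports raw records, the Fluent Bit input is pointed at the wrong file, and if would_reach_alerts_json returns False for the level wazuh-logtest printed, the alert is being filtered before it ever reaches alerts.json.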


Adrián Díaz Gámez

Apr 20, 2026, 4:28:18 AM
to Wazuh | Mailing List
Hello Diwahar,

You could also share a sample log of the SOCFortress user interface so we can review it. This could help confirm how the alert is being processed.