Adding index in wazuh
1,092 views
Skip to first unread message
Nepolean Solo
Apr 3, 2023, 6:04:51 AM4/3/23
to Wazuh mailing list
Hi,
I don't have much knowledge on opensearch and indices. I would like to know if we could some how set up wazuh dashboard with a new index called archives where we could see logs even if they didn't trigger alerts. Also it will be great if some one could explain what is the difference between those two Dashboard and Events tab on wazuh dashboard(Shown in pic).png?part=0.1&view=1)
Thank you
Nepolean
Nicolas Agustin Guevara Pihen
Apr 3, 2023, 6:48:34 AM4/3/23
to Wazuh mailing list
Hi Nepolean, thank you for using Wazuh!
Your request is possible, here are the steps to configure it:
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true
Your request is possible, here are the steps to configure it:
1. You must configure the Wazuh manager to log all the events. In the case of having a cluster, this needs to be done in all the nodes. In the file /var/ossec/etc/ossec.conf, enable logall_json
<logall_json>yes</logall_json>.
<logall_json>yes</logall_json>.
Then restart the manager with systemctl restart wazuh-manager or service wazuh-manager restart.
2.
Configure Filebeat output to send all events to Elasticsearch:
The following configuration needs to be done on the Wazuh manager. In the case of having a cluster of Wazuh managers, this configuration needs to be done on all nodes.
Configure Wazuh Filebeat module to read both alerts and archives. In the /etc/filebeat/filebeat.yml file you need to add the archives:
The following configuration needs to be done on the Wazuh manager. In the case of having a cluster of Wazuh managers, this configuration needs to be done on all nodes.
Configure Wazuh Filebeat module to read both alerts and archives. In the /etc/filebeat/filebeat.yml file you need to add the archives:
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true
Then restart Filebeat with systemctl restart filebeat or service filebeat restart. You can test the output with filebeat test output.
3. Create a new index pattern in Wazuh Dashboard:
After that, the configuration is complete. You can see the data navigating to the Discover section in the left panel and selecting the recently created index pattern
- In the dashboard, open the left bar and navigate to Stack management.
- Inside that section, select Index patterns and click on Create index pattern
- For the Index pattern name, use wazuh-archives*, click in Next step and for the timestamp field choose timestamp (make sure to choose timestamp and not @timestamp)
- Click on Create Index Pattern
After that, the configuration is complete. You can see the data navigating to the Discover section in the left panel and selecting the recently created index pattern
Regarding your second question, in both sections you will be able to see the same logs, but in Dashboard one you can see some dashboards and information about the rule that triggered the alert, meanwhile in Events you will be able to see the logs in a format similar to Discover, where you can easily filter by some field, or change the columns that you see.
I hope you find this information helpful!
Kind regards,
I hope you find this information helpful!
Kind regards,
Nepolean
Apr 3, 2023, 8:22:46 AM4/3/23
to Wazuh mailing list
Thanks a lot Nicolas. I will try what you have said.
Reply all
Reply to author
Forward
0 new messages