Incompatibility between Wazuh / Graylog due to filebeat.

[Andrew Creigh]

Good morning Wazuh team it looks like there is an incompatibility issue due to the need to have  compatibility.override_main_response_version: true in the wazuh-indexer opensearch.yml configuration.

disabling this command flag allows graylog to function but then all data in the dashboards in wazuh is gone as filebeat does not understand what _type is. 

Enabling the compatability override breaks graylogs ability to read the logs for much the same reason. 

I have a github issue opened on this with more details.

Additionally the thread Sudden drop off in alerts in dashboard on discord has images and logs.

  

https://github.com/wazuh/wazuh/issues/18191

[Carlos Ezequiel Bordon]

Hi Andrew, thanks for creating the issue for us, we are going to add it to our backlog so we can analyze this problem that you mentioned.

[Andrew Creigh]

Thanks Carlos!

In the meantime are you aware of any alternatives to filebeat as that is where this issue stems from. Perhaps an upgraded version of filebeat that doesn't require the compatibility flag or an alternative to filebeat?

[Andrew Creigh]

For posterities sake here is a link to the discord thread as well https://discord.com/channels/1049711339578331186/1134462672138682418

[Carlos Ezequiel Bordon]

At the moment, Wazuh indexer needs this configuration to be able to receive information from Filebeat, since this configuration enables compatibility with OpenSearch (in which Wazuh indexer is based).

What occurs to me is that you add some other tool for data ingestion to Graylog such as Logstash, but you will have to do these tests on your own.

[Andy Creigh]

Does filebeat utilize special configurations on your alls end for parsing or is that handled elsewhere?

Sent from my iPhone

On Aug 16, 2023, at 8:23 AM, 'Carlos Ezequiel Bordon' via Wazuh mailing list <wa...@googlegroups.com> wrote:



--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9a34890e-1410-4c2c-b494-6e41e127bf9cn%40googlegroups.com.

[Carlos Ezequiel Bordon]

Yes, it is correct, we have configurations for Filebeat to use our module, I am sharing the files that we use to configure Filebeat.

Configuration file: https://packages.wazuh.com/4.5/tpl/wazuh/filebeat/filebeat.yml

Wazuh template json: https://raw.githubusercontent.com/wazuh/wazuh/4.5/extensions/elasticsearch/7.x/wazuh-template.json

Wazuh module: https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz

Here you can find our documentation for install and configuring of Filebeat: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-filebeat

[Andy Creigh]

Unfortunately I believe this config flag to be the underlying cause of the incompatibility issues with graylog. Perhaps there is a newer version of filebeat that can be happy with opensearch?

Sent from my iPhone

On Aug 18, 2023, at 11:43 AM, 'Carlos Ezequiel Bordon' via Wazuh mailing list <wa...@googlegroups.com> wrote:



You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/CHvyl6Xv93A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f4d9c8cc-16ab-478c-a0a0-2c1f72e66cf5n%40googlegroups.com.

[Carlos Ezequiel Bordon]

I could not give you an accurate answer, we have support for Filebeat 7.10.2.

As I mentioned earlier, you can try ingesting the Wazuh data into Graylog using another tool, such as Logstash.

[Jörg Schin.]

Hi Andy,

I use fluentbit to ship the alerts.json file to my graylog instance and chase it through the pipelines to send the logs to the wazuh-indexer with log-enrichment.
What was really a problem in the beginning is that when a field consists of 2 words wazuh separates them with a .) Graylog doesn't support this, so I separate the words in a field with a _.
Was for me an Umgewöhnung, but my AuditD rules I have again really pimped.

Greez