setting filebeat wazuh docker
37 views
Skip to first unread message
Владмир Пупкин
Oct 9, 2025, 7:06:24 AM (yesterday) Oct 9
to Wazuh | Mailing List
Hi, friends,
Help me with filebeat.
I have wazuh 4.13.1 installed in Docker. How do I change
archives:
enabled: false
to
Help me with filebeat.
I have wazuh 4.13.1 installed in Docker. How do I change
archives:
enabled: false
to
archives:
enabled: true
enabled: true
me filebeat.yml
bash-5.2# cat ./filebeat.yml
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://wazuh.indexer:9200']
username: 'admin'
password:
ssl.verification_mode: 'full'
ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
ssl.certificate: '/etc/ssl/filebeat.pem'
ssl.key: '/etc/ssl/filebeat.key'
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://wazuh.indexer:9200']
username: 'admin'
password:
ssl.verification_mode: 'full'
ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
ssl.certificate: '/etc/ssl/filebeat.pem'
ssl.key: '/etc/ssl/filebeat.key'
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq
Chukwudalu Chisimdi Okonkwo
Oct 9, 2025, 9:02:53 AM (yesterday) Oct 9
to Wazuh | Mailing List
Hello,
To edit that kindly navigate to this path on your Docker Host (if you are using a single node) and then make the changes to the archives in there
/var/lib/docker/volumes/single-node_filebeat_etc/_data/filebeat.yml
Then the changes will reflect on the container once done, no need to re-build the container.
Do let me know if this was helpful.
To edit that kindly navigate to this path on your Docker Host (if you are using a single node) and then make the changes to the archives in there
/var/lib/docker/volumes/single-node_filebeat_etc/_data/filebeat.yml
Then the changes will reflect on the container once done, no need to re-build the container.
Do let me know if this was helpful.
Владмир Пупкин
Oct 9, 2025, 9:50:28 AM (yesterday) Oct 9
to Wazuh | Mailing List
Thanks, the settings have changed.
bash-5.2# cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true
Do you need to restart the filebeat service?
bash-5.2# cat /etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
Do you need to restart the filebeat service?
четверг, 9 октября 2025 г. в 16:02:53 UTC+3, Chukwudalu Chisimdi Okonkwo:
Matías Mercado
Oct 9, 2025, 5:23:40 PM (18 hours ago) Oct 9
to Wazuh | Mailing List
Hello,
Yes please restart the filebeat service and then run a test with "filebeat test output"
Regards,
Matías.
Matías.
Владмир Пупкин
7:07 AM (5 hours ago) 7:07 AM
to Wazuh | Mailing List
Thanks, everything worked !!!
пятница, 10 октября 2025 г. в 00:23:40 UTC+3, Matías Mercado:
Reply all
Reply to author
Forward
0 new messages