Wazuh Custom Index Creation ---URGENT !!!!


yaswanth ryali

Mar 6, 2025, 2:59:53 AM
to Wazuh | Mailing List
Urgent !!!!!!!


Hello everyone,

I was getting my logs via syslog into my Wazuh by making some configuration changes in ossec.conf. I changed it to <logall>yes</logall> and <logall_json>yes</logall_json>, and I created an index pattern in the dashboard to view my logs (alerts). The point is that I was getting logs (alerts) from Microsoft Defender into Wazuh and viewing them in the dashboard via archives*.

But the problem is that I was also getting dashboard logs and manager logs in the same index, and my alert logs are getting mixed up with those logs. Is there any way to create a custom index only for my Defender alert logs and view them? Or else, is there any option to stop those manager and dashboard logs from coming into my archival index pattern?

Please help me solve this issue, as we are planning to implement this quickly.

Openime Oniagbi

Mar 6, 2025, 3:23:04 AM
to Wazuh | Mailing List
Hello,

Is there a specific reason you want to implement a custom index pattern to view the Defender logs?

I ask this because you can filter those logs on the Wazuh dashboard using the default index pattern. 

wazuh

Mar 6, 2025, 3:28:34 AM
to Wazuh | Mailing List
Hello also,

I've found that an effective way to make multiple indices would be through Logstash. Here's a previous conversation in this group where, similarly, firewall events needed to go to another index.
Custom Indices
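For readers who want to see what the Logstash route looks like in practice, here is an added example pipeline; it is not from the linked thread or from Wazuh's own documentation. It tails the manager's archives.json (the file produced by logall_json) and routes events to one of two OpenSearch indices depending on the "location" field, so the Defender syslog stream lands in its own index while everything else stays in a general archives index. The sender address 10.0.0.5, the indexer address, the index names and the keystore variable OPENSEARCH_PASSWORD are all assumptions; adjust them to your environment.

```conf
# Added example: route Wazuh archive events to per-source OpenSearch indices.
# Assumes Logstash runs on the Wazuh manager with the logstash-output-opensearch
# plugin installed, and that the Defender forwarder sends syslog from 10.0.0.5.
input {
  file {
    id => "wazuh_archives"
    path => "/var/ossec/logs/archives/archives.json"
    codec => "json"
    start_position => "beginning"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}

filter {
  # Remote syslog events carry the sender address in "location"; events the
  # manager reads from its own files carry the file path instead (assumption:
  # check a few of your own archive lines before relying on this).
  if [location] == "10.0.0.5" {
    mutate { add_field => { "[@metadata][target_index]" => "defender-archives" } }
  } else {
    mutate { add_field => { "[@metadata][target_index]" => "wazuh-archives" } }
  }

  # Optional: stop the manager's own local-file logs from being indexed at all.
  # if [location] =~ /^\/var\/log\// { drop { } }
}

output {
  opensearch {
    hosts => ["https://127.0.0.1:9200"]
    # Keep the indexer password in the Logstash keystore, not in this file:
    #   /usr/share/logstash/bin/logstash-keystore add OPENSEARCH_PASSWORD
    auth_type => { type => 'basic' user => 'logstash' password => '${OPENSEARCH_PASSWORD}' }
    index => "%{[@metadata][target_index]}-%{+YYYY.MM.dd}"
    ssl => true
    cacert => "/etc/logstash/wazuh-indexer-certs/root-ca.pem"
  }
}
```

After the pipeline is running, create a defender-archives-* index pattern in the dashboard. Two practitioner notes: the indexer user Logstash authenticates as should be granted write access only to the two index name patterns above, not the admin role, and the wazuh-alerts index written by Filebeat is untouched by this pipeline, so rules you later write against the Defender events still produce alerts in the usual place.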

yaswanth ryali

Mar 6, 2025, 4:43:19 AM
to Wazuh | Mailing List
We are trying to perform some operations from Defender alerts and also to create a ticket in one of the ITSM tools. So, it would be great if we had a separate index for viewing those logs (alerts).

   * I am new to Wazuh; it would be great if you could guide me through this process, because I have only basic knowledge of Wazuh and want to learn more and then implement it in our organisation.

yaswanth ryali

Mar 6, 2025, 4:43:19 AM
to Wazuh | Mailing List
We want to write some rules on this data and send that alert to one of the ITSM tools to generate a ticket for the engineers. So, please help me by guiding me through this process, or suggest any other alternative for this?

  Thanks for helping!!
On Thursday, March 6, 2025 at 1:53:04 PM UTC+5:30 Openime Oniagbi wrote:

Openime Oniagbi

Mar 6, 2025, 5:20:15 AM
to Wazuh | Mailing List
If your use case is to write rules, then you do not need a separate index to achieve this. As long as you can see the logs in the dashboard, you can create rules for those events and forward the alerts via an integration to your ITSM tool.

We have documentation on the Wazuh ruleset here. Also, you can read about how to create integrations here.

When you have successfully created the rules, you can configure the integration to forward alerts when those rules are triggered.

You can also use the following blog posts as a reference guide:

yaswanth ryali

Mar 6, 2025, 6:05:56 AM
to Wazuh | Mailing List
Thanks for helping @openime...@wazuh.com, but as of now we are in the testing phase; we are going to implement the ruleset in future. But as of now, can you please tell me how to send my Defender alerts (logs) coming via syslog to a new custom index instead of the existing index?
Please help me solve this issue.

   Thanks for understanding

yaswanth ryali

Mar 6, 2025, 6:05:57 AM
to Wazuh | Mailing List
But my problem is that I'm also getting dashboard logs and manager logs in the same archival index pattern, so we are confused when viewing our logs. Please clarify the doubts below:

1. Can we write decoders and rules directly on the archival index pattern?
2. Is there any way to stop the dashboard logs and manager logs from going into archival?
3. Can we create 2 different indexes for Defender alert logs and Defender alert logs?
4. Is there any better way of doing this? Please explain it to me in detail, because I am a bit confused by this.

Thank You  

Openime Oniagbi

Mar 6, 2025, 7:51:41 AM
to Wazuh | Mailing List
1. You can write decoders and rules directly for the logs in the wazuh-archives index. Those rules will generate alerts in the wazuh-alerts index.
2. Yes, you can turn off the Wazuh archives entirely if you don't want them. You can reverse the steps used to turn them on from this documentation.
3. Yes, you can create separate indices for different events; however, you need to confirm whether that is the solution to your use case. If your use case is visualizing the Defender logs separately, then you can use a filter on the dashboard and see the logs separately. This is the best way to do this. Getting dashboard and manager logs in the same index pattern is normal; you can use filters to look for the specific log you want. We explain how to do that here.

However, if you insist on creating a different index pattern, then you can use the guide posted by the user above.
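The rule-to-integration-to-ITSM path that Openime describes in this reply and in the earlier one ("create rules for those events and forward the alerts via an integration to your ITSM tool"), shown as an added example that is not from the thread and is not Wazuh's own code. It is a custom integration script in the form Wazuh's integratord runs: a file named custom-* under /var/ossec/integrations that receives the alert file path, the API key and the hook URL as its first three arguments (that calling convention is what Wazuh documents for custom integrations; confirm it against the documentation for your version). The ITSM API shape (JSON body, bearer token), the priority thresholds, rule id 100100, and the sample alert are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""custom-itsm: a Wazuh custom integration that turns an alert into an ITSM ticket.

Added example, not code from the thread or from Wazuh. Assumes the documented
custom-* calling convention (argv[1] alert file, argv[2] api_key, argv[3] hook_url)
and a hypothetical ticket API that accepts JSON over HTTPS with a bearer token.
Install as /var/ossec/integrations/custom-itsm (root:wazuh, mode 750) and
reference it from ossec.conf, for example:

  <integration>
    <name>custom-itsm</name>
    <hook_url>https://itsm.example.com/api/tickets</hook_url>
    <api_key>REPLACE_ME</api_key>
    <rule_id>100100</rule_id>
    <alert_format>json</alert_format>
  </integration>
"""
import json
import sys
import urllib.request


def priority_for(level: int) -> str:
    """Map a Wazuh rule level to an ITSM priority (thresholds are an assumption)."""
    if level >= 12:
        return "P1"
    if level >= 7:
        return "P2"
    return "P3"


def build_ticket(alert: dict) -> dict:
    """Build the ticket payload from a Wazuh alert document (alert_format json)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    return {
        "title": f"[Wazuh rule {rule.get('id', '?')}] {rule.get('description', 'no description')}",
        "priority": priority_for(int(rule.get("level", 0))),
        "source": "wazuh",
        "alert_id": alert.get("id", ""),
        "timestamp": alert.get("timestamp", ""),
        "host": agent.get("name", ""),
        "location": alert.get("location", ""),        # syslog sender for remote events
        "mitre": rule.get("mitre", {}).get("id", []),
        "raw_log": alert.get("full_log", "")[:4000],   # cap what we ship to the ITSM tool
    }


def load_alert(path: str) -> dict:
    """Wazuh hands the triggering alert to the script as a single JSON object in a temp file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def post_ticket(payload: dict, api_key: str, hook_url: str, timeout: float = 10.0) -> int:
    """POST the ticket and return the HTTP status; raises on network or HTTP errors."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        hook_url, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
        return resp.status


# Constructed sample alert, shaped like a Wazuh alert for a remote syslog event.
SAMPLE_ALERT = {
    "timestamp": "2025-03-06T08:10:22.511+0000",
    "id": "1741248622.12345",
    "rule": {"id": "100100", "level": 12,
             "description": "Microsoft Defender: malware detected",
             "mitre": {"id": ["T1204"]}},
    "agent": {"id": "000", "name": "wazuh-manager"},
    "location": "10.0.0.5",
    "full_log": "<14>Mar  6 08:10:21 DEFENDER alert: Trojan:Win32/Example on WS01",
}


def main(argv: list) -> int:
    if len(argv) < 4:
        print("usage: custom-itsm <alert_file> <api_key> <hook_url>", file=sys.stderr)
        return 2
    ticket = build_ticket(load_alert(argv[1]))
    # Never print argv[2] (the API key): script output ends up in the manager's logs.
    status = post_ticket(ticket, argv[2], argv[3])
    print(f"ticket created for alert {ticket['alert_id']}: HTTP {status}")
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The rule_id in the integration block is what ties this to the earlier advice: write a decoder and rule for the Defender syslog lines first, confirm the alert appears in wazuh-alerts, and only then point the integration at that rule id so the ticketing tool receives the parsed alert rather than raw archive lines. Keep the script's outbound HTTP on a verified TLS connection and restrict the API key to ticket creation only.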

yaswanth ryali

Mar 10, 2025, 1:49:16 AM
to Wazuh | Mailing List

Thanks for your help. Really appreciate it

yaswanth ryali

Mar 10, 2025, 2:44:32 AM
to Wazuh | Mailing List
And also, my version contains Filebeat, OpenSearch and Kibana, using a standalone instance. So, is there any option for creating a custom index with these?

Openime Oniagbi

Mar 10, 2025, 7:01:06 AM
to Wazuh | Mailing List
Hi yaswanth ryali,

The guide is the same for your setup.

yaswanth ryali

Mar 11, 2025, 10:00:38 AM
to Wazuh | Mailing List
Thanks @Openime Oniagbi 