Custom index


riccait

Mar 31, 2023, 8:15:21 AM
to Wazuh mailing list
Hi Wazuh team,
I updated wazuh to version 4.4 and noticed many improvements.
I would like to know if it is possible to create indices by group.
For example: I have created a label on the configuration of a group as below:

<agent_config>
  <labels>
    <label key="customers">riccait</label>
  </labels>
</agent_config>

Is it possible to tell filebeat that I have to create an index based on this label? Maybe always through a daily rotation as it happens now for wazuh-alerts.

Thank you
Greetings

Jose Luis Carreras Marin

Apr 3, 2023, 9:00:27 AM
to Wazuh mailing list
Hello riccait,

Yes, it is possible to create different indexes for each label configured in the agents.
What you have to do is to modify the filebeat pipeline so that it generates different indexes according to the label. To do this, you must modify the file:
/usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json

Add a block for each label for which you want to generate a different index, for example:

{
  "date_index_name": {
    "if": "ctx?.agent?.labels?.customers == 'riccait'",
    "field": "timestamp",
    "date_rounding": "d",
    "index_name_prefix": "{{fields.index_prefix}}riccait-",
    "index_name_format": "yyyy.MM.dd",
    "ignore_failure": true
  }
}

In this way, and for this case, we will generate an index named wazuh-alerts-4.4-riccait-yyyy.MM.dd

It is also necessary to apply the changes in the filebeat pipeline:
filebeat setup --pipelines --modules wazuh

Finally, you must add these index pattern names to the template:
https://documentation.wazuh.com/current/user-manual/elasticsearch/configure-indices.html#indices-configuration

If you have any doubt or problem, do not hesitate to tell me about it. Thanks for using Wazuh!

Best regards,
Jose.
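
The per-label routing described in the answer above, as an added example that is neither the poster's nor Wazuh's own code: a small Python helper that inserts one conditional date_index_name block per label value into a constructed, minimal stand-in for pipeline.json, and simulates which index an alert lands in. It assumes the stock pipeline already contains an unconditional date_index_name processor using `{{fields.index_prefix}}` (filled by Filebeat from its `fields.index_prefix` setting, taken here as `wazuh-alerts-4.x-`); since ingest processors run in order and each date_index_name overwrites `_index`, the per-label blocks are placed after the stock one so they take effect.

```python
import copy

# Constructed, minimal stand-in for the relevant processors of
# /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json (not the real file).
PIPELINE = {
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"date_index_name": {  # stock, unconditional routing into wazuh-alerts-*
            "field": "timestamp", "date_rounding": "d",
            "index_name_prefix": "{{fields.index_prefix}}",
            "index_name_format": "yyyy.MM.dd", "ignore_failure": False}},
        {"remove": {"field": ["message", "fields"], "ignore_missing": True}},
    ],
}

def label_processor(label_key, value):
    """Block routing alerts with agent label label_key == value to <prefix><value>-yyyy.MM.dd."""
    return {"date_index_name": {
        "if": f"ctx?.agent?.labels?.{label_key} == '{value}'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}" + value + "-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": True,
    }}

def add_label_indices(pipeline, label_key, values):
    """Copy the pipeline and insert one block per value right after the stock
    date_index_name: processors run in order and each overwrites _index."""
    out = copy.deepcopy(pipeline)
    procs = out["processors"]
    stock = next(i for i, p in enumerate(procs) if "date_index_name" in p)
    for n, value in enumerate(values):
        procs.insert(stock + 1 + n, label_processor(label_key, value))
    return out

def resolve_index(pipeline, alert, index_prefix="wazuh-alerts-4.x-"):
    """Simulate routing of one alert: the last matching date_index_name wins.
    Understands only the conditions built above; timestamp assumed UTC."""
    day = alert["timestamp"][:10].replace("-", ".")  # date_rounding "d"
    labels = alert.get("agent", {}).get("labels", {})
    index = None
    for cfg in [p["date_index_name"] for p in pipeline["processors"] if "date_index_name" in p]:
        if "if" in cfg:
            key, want = cfg["if"].split("?.")[-1].split(" == ")
            if labels.get(key) != want.strip("'"):
                continue
        index = cfg["index_name_prefix"].replace("{{fields.index_prefix}}", index_prefix) + day
    return index
```

Run `add_label_indices(PIPELINE, "customers", ["riccait"])` and feed the result to `resolve_index` with a sample alert to check that only agents labelled `customers: riccait` leave the default daily index.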

jamer daniel castañeda perez

Mar 7, 2024, 10:53:00 AM
to Wazuh | Mailing List
Hi Jose Luis.
Is it possible to do it in the web interface?
