What is the proper way to disable sending to indexer on manager/workers?

23 views
Skip to first unread message

Tom Morgan

unread,
Apr 3, 2026, 12:26:48 AM (4 days ago) Apr 3
to Wazuh | Mailing List

I'm using the wazuh-manager docker v4.14.1

I've set in the ossec config for manager and workers for the indexer to be disabled:

<indexer>
   <enabled>no</enabled>
</indexer>

However, filebeat still is configured and tries to send to the default indexer url.

We just want the manager and workers running, and are sending alerts and other logs to our Splunk instance instead of an Elasticsearch indexer via a fluent-bit sidecar.

I there a way to disable filebeat in the docker image via some configuration?

Md. Nazmur Sakib

unread,
Apr 3, 2026, 1:00:36 AM (4 days ago) Apr 3
to Wazuh | Mailing List

Hi Tom,

<indexer>

   <enabled>no</enabled>

</indexer>

This configuration is related to the indexer connector. Indexerconnector forwards logs to the indexer for the IT hygiene and vulnerability indices, and Filebeat is responsible for forwarding alert logs to the indexer

Ref: Indexer-connector

So, disabling the indexer connector will not have any impact on the filbeat from trying to send logs to the indexer.


The best way to achieve this will be to build a new image without Filebeat. You will need to:


Modify the Dockerfile to delete all the Filebeat-related steps.


Modify this line in the Dockerfile to make sure the 1-config-filebeat file and the services.d/filebeat are not copied to the Wazuh manager's image. You can modify the line in the Dockerfile, or remove the file and directory.


You can find how to build the images here:

README

Tom Morgan

unread,
Apr 3, 2026, 6:52:02 PM (3 days ago) Apr 3
to Wazuh | Mailing List
Thanks, exactly what I was looking for.
Reply all
Reply to author
Forward
0 new messages