Hi again!
As stated previously, our supported solution in these cases is through the usage of our RBAC system.
I've spent a few hours looking for whatever might be wrong here and I see something that might be off:
If so, you are probably receiving your syslog through your Wazuh Server, which you won't be able to label as the rest of the regular agents. If you want to receive syslog on your Agents, one option is to set up an rsyslog instance on the agent.
Other than this, and if you are set on using filebeat, have you tried creating a separate json object for your devid filter? Something like so:
    {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group == 'groupA'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}groupA-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx?.data?.devid == 'XPTO'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}groupA-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group != 'groupA'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
It would probably be handy to analyze the actual JSON data of one of your syslog device alerts as well, which you can get from the Wazuh Dashboard by going to the JSON tab.
I hope this helps.
Regards,
Federico
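As an added illustration (not part of Federico's reply or of the Wazuh project's code), the following Python routes three constructed alerts through the three date_index_name processors above the way an ingest pipeline would, so you can see which index each alert lands in before deploying the pipeline. It assumes a value for {{fields.index_prefix}} and expresses the Painless conditions as equivalent Python lambdas.

```python
from datetime import datetime, timezone

# Assumed value of the {{fields.index_prefix}} template field; change it to match your filebeat config.
INDEX_PREFIX = "wazuh-alerts-4.x-"

def _get(doc, *path):
    """Null-safe lookup mimicking Painless ctx?.a?.b: None if any hop is missing."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

# One entry per date_index_name processor in the reply, in the same order:
# (the processor's "if" condition, its index_name_prefix with the template field expanded).
PROCESSORS = [
    (lambda d: _get(d, "agent", "labels", "group") == "groupA", INDEX_PREFIX + "groupA-"),
    (lambda d: _get(d, "data", "devid") == "XPTO",              INDEX_PREFIX + "groupA-"),
    (lambda d: _get(d, "agent", "labels", "group") != "groupA", INDEX_PREFIX),
]

def route(doc):
    """Return the resolved index name; every matching processor overwrites _index, so the last match wins."""
    # date_rounding "d" with index_name_format yyyy.MM.dd, evaluated in UTC (the processor's default timezone)
    ts = datetime.strptime(doc["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    day = ts.strftime("%Y.%m.%d")
    index = None
    for condition, prefix in PROCESSORS:
        if condition(doc):
            index = prefix + day
    return index

# Constructed sample alerts (not real data): a labelled agent, a syslog device alert received
# through the manager (no agent label), and an agent belonging to another group.
SAMPLE_ALERTS = [
    {"timestamp": "2024-03-05T10:15:30.123+0000", "agent": {"labels": {"group": "groupA"}}, "data": {}},
    {"timestamp": "2024-03-05T23:59:59.000+0000", "agent": {"name": "wazuh-manager"}, "data": {"devid": "XPTO"}},
    {"timestamp": "2024-03-05T08:00:00.000+0000", "agent": {"labels": {"group": "groupB"}}, "data": {}},
]

def route_all(alerts):
    return [route(a) for a in alerts]

if __name__ == "__main__":
    for alert, index in zip(SAMPLE_ALERTS, route_all(SAMPLE_ALERTS)):
        print(alert["agent"], alert["data"], "->", index)
```

Because the third condition is also true when the agent label is absent, the manager-received alert with devid XPTO ends up in the default index in this ordering; placing the `!= 'groupA'` processor before the devid one makes the devid match win instead.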