Wazuh with Elastic Stack Multi-Tenancy


Rafael Rangel

Dec 4, 2022, 6:12:48 PM
to Wazuh mailing list
Good night people.

I'm new here, and I'm doing a PoC with AIO deploy(wazuh manager, filebeat, elastic and kibana+wazuh app).
I would like to know if it is possible to separate the indexes by tenancy. I'll give you an example.

Client A: Agents group A + syslog -> index_pattern_groupA

Client B: group B + syslog -> index_pattern_groupB

And each Tenancy(Space) in Kibana can only view user data for each group.

F Tux

Dec 5, 2022, 11:25:35 AM
to Wazuh mailing list
Hi there!

The supported way to achieve this is to assign your Agents to separate groups and then give your users permissions to only view their own Agents group.

The process to set that up is documented here:

Otherwise, Wazuh can be set up to be full multi-tenant through OpenSearch's Cross Cluster Search feature:


Let us know the path you want to take and we can help you out through this medium.

Regards,
Federico

Rafael Rangel

Dec 6, 2022, 3:12:54 PM
to Wazuh mailing list
Hi Federico!

Thanks for your reply.

I was able to create the new index by editing the pipeline.json.
Now group A logs are saved in a new index. Which allowed me to separate views permissions by user.

What I still haven't managed to get working is a certain syslog also going to this new index based on, for example, data.devid. That is, I would like every time the data.devid == 'XYZ' to also be saved in the A group index.

I tried the way below, but it keeps going to the default index.


      {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group == 'groupA' || ctx?.data?.devid == 'XPTO'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}groupA  -",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group != ' groupA  '",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },

Rafael Rangel

Dec 13, 2022, 2:12:53 PM
to Wazuh mailing list
Any updates?

Federico Gustavo Galland

Dec 14, 2022, 11:46:20 AM
to Wazuh mailing list
Hi again!

As stated previously, our supported solution in these cases is through the usage of our RBAC system.
I've spent a few hours looking for whatever might be wrong here and I see something that might be off:

How are you ingesting the syslog data? Did you do that following this documentation page?

If so, you are probably receiving your syslog through your Wazuh Server, which you won't be able to label as the rest of the regular agents. If you want to receive syslog to your Agents, one option is to set up an rsyslog instance on the agent.

Other than this, and if you are set on using filebeat, have you tried creating a separate json object for your devid filter? Something like so:

```json
    {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group == 'groupA'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}groupA  -",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx?.data?.devid == 'XPTO'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}groupA  -",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx?.agent?.labels?.group != ' groupA  '",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
```


It would probably be handy to analyze the actual json data of one of your syslog device alerts as well, which you can get from the Wazuh Dashboard by going to the JSON tab.
(screenshot attached: 2022-12-14_13-45.jpg)

I hope this helps.

Regards,
Federico
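As an added example (not from the thread and not Wazuh's own code), here is a small Python model of how a chain of `date_index_name` processors assigns `_index`: each processor whose `if` is true overwrites the value, so a fallback processor whose condition only checks the agent label sends a syslog event matched by `data.devid` back to the default index. The prefix value, the sample events and the Painless conditions rewritten as lambdas are assumptions.

```python
from datetime import datetime

# Assumed value of {{fields.index_prefix}} in the filebeat pipeline.
DEFAULT_PREFIX = "wazuh-alerts-4.x-"

def group(ev):
    return (ev.get("agent", {}).get("labels") or {}).get("group")

def devid(ev):
    return ev.get("data", {}).get("devid")

def route(event, processors):
    """Apply the processors in order. Like the real date_index_name processor,
    every processor whose condition holds overwrites _index, so the last
    matching one wins. Returns the final index name (date math resolved)."""
    day = datetime.strptime(event["timestamp"][:10], "%Y-%m-%d").strftime("%Y.%m.%d")
    index = None
    for cond, prefix in processors:
        if cond(event):
            index = f"{prefix}{day}"
    return index

# Chain as posted in the thread: the fallback fires for every event that is
# not labelled groupA, which includes the devid-matched syslog event.
POSTED = [
    (lambda e: group(e) == "groupA" or devid(e) == "XPTO", DEFAULT_PREFIX + "groupA-"),
    (lambda e: group(e) != "groupA", DEFAULT_PREFIX),
]

# Fallback that only fires when no tenant rule matched.
def is_tenant_a(e):
    return group(e) == "groupA" or devid(e) == "XPTO"

FIXED = [
    (is_tenant_a, DEFAULT_PREFIX + "groupA-"),
    (lambda e: not is_tenant_a(e), DEFAULT_PREFIX),
]

# Constructed sample events (not real alerts).
TS = "2022-12-06T15:12:54.000+0000"
AGENT_A = {"timestamp": TS, "agent": {"labels": {"group": "groupA"}}, "data": {}}
SYSLOG_XPTO = {"timestamp": TS, "agent": {"name": "wazuh-manager"}, "data": {"devid": "XPTO"}}
OTHER = {"timestamp": TS, "agent": {"labels": {"group": "groupB"}}, "data": {"devid": "ABC"}}

if __name__ == "__main__":
    for name, ev in [("agent A", AGENT_A), ("syslog XPTO", SYSLOG_XPTO), ("other", OTHER)]:
        print(f"{name:12} posted -> {route(ev, POSTED)}   fixed -> {route(ev, FIXED)}")
```

The same check can be done against a live indexer with the `_ingest/pipeline/_simulate` API, which shows the `_index` each sample document ends up with.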

Rafael Rangel

Dec 30, 2022, 2:40:57 PM
to Wazuh mailing list
Hi @federico,

apologies for the delay.
Yes, I used docs to integrate my syslog. I'm using ingest by filebeat.
My logs are arriving with the fields as attached, but even putting "if": "ctx?.data?.devid == 'XPTO'", it continues indexing in the default file. I've tried changing the field to get some match, but even so, it keeps going to the default index.
(screenshot attached: 2022-12-30 16_40_29-Wazuh.png)

Federico Gustavo Galland

Jan 2, 2023, 4:35:22 AM
to Rafael Rangel, Wazuh mailing list
Hi Rafael,

Once again, we can only support you with filebeat issues as long as they pertain to Wazuh's own internal workings. Customizing filebeat is beyond this community's expertise.

Aside from this, the screenshot shows a devid field that doesn't match the XPTO value you are using in your examples. That will definitely not match.

Let us know if you wanted to use Wazuh's RBAC system which is intended to cover this kind of use-cases, so we can help you further.

Regards,
Federico

José Raeiro

Jan 2, 2023, 7:52:28 PM
to Wazuh mailing list
Is there any way to achieve this on a self-hosted indexer?

Federico Gustavo Galland

Jan 3, 2023, 4:09:10 AM
to José Raeiro, Wazuh mailing list
Hi José,

Everything we've discussed so far applies to an on-premise Wazuh Indexer deployment.

Regards,
Federico
