Custom Index Pattern for Multi-Manager Wazuh Setup (v4.11)

[Mian Muzammil]

Hello Wazuh Team,

I'm working with a Wazuh 4.11 setup that includes two Wazuh managers deployed across separate VLANs:

• manager-01 (configured as the master)

• manager-02 (configured as a worker)

Both managers are connected to a single Wazuh indexer node (also running 4.11).

By default, logs from both managers are being indexed into the shared pattern:
wazuh-alerts-4.x-*

What I want to achieve:
I’d like the logs from each manager to be indexed under separate index patterns based on their manager name. For example:

• Logs from manager-01 should go to: wazuh-alerts-manager-01-4.x-*

• Logs from manager-02 should go to: wazuh-alerts-manager-02-4.x-*

This separation would help in distinguishing logs between different sources. Following is my config.yml file used for generating certificates and configuration:

nodes:
  indexer:
    - name: indexer-01
      ip: "10.x.x.x"

  server:
    - name: manager-01
      ip: "10.x.x.x"
      node_type: master
    - name: manager-02
      ip: "10.x.x.x"
      node_type: worker

  dashboard:
    - name: dashboard
      ip: "10.x.x.x"

Is there a way to configure the Wazuh manager or the Filebeat/Wazuh module to index logs into manager-specific index patterns like the ones mentioned above?  
Note: I have already tried to create the new index using official Wazuh documentation for manager-02 but it didn't generated the new index.

  Any guidance would be greatly appreciated!  

[Awwal Ishiaku]

You need to first create custom index pattern on Filebeat for each Wazuh server node.

Repeat steps 1 to 5 on all Wazuh server nodes.

However, for step 6, I recommend you use the following pattern to work on all server nodes:

pattern: wazuh-alerts-manager-*

After this, you can restart all the components to apply the changes.

[Mian Muzammil]

Thank you for your prompt response. It worked for me.