Editing /etc/filebeat/wazuh-template.json in wazuh kubernetes


Aishwarya Vinod

Jul 18, 2024, 2:05:42 AM
to Wazuh | Mailing List
Hi Team,

I was following the instructions in this blog post, Monitoring Linux resource usage with Wazuh, and I reached the part where they modify the Wazuh template to add the custom field. I have deployed Wazuh on Kubernetes. Any suggestions on how to edit the file, and also others like local_rules.xml and local_decoders.xml? Any suggestions would be appreciated.

elw...@wazuh.com

Jul 18, 2024, 8:15:28 AM
to Wazuh | Mailing List
Hello,

You can add the template as a new mount and then pass it with the config map. I have a full example describing this for filebeat.yml here: https://opensourcesecurityblogs.com/wazuh-in-k8s-kubernetes-enablearchives-index-get-all-events/ but it applies to the Wazuh template as well.

Regarding the rules and decoders, you can change them via the UI https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/creating-custom-fim-rules.html

I hope it helps.

Regards,
Wali
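
The ConfigMap mount described in the reply above, as an added example that is not part of the original post or the Wazuh project's own manifests. The mount path comes from the thread title; the ConfigMap name, namespace, StatefulSet name and container name are assumptions to replace with the values from your deployment.

```yaml
# Added example. Names marked "assumed" are illustrative, not taken from the thread.
apiVersion: v1
kind: ConfigMap
metadata:
  name: wazuh-template-custom        # assumed name
  namespace: wazuh                   # assumed namespace
data:
  # Key name becomes the file name used by subPath below.
  wazuh-template.json: |
    { "placeholder": "replace with the complete modified wazuh-template.json" }
---
# Strategic-merge patch fragment for the manager workload
# (apply with kustomize or `kubectl patch --patch-file`, not as a full object).
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: wazuh-manager-master         # assumed StatefulSet name
  namespace: wazuh                   # assumed namespace
spec:
  template:
    spec:
      containers:
        - name: wazuh-manager        # assumed container name
          volumeMounts:
            - name: wazuh-template
              # Path from the thread title.
              mountPath: /etc/filebeat/wazuh-template.json
              # subPath mounts this single file and leaves the rest
              # of /etc/filebeat from the image untouched.
              subPath: wazuh-template.json
      volumes:
        - name: wazuh-template
          configMap:
            name: wazuh-template-custom   # must match the ConfigMap above
```

A file mounted with subPath does not pick up later ConfigMap changes, so restart the pod after editing the template.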

Aishwarya Vinod

Jul 18, 2024, 9:06:48 AM
to Wazuh | Mailing List

Thanks much for the response, really appreciate it.

So does that mean we cannot mount custom_rules and decoders XML files similar to the template? Kindly confirm on the same.

Also, I would like to confirm: can we do the below possible integrations in Wazuh on Kubernetes clusters? If so, should I follow the mounting process for the same, or do you recommend creating a custom Docker image? It would be helpful to get anyone's suggestion, as I am still confused about whether the below integrations are practically possible in Kubernetes.

Kindly let me know if anyone has tried:

Keycloak integration (https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/keycloak.html)

Aishwarya Vinod

Jul 19, 2024, 5:27:03 AM
to Wazuh | Mailing List
Please let me know if anyone has any suggestions.

Aishwarya Vinod

Jul 24, 2024, 11:54:13 AM
to Wazuh | Mailing List
Hi Team, 

Please revert if anyone has any suggestions, it would be helpful.

elw...@wazuh.com

Aug 5, 2024, 6:42:44 AM
to Wazuh | Mailing List
The default Docker image does not offer the possibility to mount custom rules/decoders as mentioned. However, they would be saved in the used volumes.

Indeed, you can configure all the integrations using the official docker image.

Regards,
Wali