Using other indexes apart from wazuh-alerts-x on ELK integration


Dan

Aug 7, 2024, 4:40:32 AM
to Wazuh | Mailing List
Hello!

Wazuh's docs define the ELK integration using Logstash and Elasticsearch; however, I only get `wazuh-alerts-x`.

How could I gather other indexes such as `wazuh-statistics`, which Wazuh's built-in dashboard feature has access to?

Greetings and have a nice day :)


Lamya Imam

Aug 7, 2024, 5:53:34 AM
to Wazuh | Mailing List
Hello Dan,

Could you please share more details about the architecture of your deployment and the versions of the components that you are using?

Please share the output of this command from the Dev Tools:
GET _cat/templates?v

Also, run the command GET _cat/indices to see all of the created indexes and look for the wazuh-statistics-* index.
Then go to Discover and check if you are able to see the wazuh-statistics-* index in the dropdown index bar.

Lastly, please let me know if a pattern for this index is created. You can check it by going to the Kibana interface and selecting the option Stack management -> Index patterns -> Wazuh-statistics-*. If it does not exist, please follow the guidelines below to create the index pattern name for the Wazuh statistics:

- Select ☰ > Management > Stack Management.
- Choose Kibana > Data Views and select Create data view.
- Enter a name for the data view and define wazuh-statistics-* as the index pattern name.
- Select timestamp in the Timestamp fields dropdown menu. Then Save data view to Kibana.
- Open the menu and select Discover under Analytics.
- Select ☰ > Analytics > Discover.

Verify that you can find the data view name you entered and check if the index is populating now.

However, if this does not work, try deleting the templates and index patterns, then download the template again from the documentation and reinstall the Kibana plugin.
Reference: https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html#id2

Please share the necessary screenshots and logs that you may face during the troubleshooting process. 

Will be waiting for your response!

Dan

Aug 7, 2024, 6:19:15 AM
to Wazuh | Mailing List
Hello! Thanks for your fast reply!

I have Wazuh running on separate machines.

I have Logstash running in a container which has the `alerts.json` file as a data source, and it is also connected to the indexer according to Wazuh's documentation.


Yes, the indices are created correctly. However, I pull Elastic's data from another program, and all of the indices are wazuh-alerts, given that the Logstash config is only for that. If I change the "index" to something else, will I be able to pull that said index? Apologies for wasting your time if it's this easy.

Here's my configuration file:

input {
  # Poll the Wazuh indexer every minute for alerts newer than one minute.
  opensearch {
    hosts => [":9200"]
    user => ""
    password => ""
    index => "wazuh-alerts-4.x-*"
    ssl => true
    ca_file => "/usr/share/logstash/wazuh-indexer-certs/root-ca.pem"
    query => '{
      "query": {
        "range": {
          "@timestamp": {
            "gt": "now-1m"
          }
        }
      }
    }'
    schedule => "* * * * *"
  }
  # Tail the manager's alerts JSON file as a second source.
  file {
    id => "wazuh_alerts"
    codec => "json"
    start_position => "beginning"
    stat_interval => "1 second"
    path => "/usr/share/logstash/wazuh-alerts/alerts_manager.json"
    mode => "tail"
    ecs_compatibility => "disabled"
  }
}


Lamya Imam

Aug 15, 2024, 10:41:18 AM
to Wazuh | Mailing List
Hello Dan,

We can see the wazuh-statistics-* indices are generated. To include these indices in your Logstash configuration, you'll need to update your configuration to pull data from both the wazuh-alerts-* and wazuh-statistics-* indices.
Reference: https://www.elastic.co/guide/en/logstash/7.17/index.html

As the issue is related to ELK, I would suggest you check the Elastic community to get help with the Logstash configuration.
Sharing links that you might find useful:
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#_writing_to_different_indices_best_practices
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-multiple-indices.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html

Hope this helps!
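One way to pull both index patterns, as the reply above suggests, is an added example that is not part of this thread or the Wazuh documentation: one opensearch input per pattern, each keeping the source `_index` and `_id` in metadata so the Elasticsearch output can route events to indices with the same names. Hosts, credentials and the Elasticsearch CA path are placeholders, and the `timestamp` field and 5-minute cadence used for the statistics input are assumptions to verify against your mapping.

```logstash
input {
  opensearch {
    hosts => ["WAZUH_INDEXER_HOST:9200"]        # placeholder
    user => "WAZUH_INDEXER_USER"                # placeholder
    password => "WAZUH_INDEXER_PASSWORD"        # placeholder
    index => "wazuh-alerts-4.x-*"
    ssl => true
    ca_file => "/usr/share/logstash/wazuh-indexer-certs/root-ca.pem"
    docinfo => true                             # keep source _index/_id in @metadata
    docinfo_target => "[@metadata][doc]"
    docinfo_fields => ["_index", "_id"]
    query => '{ "query": { "range": { "@timestamp": { "gt": "now-1m" } } } }'
    schedule => "* * * * *"
    tags => ["wazuh-alerts"]
  }
  opensearch {
    hosts => ["WAZUH_INDEXER_HOST:9200"]        # placeholder
    user => "WAZUH_INDEXER_USER"                # placeholder
    password => "WAZUH_INDEXER_PASSWORD"        # placeholder
    index => "wazuh-statistics-*"
    ssl => true
    ca_file => "/usr/share/logstash/wazuh-indexer-certs/root-ca.pem"
    docinfo => true
    docinfo_target => "[@metadata][doc]"
    docinfo_fields => ["_index", "_id"]
    # Assumption: statistics documents carry "timestamp", not "@timestamp".
    # Check with GET wazuh-statistics-*/_mapping and adjust the field and window.
    query => '{ "query": { "range": { "timestamp": { "gt": "now-5m" } } } }'
    schedule => "*/5 * * * *"
    tags => ["wazuh-statistics"]
  }
}

output {
  elasticsearch {
    hosts => ["ELASTIC_HOST:9200"]              # placeholder
    user => "ELASTIC_USER"                      # placeholder
    password => "ELASTIC_PASSWORD"              # placeholder
    ssl => true
    cacert => "/etc/logstash/elasticsearch-certs/http_ca.crt"   # placeholder path
    # Reuse the source index name so alerts and statistics stay in separate
    # indices with the same names they had in the Wazuh indexer.
    index => "%{[@metadata][doc][_index]}"
    # Reusing the source _id makes the scheduled poll idempotent: a document
    # fetched twice overwrites itself instead of being duplicated.
    document_id => "%{[@metadata][doc][_id]}"
  }
}
```

The tags let you add a conditional filter or a second output for the statistics events later without touching the alerts path.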