Sending Wazuh logs to AWS Opensearch

[Djordje Dosic]

Hello guys,

We are currently evaluating Amazon's Opensearch (as a paid service), and I was wondering how we can send Wazuh logs directly to AWS Opensearch. I checked your official docs and saw that there is mentioned integration with Opensearch via Logstash. Is there any other log shipper we can use beside Logstash?

Thanks

[Mariano Koremblum]

Hi Djordje,

When you say Wazuh logs, do you mean the manager's logs (ossec.log)? do you mean agent's logs? Do you mean the alerts?

Could you please clarify?

Best Regards,

Mariano Koremblum

[Djordje Dosic]

Hi Mariano, I meant alerts.json logs.

Best Regards

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/oel9l6vUPA4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/94953b4f-5b93-48c7-9fb1-1d2f3ecad1e5n%40googlegroups.com.

[Mariano Koremblum]

Hi Djordje,

If your Amazon's Openesearch has a Syslog server then you can directly forward the alerts by configuring it in the `ossec.conf` file, to do so please take a look at the following documentation page:

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syslog-output.html

If you have Opensearch running in the same node as your Wazuh manager, then you might be able to directly index the `alerts.json` file located in `/var/ossec/logs/alerts/alerts.json`.

I hope my answer helps you,

Best regards,

Mariano Koremblum