New vulnerability detector and Splunk


Carlos Lopez

Jun 17, 2024, 2:46:01 AM
to wa...@googlegroups.com
Hi all,

With the new version of Wazuh and the change in the vulnerability detection module, it seems that it is mandatory to use Wazuh indexer, either an Opensearch instance or an Elasticsearch instance.

But what about Splunk? I am using Splunk in all my backends for Wazuh events ... Does some solution exist? Or is it only possible to use Wazuh Indexer/OpenSearch/Elasticsearch?

Another question: is it possible to rename index names for the new vulnerability detector?

Best regards,
C. L. Martinez

Lucas Esteban Pedrosa

Jun 18, 2024, 12:32:39 PM
to Wazuh | Mailing List
Hello, Carlos

While the new Vulnerability Detector uses an index in Wazuh Indexer, the rest of the functionality in Wazuh remains nearly the same, and if you currently have an integration with Splunk, you should be able to continue to use it for everything other than VD. Version 4.8.0 is very recent and at this time I can't confirm whether the VD index can also be forwarded to Splunk, but looking at the graph in this documentation article:

https://documentation.wazuh.com/current/integrations-guide/splunk/index.html

it looks like it can't. Similarly for renaming the VD index. I know that it's possible to use another index name for the regular alert and archive indices, but I will need to find out for you whether it's possible to also rename the VD ones. Is your setup with Splunk similar to what's described in the article?

Best regards,
Lucas