several indices in wazuh


Henry Valero

Jun 8, 2026, 4:30:49 PM (4 days ago)
to Wazuh | Mailing List
Hi,
I have Wazuh 4.12 installed in a distributed environment, with one Wazuh component on each server. I have centralized server, firewall, and Suricata events, all stored in a single index. I'd like to separate the indexes: the default Wazuh index for Windows and Linux agents, another index for firewall events ingested into Wazuh via rsyslog, and a third index for Suricata and Zeek events ingested into Wazuh via an agent.

How can I achieve this by having multiple indexes in Wazuh?

Regards,
Henry

lucas....@wazuh.com

Jun 8, 2026, 5:02:29 PM (4 days ago)
to Wazuh | Mailing List
Hi Henry,

Yes, this is possible. Wazuh routes everything into wazuh-alerts-* by default, but you can split events into separate indices by customizing the Filebeat pipeline and the indexer template so that alerts are routed conditionally (most commonly by rule group, decoder, or location) into dedicated indices like wazuh-firewall-*, wazuh-custom-*, etc.

The general approach:

1. Add your custom index patterns to the indexer template (alongside the default wazuh-alerts-*), so the indices get the correct mappings.
2. Edit the Filebeat Wazuh module ingest pipeline to add conditions that route matching events to the custom index instead of the default one (typically based on a field like rule.groups, decoder.name, or the agent/location the events come from).
3. Create the matching index patterns in the Wazuh dashboard (using timestamp as the time field) so you can visualize each index separately.

Have a look at these docs; there's a step-by-step guide on how to create custom indices that might be helpful.
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-tuning.html

I hope this helps. Let me know if you have any doubts.

Henry Valero

Jun 9, 2026, 11:37:27 AM (3 days ago)
to Wazuh | Mailing List
Thanks Lucas,
At what point or where is it configured to store events in a specific index, as appropriate, since all indexes will be within the same wazuh-indexer?
In other words, at what point will the wazuh-manager know which of the created indexes the event should be sent to?

Regards,
Henry

lucas....@wazuh.com

2:34 PM (8 hours ago)
to Wazuh | Mailing List
Hi Henry,

Sorry for my late reply. I hope you're well.

Good question!! The wazuh-manager itself doesn't decide the index. The manager just writes every alert to /var/ossec/logs/alerts/alerts.json. It doesn't know "which index" an event belongs to.

The routing happens one step later, in Filebeat. Filebeat reads alerts.json and ships each event to the wazuh-indexer.
The decision of which index an event lands in is made by the ingest pipeline (the Wazuh Filebeat module pipeline running on the indexer side). That's where you add conditions based on a field already present in the event, like rule.groups, decoder.name, or the agent/location, to override the default target index (wazuh-alerts-*) and send matching events there. Then, the indexer template ensures each of those index patterns gets the correct field mappings.

I hope this helps, let me know if you have any questions regarding this issue.

Best,
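
The routing decision described in the reply above, modelled as an added example (not code from the thread or from the Wazuh project): it reads constructed alerts.json lines and returns the daily index each one would land in, using the same kinds of conditions (rule.groups, decoder.name, location) that you would express as `if` clauses on the pipeline's processors. The index prefixes, field values and sample events are assumptions chosen for illustration.

```python
import json
from datetime import datetime

# Constructed sample of what the manager writes to alerts.json: one Windows agent event,
# one rsyslog-ingested firewall event, one Suricata event, and one event with no rule block.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2026-06-08T16:30:49.123+0000", "agent": {"id": "001", "name": "win-srv"},
                "rule": {"groups": ["windows", "sysmon"]}, "decoder": {"name": "windows_eventchannel"}}),
    json.dumps({"timestamp": "2026-06-08T16:31:02.000+0000", "agent": {"id": "000", "name": "wazuh-manager"},
                "location": "/var/log/firewall/fw01.log", "decoder": {"name": "fortigate-firewall-v5"},
                "rule": {"groups": ["firewall", "fortigate"]}}),
    json.dumps({"timestamp": "2026-06-09T11:37:27.000+0000", "agent": {"id": "002", "name": "ids-sensor"},
                "location": "/var/log/suricata/eve.json", "rule": {"groups": ["ids", "suricata"]},
                "decoder": {"name": "json"}}),
    # Edge case: event without a rule block. Must not crash and must fall back to the default index.
    json.dumps({"timestamp": "2026-06-09T11:40:00.000+0000", "agent": {"id": "003"}}),
])

DEFAULT_PREFIX = "wazuh-alerts-4.x-"  # assumed default prefix; custom prefixes below are assumptions too


def groups(alert):
    # Null-safe read of rule.groups, the same guard a Painless condition needs (ctx.rule?.groups).
    return (alert.get("rule") or {}).get("groups") or []


# Ordered routing table: first matching predicate wins, otherwise the default prefix is used.
ROUTES = [
    ("wazuh-suricata-", lambda a: bool({"suricata", "zeek"} & set(groups(a)))),
    ("wazuh-firewall-", lambda a: "firewall" in groups(a)
                                  or str(a.get("location", "")).startswith("/var/log/firewall/")),
]


def index_for(alert):
    # Same shape a date_index_name processor produces: prefix + timestamp rounded to the day (yyyy.MM.dd).
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    prefix = next((p for p, pred in ROUTES if pred(alert)), DEFAULT_PREFIX)
    return prefix + ts.strftime("%Y.%m.%d")


def route_alerts(raw):
    """Return [(agent name or id, target index)] for each non-empty JSON line, in file order."""
    out = []
    for line in raw.splitlines():
        if line.strip():
            alert = json.loads(line)
            out.append((alert["agent"].get("name", alert["agent"]["id"]), index_for(alert)))
    return out


if __name__ == "__main__":
    for name, idx in route_alerts(SAMPLE_ALERTS):
        print(f"{name:14} -> {idx}")
```

Each custom prefix used here must also be covered by the indexer template and have its own index pattern in the dashboard, as the earlier reply describes.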
