Wazuh-Indexer,Filebeat, and Graylog Issues

[Ron Garvin]

If I remove compatibility.override_main_response_version: true in /etc/wazuh-indexer/opensearch.yml then Filebeat fails, if I put it back then filebeat runs but graylog fails.

Anyone have a solution for this yet.  All updates have been applied.

Ron

[Gastón Palomeque]

Hello Ron,

Thanks for using Wazuh!

The OpenSearch configuration compatibility.override_main_response_version must be set to true in order to use Filebeat. This configuration sets OpenSearch to report its version as 7.10 instead of its actual version. Filebeat checks for the version before connecting and fails if it doesn't support it.

Regarding graylog not working properly, it's something that is not related to Wazuh but to the integration between Filebeat and graylog. I'm afraid I can't help you with that. However, I found a guide from the graylog team that explains how to send logs from Filebeat that might be useful to you.

Please let me know if there is anything else I can help you with.

Best regards,

Gastón Palomeque