replace elasticsearch output hosts from filebeat.yml on helm kubernetes

[Ciocoiu Petrisor]

Hi team,

How can I replace elasticsearch output host in filebeat.yml on kubernetes, I tried with 2 methods:

A. from values.yml - not override 

  env:

    ELASTICSEARCH_URL: http://elasticsearch:9200

B. by configmap filebeat.yml but is overriding entire /etc/filebeat.

Regards

[Gonzalo Acuña]

Hi.
Would you tell me what version of Wazuh are you using?
The "ELASTICSEARCH_URL" variable is used when the Manager pod starts. The "1-config-filebeat" script runs a "sed" command to configure the "hosts" parameter in the "filebeat.yml":
https://github.com/wazuh/wazuh-docker/blob/v4.2.7/wazuh-odfe/config/etc/cont-init.d/1-config-filebeat#L6-L9
So, if you change the "ELASTICSEARCH_URL" variable, the "hosts" value should change after the Manager pods are restarted. Make sure the environment value is updated for the Master and Worker pods and check that the Manager pods are restarted after the change.
I have verified the behavior with the wazuh-kubernetes deployment for EKS.

Regarding the configMap, are you saying that it overrides the entire directory?

[Ciocoiu Petrisor]

Hi,

In order to change the elasticsearch hosts output for filebeat you need to use the following env:

          env:

            - name: INDEXER_URL

              value: 'http://elasticsearch:9200'

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a2b0a800-a9fe-486a-9213-73c2e080822an%40googlegroups.com.