Configuring multitenancy for syslog logs on Wazuh


Gerald muchuku

Dec 16, 2025, 9:58:07 AM
to Wazuh | Mailing List
Hi, 
I have configured syslog on Fortigate firewalls enabling me to receive the firewall logs on Wazuh manager and visualize them on the dashboard. 
However, I have a multitenancy setup on the Wazuh instance and I want to assign the firewall logs to one tenant such that the other tenant cannot see them.
I have tried the following:
1. Modifying the ingest pipeline files (/usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json, /usr/share/filebeat/module/wazuh/archives/ingest/pipeline.json) to read logs from fortigate-combined.log by inserting the following config into the above-named files to set the field and value:
{
  "set": {
    "if": "ctx.location != null && ctx.location.contains('fortigate-combined.log')",
    "field": "@org",
    "value": "ClientA",
    "ignore_failure": true
  }
}

2. Adding a label to the firewall logs using Filebeat by editing the Filebeat config file (/etc/filebeat/filebeat.yml) and adding the following config:
processors:
  - add_fields:
      when:
        contains:
          log.file.path: "fortigate-combined.log"
      fields:
        "@org": "ClientA"
      target: ""

rodrigo....@wazuh.com

Dec 16, 2025, 10:48:38 AM
to Wazuh | Mailing List
Hello Gerald,

I am looking into this and will get back to you shortly with a detailed response.

rodrigo....@wazuh.com

Dec 16, 2025, 1:28:33 PM
to Wazuh | Mailing List
Gerald,

I understand that you tried to achieve tenant isolation by tagging data, and in fact the changes you made correctly tag FortiGate logs as belonging to ClientA, but tagging data does not enforce tenant isolation.
In Wazuh, multitenancy is enforced by index-level permissions, not by fields inside the document. Since all tenants can access the same index, they can all see the FortiGate logs regardless of the @org field.

In order to achieve the tenant isolation effect, I recommend that you use index roles and permissions to restrict data access to certain clients.

Here is the documentation on how to create new custom indexes for reference: https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html#creating-custom-index-pattern.

As an example, you can create the role clienta_fortigate_role and grant access only to the custom index you have created (for example wazuh-archives-fortigate-clienta-*). Then, by assigning the permissions read, search and view_index_metadata, you achieve isolation.
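The following script is an added example, not code from the thread or from Wazuh. It builds the OpenSearch Security role and role mapping that the reply above describes (the Wazuh indexer is OpenSearch, so the security plugin's REST API paths `_plugins/_security/api/roles/<role>` and `_plugins/_security/api/rolesmapping/<role>` apply), and it replays the plugin's index-level decision offline over a few constructed documents to show why the `@org` tag alone changes nothing: visibility is decided by matching the document's index name against the role's `index_patterns`, never by a field inside the document. The indexer URL, admin credentials, the user name `clienta_analyst`, the second tenant's role and its `wazuh-alerts-4.x-*` pattern, and the sample documents are all assumptions for illustration.

```python
"""Added example: index-level tenant isolation on the Wazuh indexer.

Not from the thread or from Wazuh. Endpoints are the OpenSearch Security
plugin's REST API; host, credentials, user names and sample documents are
hypothetical.
"""
import base64
import fnmatch
import json
import ssl
import urllib.request

ROLE_NAME = "clienta_fortigate_role"                 # name suggested in the thread
INDEX_PATTERN = "wazuh-archives-fortigate-clienta-*"  # dedicated index for ClientA
ALLOWED_ACTIONS = ["read", "search", "view_index_metadata"]


def build_role(index_pattern=INDEX_PATTERN, allowed_actions=ALLOWED_ACTIONS):
    """Body for PUT _plugins/_security/api/roles/<role>: index permissions only,
    no write actions, no tenant permissions."""
    return {
        "cluster_permissions": [],
        "index_permissions": [
            {"index_patterns": [index_pattern], "allowed_actions": list(allowed_actions)}
        ],
        "tenant_permissions": [],
    }


def build_role_mapping(users=(), backend_roles=()):
    """Body for PUT _plugins/_security/api/rolesmapping/<role>."""
    return {"users": list(users), "backend_roles": list(backend_roles), "hosts": []}


def index_visible(role, index_name):
    """Replay the plugin's index-level check: any index_patterns glob that matches
    the concrete index name grants the listed actions. Document fields such as
    @org are never consulted, which is the point of the reply above."""
    return any(
        fnmatch.fnmatchcase(index_name, pattern)
        for perm in role["index_permissions"]
        for pattern in perm["index_patterns"]
    )


def visible_docs(role, docs):
    """Index names of the documents a holder of `role` could read."""
    return [d["_index"] for d in docs if index_visible(role, d["_index"])]


# Constructed sample documents (not real alerts). Doc 1 is what tagging alone
# produces: a ClientA FortiGate event still living in the shared alerts index.
DOCS = [
    {"_index": "wazuh-alerts-4.x-2025.12.16", "@org": "ClientA", "location": "fortigate-combined.log"},
    {"_index": "wazuh-archives-fortigate-clienta-2025.12.16", "@org": "ClientA", "location": "fortigate-combined.log"},
    {"_index": "wazuh-alerts-4.x-2025.12.16", "@org": "ClientB", "location": "clientb-agent"},
]

CLIENTA_ROLE = build_role()                        # thread's recommendation
CLIENTB_ROLE = build_role("wazuh-alerts-4.x-*")    # hypothetical second tenant


def apply_role(base_url, auth, role_name, role_body, mapping_body, verify_tls=True):
    """PUT the role and its mapping through the security REST API (needs a live
    indexer and an admin user; not exercised offline)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab clusters with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    results = {}
    for path, body in (
        (f"_plugins/_security/api/roles/{role_name}", role_body),
        (f"_plugins/_security/api/rolesmapping/{role_name}", mapping_body),
    ):
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            data=json.dumps(body).encode(),
            method="PUT",
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            results[path] = json.load(resp)
    return results


if __name__ == "__main__":
    print(json.dumps(CLIENTA_ROLE, indent=2))
    print("ClientA role sees:", visible_docs(CLIENTA_ROLE, DOCS))
    print("ClientB role sees:", visible_docs(CLIENTB_ROLE, DOCS))
    # Uncomment against a real indexer (hypothetical host and credentials):
    # apply_role("https://127.0.0.1:9200", ("admin", "admin"), ROLE_NAME,
    #            CLIENTA_ROLE, build_role_mapping(users=["clienta_analyst"]))
```

Two things the offline check makes visible. First, the `@org`-tagged document that stays in `wazuh-alerts-4.x-*` is readable by the ClientB role, so the events must actually be routed into the dedicated index (in the ingest pipeline or Filebeat output) before the role means anything. Second, patterns are globs: a pre-existing role holding `wazuh-archives-*` would still match `wazuh-archives-fortigate-clienta-2025.12.16`, so audit the other tenant's roles for overlapping patterns rather than only adding the new one.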

Gerald muchuku

Dec 16, 2025, 2:01:36 PM
to Wazuh | Mailing List
Thank you for the response. I will try this and get back to you with the results I get