Updated Filebeat config for Elastic 7

2025-10-23 04:51:57 +00:00 · 2019-05-14 15:06:12 +02:00
parent eadc765860
commit 780dfe1a51
1 changed files with 50 additions and 15 deletions
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -1,18 +1,53 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-filebeat:
+filebeat.inputs:
 prospectors:
  - type: log
    paths:
-     - "/var/ossec/logs/alerts/alerts.json"
+      - '/var/ossec/logs/alerts/alerts.json'
    document_type: json
    json.message_key: log
    json.keys_under_root: true
    json.overwrite_keys: true
    tail_files: true
-output:
+setup.template.json.enabled: true
- logstash:
+setup.template.json.path: "/etc/filebeat/wazuh-elastic7-template-alerts.json"
-   # The Logstash hosts
+setup.template.json.name: "wazuh"
-   hosts: ["logstash:5000"]
+setup.template.overwrite: true
-#   ssl:
+
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
+processors:
  - decode_json_fields:
      fields: ['message']
      process_array: true
      max_depth: 200
      target: ''
      overwrite_keys: true
  - drop_fields:
      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
  - rename:
      fields:
        - from: "data.aws.sourceIPAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.srcip"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.win.eventdata.ipAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
 output.elasticsearch:
  hosts: ['http://elasticsearch:9200']
  #pipeline: geoip
  indices:
    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'