Update filebeat.yml

2025-11-04 05:53:19 +00:00 · 2019-08-29 16:32:06 +02:00
1 changed files with 12 additions and 49 deletions
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -1,53 +1,16 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
-filebeat.inputs:
+# Wazuh - Filebeat configuration file
-  - type: log
+filebeat.modules:
-    paths:
+  - module: wazuh
-      - '/var/ossec/logs/alerts/alerts.json'
+    alerts:
      enabled: true
    archives:
      enabled: false
 setup.template.json.enabled: true
-setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
-setup.template.json.name: "wazuh"
+setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
 setup.ilm.enabled: false
-processors:
+output.elasticsearch.hosts: ['http://elasticsearch:9200']
  - decode_json_fields:
      fields: ['message']
      process_array: true
      max_depth: 200
      target: ''
      overwrite_keys: true
  - drop_fields:
      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
  - rename:
      fields:
        - from: "data.aws.sourceIPAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.srcip"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
  - rename:
      fields:
        - from: "data.win.eventdata.ipAddress"
          to: "@src_ip"
      ignore_missing: true
      fail_on_error: false
      when:
        regexp:
          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
 output.elasticsearch:
  hosts: ['http://elasticsearch:9200']
  #pipeline: geoip
  indices:
    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'