wazuh-docker-orginal/logstash/config/logstash.conf

# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
#input {
#    beats {
#        port => 5000
#        codec => "json_lines"
#        ssl => true
#        ssl_certificate => "/etc/logstash/logstash.crt"
#        ssl_key => "/etc/logstash/logstash.key"
#    }
#}
## Local Wazuh Manager - JSON file input
input {
   file {
       type => "wazuh-alerts"
       path => "/var/ossec/logs/alerts/alerts.json"
       codec => "json"
   }
}
filter {
    geoip {
        source => "srcip"
        target => "GeoLocation"
    }
    mutate {
        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
    }
}
output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
        document_type => "wazuh"
        template => "/etc/logstash/wazuh-elastic5-template.json"
        template_name => "wazuh"
        template_overwrite => true
    }
}