mirror of
https://github.com/wazuh/wazuh-docker.git
synced 2025-11-02 13:03:23 +00:00
43 lines
1.0 KiB
Plaintext
43 lines
1.0 KiB
Plaintext
# Wazuh - Logstash configuration file
|
|
## Remote Wazuh Manager - Filebeat input
|
|
input {
|
|
beats {
|
|
port => 5000
|
|
codec => "json_lines"
|
|
# ssl => true
|
|
# ssl_certificate => "/etc/logstash/logstash.crt"
|
|
# ssl_key => "/etc/logstash/logstash.key"
|
|
}
|
|
}
|
|
## Local Wazuh Manager - JSON file input
|
|
#input {
|
|
# file {
|
|
# type => "wazuh-alerts"
|
|
# path => "/var/ossec/data/logs/alerts/alerts.json"
|
|
# codec => "json"
|
|
# }
|
|
#}
|
|
filter {
|
|
geoip {
|
|
source => "srcip"
|
|
target => "GeoLocation"
|
|
}
|
|
date {
|
|
match => ["timestamp", "ISO8601"]
|
|
target => "@timestamp"
|
|
}
|
|
mutate {
|
|
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ]
|
|
}
|
|
}
|
|
output {
|
|
elasticsearch {
|
|
hosts => ["elasticsearch:9200"]
|
|
index => "wazuh-alerts-%{+YYYY.MM.dd}"
|
|
document_type => "wazuh"
|
|
template => "/etc/logstash/wazuh-elastic5-template.json"
|
|
template_name => "wazuh"
|
|
template_overwrite => true
|
|
}
|
|
}
|