{"id":8802,"date":"2021-05-11T08:17:43","date_gmt":"2021-05-11T05:17:43","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8802"},"modified":"2024-03-18T22:33:27","modified_gmt":"2024-03-18T19:33:27","slug":"integrate-wazuh-manager-with-elk-stack","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/integrate-wazuh-manager-with-elk-stack\/","title":{"rendered":"Integrate Wazuh Manager with ELK Stack"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to integrate Wazuh manager with ELK stack as a unified Security Information and Event management tool. <em>Wazuh consists of an&nbsp;endpoint security agent, deployed to the monitored systems, and a&nbsp;management server, which collects and analyzes data gathered by the agents.  Wazuh can be fully integrated with the&nbsp;Elastic Stack, which provides a search engine and data visualization tool that allows users to navigate through their security alerts<\/em>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#integrating-wazuh-manager-with-elk-stack\">Integrating Wazuh Manager with ELK Stack<\/a><ul><li><a href=\"#install-wazuh-server-on-debian-12-11-10\">Install Wazuh Server on Debian 12\/11\/10<\/a><ul><li><a href=\"#install-wazuh-repository-on-debian-12-11-10\">Install Wazuh Repository on Debian 12\/11\/10<\/a><\/li><li><a href=\"#install-wazuh-server-on-debian-12-11-10-1\">Install Wazuh Server on Debian 12\/11\/10<\/a><\/li><\/ul><\/li><li><a href=\"#install-elk-elastic-stack-on-debian-12-11-10\">Install ELK\/Elastic Stack on Debian 12\/11\/10<\/a><\/li><li><a href=\"#integrating-wazuh-manager-with-elk-stack-2\">Integrating Wazuh Manager with ELK Stack<\/a><ul><li><a href=\"#install-logstash\">Install Logstash<\/a><\/li><li><a href=\"#install-logstash-elasticsearch-output-plugin\">Install Logstash Elasticsearch output plugin<\/a><\/li><li><a href=\"#install-elasticsearch-mapping-template\">Install Elasticsearch Mapping Template<\/a><\/li><li><a href=\"#configure-logstash-to-read-wazuh-data-and-sent-to-elasticsearch\">Configure Logstash to Read Wazuh Data and Sent to Elasticsearch<\/a><\/li><li><a href=\"#test-validity-of-logstash-configuration\">Test Validity of Logstash Configuration<\/a><\/li><li><a href=\"#running-logstash\">Running Logstash<\/a><\/li><li><a href=\"#verify-wazuh-alerts-index-creation-on-elasticsearch-via-kibana\">Verify Wazuh Alerts Index Creation on Elasticsearch via Kibana<\/a><\/li><li><a href=\"#create-wazuh-index-patterns-on-kibana\">Create Wazuh Index patterns on Kibana<\/a><\/li><li><a href=\"#import-wazuh-elastic-dashboards\">Import Wazuh Elastic Dashboards<\/a><\/li><li><a href=\"#viewing-wazuh-dashboards-on-kibana\">Viewing Wazuh Dashboards on Kibana<\/a><\/li><li><a href=\"#install-wazuh-agents-and-visualize-the-events-data\">Install Wazuh Agents and Visualize the Events Data<\/a><\/li><\/ul><\/li><li><a href=\"#reference\">Reference<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"integrating-wazuh-manager-with-elk-stack\">Integrating Wazuh Manager with ELK Stack<\/h2>\n\n\n\n<p>There are different deployment methods:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>All-in-one deployment<\/strong> where all the Wazuh and ELK components are installed on a single node. Suitable for testing or small working environements.<\/li>\n\n\n\n<li><strong>Distributed deployment<\/strong> where each component is installed on a separate node. Provides high availability and scalability and hence suitable for large working environments.<\/li>\n<\/ul>\n\n\n\n<p>This tutorial will use an all-in-one deployment method<\/p>\n\n\n\n<p>Also <strong>NOTE<\/strong> that we are running our setup on an Debian system.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-wazuh-server-on-debian-12-11-10\"><a class=\"rank-math-link\" href=\"#wazuh-server-debian-10\">Install Wazuh Server on Debian 12\/11\/10<\/a><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-repository-on-debian-12-11-10\">Install Wazuh Repository on Debian 12\/11\/10<\/h4>\n\n\n\n<p>To install the latest version of Wazuh server on Debian, you need to create the Wazuh repository as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo su -<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>apt install curl \\\n\tapt-transport-https \\\n\tunzip \\\n\twget \\\n\tlibcap2-bin \\\n\tsoftware-properties-common \\\n\tlsb-release \\\n\tgnupg2\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/packages.wazuh.com\/key\/GPG-KEY-WAZUH | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/wazuh.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"deb https:\/\/packages.wazuh.com\/4.x\/apt stable main\" | tee \/etc\/apt\/sources.list.d\/wazuh.list<\/pre>\n\n\n\n<p>Update the package information:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-server-on-debian-12-11-10-1\">Install Wazuh Server on Debian 12\/11\/10<\/h4>\n\n\n\n<p>Next, install Wazuh manager on Debian 12\/11\/10.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt install wazuh-manager<\/pre>\n\n\n\n<p>Once the installation is complete, you can start and enable Wazuh-manager to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl enable --now wazuh-manager<\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status wazuh-manager<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf wazuh-manager.service - Wazuh manager\n     Loaded: loaded (\/lib\/systemd\/system\/wazuh-manager.service; enabled; preset: enabled)\n     Active: active (running) since Sat 2024-03-02 03:07:53 EST; 15s ago\n    Process: 1932 ExecStart=\/usr\/bin\/env \/var\/ossec\/bin\/wazuh-control start (code=exited, status=0\/SUCCESS)\n      Tasks: 139 (limit: 9475)\n     Memory: 642.1M\n        CPU: 21.665s\n     CGroup: \/system.slice\/wazuh-manager.service\n             \u251c\u25001988 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u25002027 \/var\/ossec\/bin\/wazuh-authd\n             \u251c\u25002044 \/var\/ossec\/bin\/wazuh-db\n             \u251c\u25002067 \/var\/ossec\/bin\/wazuh-execd\n             \u251c\u25002071 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u25002074 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u25002077 \/var\/ossec\/framework\/python\/bin\/python3 \/var\/ossec\/api\/scripts\/wazuh-apid.py\n             \u251c\u25002090 \/var\/ossec\/bin\/wazuh-analysisd\n             \u251c\u25002151 \/var\/ossec\/bin\/wazuh-syscheckd\n             \u251c\u25002166 \/var\/ossec\/bin\/wazuh-remoted\n             \u251c\u25002198 \/var\/ossec\/bin\/wazuh-logcollector\n             \u251c\u25002251 \/var\/ossec\/bin\/wazuh-monitord\n             \u2514\u25002309 \/var\/ossec\/bin\/wazuh-modulesd\n\nMar 02 03:07:44 wazuh-elk env[1932]: Started wazuh-db...\nMar 02 03:07:45 wazuh-elk env[1932]: Started wazuh-execd...\nMar 02 03:07:46 wazuh-elk env[1932]: Started wazuh-analysisd...\nMar 02 03:07:47 wazuh-elk env[1932]: Started wazuh-syscheckd...\nMar 02 03:07:48 wazuh-elk env[1932]: Started wazuh-remoted...\nMar 02 03:07:49 wazuh-elk env[1932]: Started wazuh-logcollector...\nMar 02 03:07:50 wazuh-elk env[1932]: Started wazuh-monitord...\nMar 02 03:07:51 wazuh-elk env[1932]: Started wazuh-modulesd...\nMar 02 03:07:53 wazuh-elk env[1932]: Completed.\nMar 02 03:07:53 wazuh-elk systemd[1]: Started wazuh-manager.service - Wazuh manager.\n<\/code><\/pre>\n\n\n\n<p>Check that Wazuh ports are opened;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altpn | grep -P '15\\d+|55\\d+'<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>LISTEN 0      128               0.0.0.0:1514       0.0.0.0:*    users:((\"wazuh-remoted\",pid=2166,fd=4))\nLISTEN 0      128               0.0.0.0:1515       0.0.0.0:*    users:((\"wazuh-authd\",pid=2027,fd=3))  \nLISTEN 0      128               0.0.0.0:55000      0.0.0.0:*    users:((\"python3\",pid=1988,fd=40))\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elk-elastic-stack-on-debian-12-11-10\">Install ELK\/Elastic Stack on Debian 12\/11\/10<\/h3>\n\n\n\n<p>ELK Stack 8.12 is the <a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/es-release-notes.html\" target=\"_blank\" rel=\"noreferrer noopener\">current stable release<\/a> of this guide update.<\/p>\n\n\n\n<p>We have already provided a comprehensive tutorial on how to install and setup ELK stack 8 on Debian in our previous guide. So follow through to setup your ELK stack on Debian.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elk-stack-8-on-debian-12\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ELK Stack 8 on Debian<\/a><\/p>\n\n\n\n<p>In the guide above, however, we didn&#8217;t cover installation of Logstash. So, once you are done installing Elasticsearch and Kibana, install Logstash. <strong>Ensure that all ELK stack components are of similar version number!<\/strong><\/p>\n\n\n\n<p>We already have ELK stack 8.x repos in place, so let us install Logstash 8;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install logstash<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"integrating-wazuh-manager-with-elk-stack-2\">Integrating Wazuh Manager with ELK Stack<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-logstash\">Install Logstash<\/h4>\n\n\n\n<p>As from Wazuh v4.6.0, Kibana plugins are not supported anymore. Thus, the only way to integrate Wazuh manager with ELK stack is to configure Wazuh manager to sent the security data to Logstash, which processes the data and sent to Elasticsearch indexing and search analytics engine, where you can visualize using Kibana.<\/p>\n\n\n\n<p>We have already provided a command to install Logstash in the step above. So we are good to proceed.<\/p>\n\n\n\n<p>As already mentioned before, this is a single node deployment. Hence, we have all the components, Wazuh manager, Kibana, Elasticsearch and Logstash on the same node. You can consider using a distributed deployment for production environments.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-logstash-elasticsearch-output-plugin\">Install Logstash Elasticsearch output plugin<\/h4>\n\n\n\n<p>In in Logstash, output plugins are used to define where events processed by Logstash should be sent. These plugins determine the destination of the data after it has been filtered and processed. Logstash supports a variety of output plugins to facilitate sending data to different destinations. For example, the Elasticsearch output plugin in Logstash is used to send processed and transformed events to an Elasticsearch cluster.<\/p>\n\n\n\n<p>You can install the plugin on the node running Logstash as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/logstash\/bin\/logstash-plugin install logstash-output-elasticsearch<\/code><\/pre>\n\n\n\n<p>Sample installation output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Using bundled JDK: \/usr\/share\/logstash\/jdk\nValidating logstash-output-elasticsearch\nResolving mixin dependencies\nUpdating mixin dependencies logstash-mixin-ecs_compatibility_support, logstash-mixin-deprecation_logger_support, logstash-mixin-ca_trusted_fingerprint_support, logstash-mixin-normalize_config_support\nBundler attempted to update logstash-mixin-ecs_compatibility_support but its version stayed the same\nBundler attempted to update logstash-mixin-deprecation_logger_support but its version stayed the same\nBundler attempted to update logstash-mixin-ca_trusted_fingerprint_support but its version stayed the same\nBundler attempted to update logstash-mixin-normalize_config_support but its version stayed the same\nInstalling logstash-output-elasticsearch\nInstallation successful\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-elasticsearch-mapping-template\">Install Elasticsearch Mapping Template<\/h4>\n\n\n\n<p>In this step, we will configure Elasticsearch to use a predefined Logstash\/Wazuh mapping template. The mappings define how fields are interpreted by Elasticsearch. This ensures that Elasticsearch can index the Wazuh data collected by Logstash correctly.<\/p>\n\n\n\n<p>To use a custom Elasticsearch mapping template, you define a valid path to the location of the custom template json file on the Logstash Elasticsearch output configuration using the <strong>template<\/strong> option.<\/p>\n\n\n\n<p>Thus, run the command below to install Wazuh Elasticsearch mapping template.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>curl -sL https:\/\/packages.wazuh.com\/integrations\/elastic\/4.x-8.x\/dashboards\/wz-es-4.x-8.x-template.json -o \/etc\/logstash\/wazuh.json\n<\/code><\/pre>\n\n\n\n<p>This is how the template look like by default;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/logstash\/wazuh.json<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>{\n  \"index_patterns\": \"wazuh-*\",\n  \"template\": {\n    \"settings\": {\n      \"index\": {\n        \"routing\": {\n          \"allocation\": {\n            \"include\": {\n              \"_tier_preference\": \"data_content\"\n            }\n          }\n        },\n        \"mapping\": {\n          \"total_fields\": {\n            \"limit\": \"10000\"\n          }\n        },\n        \"refresh_interval\": \"5s\",\n        \"number_of_shards\": \"3\",\n        \"auto_expand_replicas\": \"0-1\",\n        \"query\": {\n          \"default_field\": [\n            \"GeoLocation.city_name\",\n            \"GeoLocation.continent_code\",\n            \"GeoLocation.country_code2\",\n            \"GeoLocation.country_code3\",\n            \"GeoLocation.country_name\",\n            \"GeoLocation.ip\",\n            \"GeoLocation.postal_code\",\n            \"GeoLocation.real_region_name\",\n            \"GeoLocation.region_name\",\n            \"GeoLocation.timezone\",\n            \"agent.id\",\n            \"agent.ip\",\n            \"agent.name\",\n            \"cluster.name\",\n            \"cluster.node\",\n            \"command\",\n            \"data\",\n            \"data.action\",\n            \"data.audit\",\n            \"data.audit.acct\",\n            \"data.audit.arch\",\n            \"data.audit.auid\",\n            \"data.audit.command\",\n            \"data.audit.cwd\",\n            \"data.audit.dev\",\n            \"data.audit.directory.inode\",\n            \"data.audit.directory.mode\",\n            \"data.audit.directory.name\",\n            \"data.audit.egid\",\n            \"data.audit.enforcing\",\n            \"data.audit.euid\",\n            \"data.audit.exe\",\n            \"data.audit.execve.a0\",\n            \"data.audit.execve.a1\",\n            \"data.audit.execve.a2\",\n            \"data.audit.execve.a3\",\n            \"data.audit.exit\",\n            \"data.audit.file.inode\",\n            \"data.audit.file.mode\",\n            \"data.audit.file.name\",\n            \"data.audit.fsgid\",\n            \"data.audit.fsuid\",\n            \"data.audit.gid\",\n            \"data.audit.id\",\n            \"data.audit.key\",\n            \"data.audit.list\",\n            \"data.audit.old-auid\",\n            \"data.audit.old-ses\",\n            \"data.audit.old_enforcing\",\n            \"data.audit.old_prom\",\n            \"data.audit.op\",\n            \"data.audit.pid\",\n            \"data.audit.ppid\",\n            \"data.audit.prom\",\n            \"data.audit.res\",\n            \"data.audit.session\",\n            \"data.audit.sgid\",\n            \"data.audit.srcip\",\n            \"data.audit.subj\",\n            \"data.audit.success\",\n            \"data.audit.suid\",\n            \"data.audit.syscall\",\n            \"data.audit.tty\",\n            \"data.audit.uid\",\n            \"data.aws.accountId\",\n            \"data.aws.account_id\",\n            \"data.aws.action\",\n            \"data.aws.actor\",\n            \"data.aws.aws_account_id\",\n            \"data.aws.description\",\n            \"data.aws.dstport\",\n            \"data.aws.errorCode\",\n            \"data.aws.errorMessage\",\n            \"data.aws.eventID\",\n            \"data.aws.eventName\",\n            \"data.aws.eventSource\",\n            \"data.aws.eventType\",\n            \"data.aws.id\",\n            \"data.aws.name\",\n            \"data.aws.requestParameters.accessKeyId\",\n            \"data.aws.requestParameters.bucketName\",\n            \"data.aws.requestParameters.gatewayId\",\n            \"data.aws.requestParameters.groupDescription\",\n            \"data.aws.requestParameters.groupId\",\n            \"data.aws.requestParameters.groupName\",\n            \"data.aws.requestParameters.host\",\n            \"data.aws.requestParameters.hostedZoneId\",\n            \"data.aws.requestParameters.instanceId\",\n            \"data.aws.requestParameters.instanceProfileName\",\n            \"data.aws.requestParameters.loadBalancerName\",\n            \"data.aws.requestParameters.loadBalancerPorts\",\n            \"data.aws.requestParameters.masterUserPassword\",\n            \"data.aws.requestParameters.masterUsername\",\n            \"data.aws.requestParameters.name\",\n            \"data.aws.requestParameters.natGatewayId\",\n            \"data.aws.requestParameters.networkAclId\",\n            \"data.aws.requestParameters.path\",\n            \"data.aws.requestParameters.policyName\",\n            \"data.aws.requestParameters.port\",\n            \"data.aws.requestParameters.stackId\",\n            \"data.aws.requestParameters.stackName\",\n            \"data.aws.requestParameters.subnetId\",\n            \"data.aws.requestParameters.subnetIds\",\n            \"data.aws.requestParameters.volumeId\",\n            \"data.aws.requestParameters.vpcId\",\n            \"data.aws.resource.accessKeyDetails.accessKeyId\",\n            \"data.aws.resource.accessKeyDetails.principalId\",\n            \"data.aws.resource.accessKeyDetails.userName\",\n            \"data.aws.resource.instanceDetails.instanceId\",\n            \"data.aws.resource.instanceDetails.instanceState\",\n            \"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\n            \"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\n            \"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\n            \"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\n            \"data.aws.resource.instanceDetails.tags.value\",\n            \"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId\",\n            \"data.aws.responseElements.description\",\n            \"data.aws.responseElements.instanceId\",\n            \"data.aws.responseElements.instances.instanceId\",\n            \"data.aws.responseElements.instancesSet.items.instanceId\",\n            \"data.aws.responseElements.listeners.port\",\n            \"data.aws.responseElements.loadBalancerName\",\n            \"data.aws.responseElements.loadBalancers.vpcId\",\n            \"data.aws.responseElements.loginProfile.userName\",\n            \"data.aws.responseElements.networkAcl.vpcId\",\n            \"data.aws.responseElements.ownerId\",\n            \"data.aws.responseElements.publicIp\",\n            \"data.aws.responseElements.user.userId\",\n            \"data.aws.responseElements.user.userName\",\n            \"data.aws.responseElements.volumeId\",\n            \"data.aws.service.serviceName\",\n            \"data.aws.severity\",\n            \"data.aws.source\",\n            \"data.aws.sourceIPAddress\",\n            \"data.aws.srcport\",\n            \"data.aws.userIdentity.accessKeyId\",\n            \"data.aws.userIdentity.accountId\",\n            \"data.aws.userIdentity.userName\",\n            \"data.aws.vpcEndpointId\",\n            \"data.command\",\n            \"data.data\",\n            \"data.docker.Actor.Attributes.container\",\n            \"data.docker.Actor.Attributes.image\",\n            \"data.docker.Actor.Attributes.name\",\n            \"data.docker.Actor.ID\",\n            \"data.docker.id\",\n            \"data.docker.message\",\n            \"data.docker.status\",\n            \"data.dstip\",\n            \"data.dstport\",\n            \"data.dstuser\",\n            \"data.extra_data\",\n            \"data.hardware.serial\",\n            \"data.id\",\n            \"data.integration\",\n            \"data.netinfo.iface.adapter\",\n            \"data.netinfo.iface.ipv4.address\",\n            \"data.netinfo.iface.ipv6.address\",\n            \"data.netinfo.iface.mac\",\n            \"data.netinfo.iface.name\",\n            \"data.os.architecture\",\n            \"data.os.build\",\n            \"data.os.codename\",\n            \"data.os.hostname\",\n            \"data.os.major\",\n            \"data.os.minor\",\n            \"data.os.name\",\n            \"data.os.platform\",\n            \"data.os.release\",\n            \"data.os.release_version\",\n            \"data.os.sysname\",\n            \"data.os.version\",\n            \"data.oscap.check.description\",\n            \"data.oscap.check.id\",\n            \"data.oscap.check.identifiers\",\n            \"data.oscap.check.oval.id\",\n            \"data.oscap.check.rationale\",\n            \"data.oscap.check.references\",\n            \"data.oscap.check.result\",\n            \"data.oscap.check.severity\",\n            \"data.oscap.check.title\",\n            \"data.oscap.scan.benchmark.id\",\n            \"data.oscap.scan.content\",\n            \"data.oscap.scan.id\",\n            \"data.oscap.scan.profile.id\",\n            \"data.oscap.scan.profile.title\",\n            \"data.osquery.columns.address\",\n            \"data.osquery.columns.command\",\n            \"data.osquery.columns.description\",\n            \"data.osquery.columns.dst_ip\",\n            \"data.osquery.columns.gid\",\n            \"data.osquery.columns.hostname\",\n            \"data.osquery.columns.md5\",\n            \"data.osquery.columns.path\",\n            \"data.osquery.columns.sha1\",\n            \"data.osquery.columns.sha256\",\n            \"data.osquery.columns.src_ip\",\n            \"data.osquery.columns.user\",\n            \"data.osquery.columns.username\",\n            \"data.osquery.name\",\n            \"data.osquery.pack\",\n            \"data.port.process\",\n            \"data.port.protocol\",\n            \"data.port.state\",\n            \"data.process.args\",\n            \"data.process.cmd\",\n            \"data.process.egroup\",\n            \"data.process.euser\",\n            \"data.process.fgroup\",\n            \"data.process.name\",\n            \"data.process.rgroup\",\n            \"data.process.ruser\",\n            \"data.process.sgroup\",\n            \"data.process.state\",\n            \"data.process.suser\",\n            \"data.program.architecture\",\n            \"data.program.description\",\n            \"data.program.format\",\n            \"data.program.location\",\n            \"data.program.multiarch\",\n            \"data.program.name\",\n            \"data.program.priority\",\n            \"data.program.section\",\n            \"data.program.source\",\n            \"data.program.vendor\",\n            \"data.program.version\",\n            \"data.protocol\",\n            \"data.pwd\",\n            \"data.sca\",\n            \"data.sca.check.compliance.cis\",\n            \"data.sca.check.compliance.cis_csc\",\n            \"data.sca.check.compliance.pci_dss\",\n            \"data.sca.check.compliance.hipaa\",\n            \"data.sca.check.compliance.nist_800_53\",\n            \"data.sca.check.description\",\n            \"data.sca.check.directory\",\n            \"data.sca.check.file\",\n            \"data.sca.check.id\",\n            \"data.sca.check.previous_result\",\n            \"data.sca.check.process\",\n            \"data.sca.check.rationale\",\n            \"data.sca.check.reason\",\n            \"data.sca.check.references\",\n            \"data.sca.check.registry\",\n            \"data.sca.check.remediation\",\n            \"data.sca.check.result\",\n            \"data.sca.check.status\",\n            \"data.sca.check.title\",\n            \"data.sca.description\",\n            \"data.sca.file\",\n            \"data.sca.invalid\",\n            \"data.sca.name\",\n            \"data.sca.policy\",\n            \"data.sca.policy_id\",\n            \"data.sca.scan_id\",\n            \"data.sca.total_checks\",\n            \"data.script\",\n            \"data.src_ip\",\n            \"data.src_port\",\n            \"data.srcip\",\n            \"data.srcport\",\n            \"data.srcuser\",\n            \"data.status\",\n            \"data.system_name\",\n            \"data.title\",\n            \"data.tty\",\n            \"data.uid\",\n            \"data.url\",\n            \"data.virustotal.description\",\n            \"data.virustotal.error\",\n            \"data.virustotal.found\",\n            \"data.virustotal.permalink\",\n            \"data.virustotal.scan_date\",\n            \"data.virustotal.sha1\",\n            \"data.virustotal.source.alert_id\",\n            \"data.virustotal.source.file\",\n            \"data.virustotal.source.md5\",\n            \"data.virustotal.source.sha1\",\n            \"data.vulnerability.cve\",\n            \"data.vulnerability.cvss.cvss2.base_score\",\n            \"data.vulnerability.cvss.cvss2.exploitability_score\",\n            \"data.vulnerability.cvss.cvss2.impact_score\",\n            \"data.vulnerability.cvss.cvss2.vector.access_complexity\",\n            \"data.vulnerability.cvss.cvss2.vector.attack_vector\",\n            \"data.vulnerability.cvss.cvss2.vector.authentication\",\n            \"data.vulnerability.cvss.cvss2.vector.availability\",\n            \"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\n            \"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\n            \"data.vulnerability.cvss.cvss2.vector.privileges_required\",\n            \"data.vulnerability.cvss.cvss2.vector.scope\",\n            \"data.vulnerability.cvss.cvss2.vector.user_interaction\",\n            \"data.vulnerability.cvss.cvss3.base_score\",\n            \"data.vulnerability.cvss.cvss3.exploitability_score\",\n            \"data.vulnerability.cvss.cvss3.impact_score\",\n            \"data.vulnerability.cvss.cvss3.vector.access_complexity\",\n            \"data.vulnerability.cvss.cvss3.vector.attack_vector\",\n            \"data.vulnerability.cvss.cvss3.vector.authentication\",\n            \"data.vulnerability.cvss.cvss3.vector.availability\",\n            \"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\n            \"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\n            \"data.vulnerability.cvss.cvss3.vector.privileges_required\",\n            \"data.vulnerability.cvss.cvss3.vector.scope\",\n            \"data.vulnerability.cvss.cvss3.vector.user_interaction\",\n            \"data.vulnerability.cwe_reference\",\n            \"data.vulnerability.package.source\",\n            \"data.vulnerability.package.architecture\",\n            \"data.vulnerability.package.condition\",\n            \"data.vulnerability.package.generated_cpe\",\n            \"data.vulnerability.package.name\",\n            \"data.vulnerability.package.version\",\n            \"data.vulnerability.rationale\",\n            \"data.vulnerability.severity\",\n            \"data.vulnerability.title\",\n            \"data.vulnerability.assigner\",\n            \"data.vulnerability.cve_version\",\n            \"data.win.eventdata.auditPolicyChanges\",\n            \"data.win.eventdata.auditPolicyChangesId\",\n            \"data.win.eventdata.binary\",\n            \"data.win.eventdata.category\",\n            \"data.win.eventdata.categoryId\",\n            \"data.win.eventdata.data\",\n            \"data.win.eventdata.image\",\n            \"data.win.eventdata.ipAddress\",\n            \"data.win.eventdata.ipPort\",\n            \"data.win.eventdata.keyName\",\n            \"data.win.eventdata.logonGuid\",\n            \"data.win.eventdata.logonProcessName\",\n            \"data.win.eventdata.operation\",\n            \"data.win.eventdata.parentImage\",\n            \"data.win.eventdata.processId\",\n            \"data.win.eventdata.processName\",\n            \"data.win.eventdata.providerName\",\n            \"data.win.eventdata.returnCode\",\n            \"data.win.eventdata.service\",\n            \"data.win.eventdata.status\",\n            \"data.win.eventdata.subcategory\",\n            \"data.win.eventdata.subcategoryGuid\",\n            \"data.win.eventdata.subcategoryId\",\n            \"data.win.eventdata.subjectDomainName\",\n            \"data.win.eventdata.subjectLogonId\",\n            \"data.win.eventdata.subjectUserName\",\n            \"data.win.eventdata.subjectUserSid\",\n            \"data.win.eventdata.targetDomainName\",\n            \"data.win.eventdata.targetLinkedLogonId\",\n            \"data.win.eventdata.targetLogonId\",\n            \"data.win.eventdata.targetUserName\",\n            \"data.win.eventdata.targetUserSid\",\n            \"data.win.eventdata.workstationName\",\n            \"data.win.system.channel\",\n            \"data.win.system.computer\",\n            \"data.win.system.eventID\",\n            \"data.win.system.eventRecordID\",\n            \"data.win.system.eventSourceName\",\n            \"data.win.system.keywords\",\n            \"data.win.system.level\",\n            \"data.win.system.message\",\n            \"data.win.system.opcode\",\n            \"data.win.system.processID\",\n            \"data.win.system.providerGuid\",\n            \"data.win.system.providerName\",\n            \"data.win.system.securityUserID\",\n            \"data.win.system.severityValue\",\n            \"data.win.system.userID\",\n            \"decoder.ftscomment\",\n            \"decoder.name\",\n            \"decoder.parent\",\n            \"full_log\",\n            \"host\",\n            \"id\",\n            \"input\",\n            \"location\",\n            \"manager.name\",\n            \"message\",\n            \"offset\",\n            \"predecoder.hostname\",\n            \"predecoder.program_name\",\n            \"previous_log\",\n            \"previous_output\",\n            \"program_name\",\n            \"rule.cis\",\n            \"rule.cve\",\n            \"rule.description\",\n            \"rule.gdpr\",\n            \"rule.gpg13\",\n            \"rule.groups\",\n            \"rule.id\",\n            \"rule.info\",\n            \"rule.mitre.id\",\n            \"rule.mitre.tactic\",\n            \"rule.mitre.technique\",\n            \"rule.pci_dss\",\n            \"rule.hipaa\",\n            \"rule.nist_800_53\",\n            \"syscheck.audit.effective_user.id\",\n            \"syscheck.audit.effective_user.name\",\n            \"syscheck.audit.group.id\",\n            \"syscheck.audit.group.name\",\n            \"syscheck.audit.login_user.id\",\n            \"syscheck.audit.login_user.name\",\n            \"syscheck.audit.process.id\",\n            \"syscheck.audit.process.name\",\n            \"syscheck.audit.process.ppid\",\n            \"syscheck.audit.user.id\",\n            \"syscheck.audit.user.name\",\n            \"syscheck.diff\",\n            \"syscheck.event\",\n            \"syscheck.gid_after\",\n            \"syscheck.gid_before\",\n            \"syscheck.gname_after\",\n            \"syscheck.gname_before\",\n            \"syscheck.inode_after\",\n            \"syscheck.inode_before\",\n            \"syscheck.md5_after\",\n            \"syscheck.md5_before\",\n            \"syscheck.path\",\n            \"syscheck.mode\",\n            \"syscheck.perm_after\",\n            \"syscheck.perm_before\",\n            \"syscheck.sha1_after\",\n            \"syscheck.sha1_before\",\n            \"syscheck.sha256_after\",\n            \"syscheck.sha256_before\",\n            \"syscheck.tags\",\n            \"syscheck.uid_after\",\n            \"syscheck.uid_before\",\n            \"syscheck.uname_after\",\n            \"syscheck.uname_before\",\n            \"title\",\n            \"type\"\n          ]\n        },\n        \"number_of_replicas\": \"0\"\n      }\n    },\n    \"mappings\": {\n      \"dynamic_templates\": [\n        {\n          \"string_as_keyword\": {\n            \"match_mapping_type\": \"string\",\n            \"mapping\": {\n              \"type\": \"keyword\"\n            }\n          }\n        }\n      ],\n      \"date_detection\": false,\n      \"properties\": {\n        \"@timestamp\": {\n          \"type\": \"date\"\n        },\n        \"@version\": {\n          \"type\": \"text\"\n        },\n        \"GeoLocation\": {\n          \"properties\": {\n            \"area_code\": {\n              \"type\": \"long\"\n            },\n            \"city_name\": {\n              \"type\": \"keyword\"\n            },\n            \"continent_code\": {\n              \"type\": \"text\"\n            },\n            \"coordinates\": {\n              \"type\": \"double\"\n            },\n            \"country_code2\": {\n              \"type\": \"text\"\n            },\n            \"country_code3\": {\n              \"type\": \"text\"\n            },\n            \"country_name\": {\n              \"type\": \"keyword\"\n            },\n            \"dma_code\": {\n              \"type\": \"long\"\n            },\n            \"ip\": {\n              \"type\": \"keyword\"\n            },\n            \"latitude\": {\n              \"type\": \"double\"\n            },\n            \"location\": {\n              \"type\": \"geo_point\"\n            },\n            \"longitude\": {\n              \"type\": \"double\"\n            },\n            \"postal_code\": {\n              \"type\": \"keyword\"\n            },\n            \"real_region_name\": {\n              \"type\": \"keyword\"\n            },\n            \"region_name\": {\n              \"type\": \"keyword\"\n            },\n            \"timezone\": {\n              \"type\": \"text\"\n            }\n          }\n        },\n        \"agent\": {\n          \"properties\": {\n            \"id\": {\n              \"type\": \"keyword\"\n            },\n            \"ip\": {\n              \"type\": \"keyword\"\n            },\n            \"name\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"cluster\": {\n          \"properties\": {\n            \"name\": {\n              \"type\": \"keyword\"\n            },\n            \"node\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"command\": {\n          \"type\": \"keyword\"\n        },\n        \"data\": {\n          \"properties\": {\n            \"action\": {\n              \"type\": \"keyword\"\n            },\n            \"audit\": {\n              \"properties\": {\n                \"acct\": {\n                  \"type\": \"keyword\"\n                },\n                \"arch\": {\n                  \"type\": \"keyword\"\n                },\n                \"auid\": {\n                  \"type\": \"keyword\"\n                },\n                \"command\": {\n                  \"type\": \"keyword\"\n                },\n                \"cwd\": {\n                  \"type\": \"keyword\"\n                },\n                \"dev\": {\n                  \"type\": \"keyword\"\n                },\n                \"directory\": {\n                  \"properties\": {\n                    \"inode\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"mode\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"egid\": {\n                  \"type\": \"keyword\"\n                },\n                \"enforcing\": {\n                  \"type\": \"keyword\"\n                },\n                \"euid\": {\n                  \"type\": \"keyword\"\n                },\n                \"exe\": {\n                  \"type\": \"keyword\"\n                },\n                \"execve\": {\n                  \"properties\": {\n                    \"a0\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"a1\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"a2\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"a3\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"exit\": {\n                  \"type\": \"keyword\"\n                },\n                \"file\": {\n                  \"properties\": {\n                    \"inode\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"mode\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"fsgid\": {\n                  \"type\": \"keyword\"\n                },\n                \"fsuid\": {\n                  \"type\": \"keyword\"\n                },\n                \"gid\": {\n                  \"type\": \"keyword\"\n                },\n                \"id\": {\n                  \"type\": \"keyword\"\n                },\n                \"key\": {\n                  \"type\": \"keyword\"\n                },\n                \"list\": {\n                  \"type\": \"keyword\"\n                },\n                \"old-auid\": {\n                  \"type\": \"keyword\"\n                },\n                \"old-ses\": {\n                  \"type\": \"keyword\"\n                },\n                \"old_enforcing\": {\n                  \"type\": \"keyword\"\n                },\n                \"old_prom\": {\n                  \"type\": \"keyword\"\n                },\n                \"op\": {\n                  \"type\": \"keyword\"\n                },\n                \"pid\": {\n                  \"type\": \"keyword\"\n                },\n                \"ppid\": {\n                  \"type\": \"keyword\"\n                },\n                \"prom\": {\n                  \"type\": \"keyword\"\n                },\n                \"res\": {\n                  \"type\": \"keyword\"\n                },\n                \"session\": {\n                  \"type\": \"keyword\"\n                },\n                \"sgid\": {\n                  \"type\": \"keyword\"\n                },\n                \"srcip\": {\n                  \"type\": \"keyword\"\n                },\n                \"subj\": {\n                  \"type\": \"keyword\"\n                },\n                \"success\": {\n                  \"type\": \"keyword\"\n                },\n                \"suid\": {\n                  \"type\": \"keyword\"\n                },\n                \"syscall\": {\n                  \"type\": \"keyword\"\n                },\n                \"tty\": {\n                  \"type\": \"keyword\"\n                },\n                \"type\": {\n                  \"type\": \"keyword\"\n                },\n                \"uid\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"aws\": {\n              \"properties\": {\n                \"accountId\": {\n                  \"type\": \"keyword\"\n                },\n                \"bytes\": {\n                  \"type\": \"long\"\n                },\n                \"createdAt\": {\n                  \"type\": \"date\"\n                },\n                \"dstaddr\": {\n                  \"type\": \"ip\"\n                },\n                \"end\": {\n                  \"type\": \"date\"\n                },\n                \"log_info\": {\n                  \"properties\": {\n                    \"s3bucket\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"region\": {\n                  \"type\": \"keyword\"\n                },\n                \"resource\": {\n                  \"properties\": {\n                    \"instanceDetails\": {\n                      \"properties\": {\n                        \"launchTime\": {\n                          \"type\": \"date\"\n                        },\n                        \"networkInterfaces\": {\n                          \"properties\": {\n                            \"privateIpAddress\": {\n                              \"type\": \"ip\"\n                            },\n                            \"publicIp\": {\n                              \"type\": \"ip\"\n                            }\n                          }\n                        }\n                      }\n                    }\n                  }\n                },\n                \"service\": {\n                  \"properties\": {\n                    \"action\": {\n                      \"properties\": {\n                        \"networkConnectionAction\": {\n                          \"properties\": {\n                            \"remoteIpDetails\": {\n                              \"properties\": {\n                                \"geoLocation\": {\n                                  \"type\": \"geo_point\"\n                                },\n                                \"ipAddressV4\": {\n                                  \"type\": \"ip\"\n                                }\n                              }\n                            }\n                          }\n                        }\n                      }\n                    },\n                    \"count\": {\n                      \"type\": \"long\"\n                    },\n                    \"eventFirstSeen\": {\n                      \"type\": \"date\"\n                    },\n                    \"eventLastSeen\": {\n                      \"type\": \"date\"\n                    }\n                  }\n                },\n                \"source\": {\n                  \"type\": \"keyword\"\n                },\n                \"source_ip_address\": {\n                  \"type\": \"ip\"\n                },\n                \"srcaddr\": {\n                  \"type\": \"ip\"\n                },\n                \"start\": {\n                  \"type\": \"date\"\n                },\n                \"updatedAt\": {\n                  \"type\": \"date\"\n                }\n              }\n            },\n            \"cis\": {\n              \"properties\": {\n                \"benchmark\": {\n                  \"type\": \"keyword\"\n                },\n                \"error\": {\n                  \"type\": \"long\"\n                },\n                \"fail\": {\n                  \"type\": \"long\"\n                },\n                \"group\": {\n                  \"type\": \"keyword\"\n                },\n                \"notchecked\": {\n                  \"type\": \"long\"\n                },\n                \"pass\": {\n                  \"type\": \"long\"\n                },\n                \"result\": {\n                  \"type\": \"keyword\"\n                },\n                \"rule_title\": {\n                  \"type\": \"keyword\"\n                },\n                \"score\": {\n                  \"type\": \"long\"\n                },\n                \"timestamp\": {\n                  \"type\": \"keyword\"\n                },\n                \"unknown\": {\n                  \"type\": \"long\"\n                }\n              }\n            },\n            \"command\": {\n              \"type\": \"keyword\"\n            },\n            \"data\": {\n              \"type\": \"keyword\"\n            },\n            \"docker\": {\n              \"properties\": {\n                \"Action\": {\n                  \"type\": \"keyword\"\n                },\n                \"Actor\": {\n                  \"properties\": {\n                    \"Attributes\": {\n                      \"properties\": {\n                        \"image\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"name\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    }\n                  }\n                },\n                \"Type\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"dstip\": {\n              \"type\": \"keyword\"\n            },\n            \"dstport\": {\n              \"type\": \"keyword\"\n            },\n            \"dstuser\": {\n              \"type\": \"keyword\"\n            },\n            \"extra_data\": {\n              \"type\": \"keyword\"\n            },\n            \"gcp\": {\n              \"properties\": {\n                \"jsonPayload\": {\n                  \"properties\": {\n                    \"authAnswer\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"queryName\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"responseCode\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"vmInstanceId\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"vmInstanceName\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"resource\": {\n                  \"properties\": {\n                    \"labels\": {\n                      \"properties\": {\n                        \"location\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"project_id\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"source_type\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"type\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"severity\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"github\": {\n              \"properties\": {\n                \"action\": {\n                  \"type\": \"keyword\"\n                },\n                \"actor\": {\n                  \"type\": \"keyword\"\n                },\n                \"actor_location\": {\n                  \"properties\": {\n                    \"country_code\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"org\": {\n                  \"type\": \"keyword\"\n                },\n                \"repo\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"hardware\": {\n              \"properties\": {\n                \"cpu_cores\": {\n                  \"type\": \"long\"\n                },\n                \"cpu_mhz\": {\n                  \"type\": \"double\"\n                },\n                \"cpu_name\": {\n                  \"type\": \"keyword\"\n                },\n                \"ram_free\": {\n                  \"type\": \"long\"\n                },\n                \"ram_total\": {\n                  \"type\": \"long\"\n                },\n                \"ram_usage\": {\n                  \"type\": \"long\"\n                },\n                \"serial\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"id\": {\n              \"type\": \"keyword\"\n            },\n            \"integration\": {\n              \"type\": \"keyword\"\n            },\n            \"netinfo\": {\n              \"properties\": {\n                \"iface\": {\n                  \"properties\": {\n                    \"adapter\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"ipv4\": {\n                      \"properties\": {\n                        \"address\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"broadcast\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"dhcp\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"gateway\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"metric\": {\n                          \"type\": \"long\"\n                        },\n                        \"netmask\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"ipv6\": {\n                      \"properties\": {\n                        \"address\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"broadcast\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"dhcp\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"gateway\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"metric\": {\n                          \"type\": \"long\"\n                        },\n                        \"netmask\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"mac\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"mtu\": {\n                      \"type\": \"long\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"rx_bytes\": {\n                      \"type\": \"long\"\n                    },\n                    \"rx_dropped\": {\n                      \"type\": \"long\"\n                    },\n                    \"rx_errors\": {\n                      \"type\": \"long\"\n                    },\n                    \"rx_packets\": {\n                      \"type\": \"long\"\n                    },\n                    \"state\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"tx_bytes\": {\n                      \"type\": \"long\"\n                    },\n                    \"tx_dropped\": {\n                      \"type\": \"long\"\n                    },\n                    \"tx_errors\": {\n                      \"type\": \"long\"\n                    },\n                    \"tx_packets\": {\n                      \"type\": \"long\"\n                    },\n                    \"type\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                }\n              }\n            },\n            \"office365\": {\n              \"properties\": {\n                \"Actor\": {\n                  \"properties\": {\n                    \"ID\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"ClientIP\": {\n                  \"type\": \"keyword\"\n                },\n                \"Operation\": {\n                  \"type\": \"keyword\"\n                },\n                \"ResultStatus\": {\n                  \"type\": \"keyword\"\n                },\n                \"Subscription\": {\n                  \"type\": \"keyword\"\n                },\n                \"UserId\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"os\": {\n              \"properties\": {\n                \"architecture\": {\n                  \"type\": \"keyword\"\n                },\n                \"build\": {\n                  \"type\": \"keyword\"\n                },\n                \"codename\": {\n                  \"type\": \"keyword\"\n                },\n                \"display_version\": {\n                  \"type\": \"keyword\"\n                },\n                \"hostname\": {\n                  \"type\": \"keyword\"\n                },\n                \"major\": {\n                  \"type\": \"keyword\"\n                },\n                \"minor\": {\n                  \"type\": \"keyword\"\n                },\n                \"name\": {\n                  \"type\": \"keyword\"\n                },\n                \"patch\": {\n                  \"type\": \"keyword\"\n                },\n                \"platform\": {\n                  \"type\": \"keyword\"\n                },\n                \"release\": {\n                  \"type\": \"keyword\"\n                },\n                \"release_version\": {\n                  \"type\": \"keyword\"\n                },\n                \"sysname\": {\n                  \"type\": \"keyword\"\n                },\n                \"version\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"oscap\": {\n              \"properties\": {\n                \"check\": {\n                  \"properties\": {\n                    \"description\": {\n                      \"type\": \"text\"\n                    },\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"identifiers\": {\n                      \"type\": \"text\"\n                    },\n                    \"oval\": {\n                      \"properties\": {\n                        \"id\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"rationale\": {\n                      \"type\": \"text\"\n                    },\n                    \"references\": {\n                      \"type\": \"text\"\n                    },\n                    \"result\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"severity\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"title\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"scan\": {\n                  \"properties\": {\n                    \"benchmark\": {\n                      \"properties\": {\n                        \"id\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"content\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"profile\": {\n                      \"properties\": {\n                        \"id\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"title\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"return_code\": {\n                      \"type\": \"long\"\n                    },\n                    \"score\": {\n                      \"type\": \"double\"\n                    }\n                  }\n                }\n              }\n            },\n            \"osquery\": {\n              \"properties\": {\n                \"action\": {\n                  \"type\": \"keyword\"\n                },\n                \"calendarTime\": {\n                  \"type\": \"keyword\"\n                },\n                \"name\": {\n                  \"type\": \"keyword\"\n                },\n                \"pack\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"port\": {\n              \"properties\": {\n                \"inode\": {\n                  \"type\": \"long\"\n                },\n                \"local_ip\": {\n                  \"type\": \"ip\"\n                },\n                \"local_port\": {\n                  \"type\": \"long\"\n                },\n                \"pid\": {\n                  \"type\": \"long\"\n                },\n                \"process\": {\n                  \"type\": \"keyword\"\n                },\n                \"protocol\": {\n                  \"type\": \"keyword\"\n                },\n                \"remote_ip\": {\n                  \"type\": \"ip\"\n                },\n                \"remote_port\": {\n                  \"type\": \"long\"\n                },\n                \"rx_queue\": {\n                  \"type\": \"long\"\n                },\n                \"state\": {\n                  \"type\": \"keyword\"\n                },\n                \"tx_queue\": {\n                  \"type\": \"long\"\n                }\n              }\n            },\n            \"process\": {\n              \"properties\": {\n                \"args\": {\n                  \"type\": \"keyword\"\n                },\n                \"cmd\": {\n                  \"type\": \"keyword\"\n                },\n                \"egroup\": {\n                  \"type\": \"keyword\"\n                },\n                \"euser\": {\n                  \"type\": \"keyword\"\n                },\n                \"fgroup\": {\n                  \"type\": \"keyword\"\n                },\n                \"name\": {\n                  \"type\": \"keyword\"\n                },\n                \"nice\": {\n                  \"type\": \"long\"\n                },\n                \"nlwp\": {\n                  \"type\": \"long\"\n                },\n                \"pgrp\": {\n                  \"type\": \"long\"\n                },\n                \"pid\": {\n                  \"type\": \"long\"\n                },\n                \"ppid\": {\n                  \"type\": \"long\"\n                },\n                \"priority\": {\n                  \"type\": \"long\"\n                },\n                \"processor\": {\n                  \"type\": \"long\"\n                },\n                \"resident\": {\n                  \"type\": \"long\"\n                },\n                \"rgroup\": {\n                  \"type\": \"keyword\"\n                },\n                \"ruser\": {\n                  \"type\": \"keyword\"\n                },\n                \"session\": {\n                  \"type\": \"long\"\n                },\n                \"sgroup\": {\n                  \"type\": \"keyword\"\n                },\n                \"share\": {\n                  \"type\": \"long\"\n                },\n                \"size\": {\n                  \"type\": \"long\"\n                },\n                \"start_time\": {\n                  \"type\": \"long\"\n                },\n                \"state\": {\n                  \"type\": \"keyword\"\n                },\n                \"stime\": {\n                  \"type\": \"long\"\n                },\n                \"suser\": {\n                  \"type\": \"keyword\"\n                },\n                \"tgid\": {\n                  \"type\": \"long\"\n                },\n                \"tty\": {\n                  \"type\": \"long\"\n                },\n                \"utime\": {\n                  \"type\": \"long\"\n                },\n                \"vm_size\": {\n                  \"type\": \"long\"\n                }\n              }\n            },\n            \"program\": {\n              \"properties\": {\n                \"architecture\": {\n                  \"type\": \"keyword\"\n                },\n                \"description\": {\n                  \"type\": \"keyword\"\n                },\n                \"format\": {\n                  \"type\": \"keyword\"\n                },\n                \"install_time\": {\n                  \"type\": \"keyword\"\n                },\n                \"location\": {\n                  \"type\": \"keyword\"\n                },\n                \"multiarch\": {\n                  \"type\": \"keyword\"\n                },\n                \"name\": {\n                  \"type\": \"keyword\"\n                },\n                \"priority\": {\n                  \"type\": \"keyword\"\n                },\n                \"section\": {\n                  \"type\": \"keyword\"\n                },\n                \"size\": {\n                  \"type\": \"long\"\n                },\n                \"source\": {\n                  \"type\": \"keyword\"\n                },\n                \"vendor\": {\n                  \"type\": \"keyword\"\n                },\n                \"version\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"protocol\": {\n              \"type\": \"keyword\"\n            },\n            \"sca\": {\n              \"properties\": {\n                \"check\": {\n                  \"properties\": {\n                    \"compliance\": {\n                      \"properties\": {\n                        \"cis\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"cis_csc\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"hipaa\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"nist_800_53\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"pci_dss\": {\n                          \"type\": \"keyword\"\n                        }\n                      }\n                    },\n                    \"description\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"directory\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"file\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"previous_result\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"process\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"rationale\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"reason\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"references\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"registry\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"remediation\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"result\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"title\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"description\": {\n                  \"type\": \"keyword\"\n                },\n                \"failed\": {\n                  \"type\": \"integer\"\n                },\n                \"file\": {\n                  \"type\": \"keyword\"\n                },\n                \"invalid\": {\n                  \"type\": \"keyword\"\n                },\n                \"name\": {\n                  \"type\": \"keyword\"\n                },\n                \"passed\": {\n                  \"type\": \"integer\"\n                },\n                \"policy\": {\n                  \"type\": \"keyword\"\n                },\n                \"policy_id\": {\n                  \"type\": \"keyword\"\n                },\n                \"scan_id\": {\n                  \"type\": \"keyword\"\n                },\n                \"score\": {\n                  \"type\": \"long\"\n                },\n                \"total_checks\": {\n                  \"type\": \"keyword\"\n                },\n                \"type\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"srcip\": {\n              \"type\": \"keyword\"\n            },\n            \"srcport\": {\n              \"type\": \"keyword\"\n            },\n            \"srcuser\": {\n              \"type\": \"keyword\"\n            },\n            \"status\": {\n              \"type\": \"keyword\"\n            },\n            \"system_name\": {\n              \"type\": \"keyword\"\n            },\n            \"timestamp\": {\n              \"type\": \"date\"\n            },\n            \"title\": {\n              \"type\": \"keyword\"\n            },\n            \"type\": {\n              \"type\": \"keyword\"\n            },\n            \"uid\": {\n              \"type\": \"keyword\"\n            },\n            \"url\": {\n              \"type\": \"keyword\"\n            },\n            \"virustotal\": {\n              \"properties\": {\n                \"description\": {\n                  \"type\": \"keyword\"\n                },\n                \"error\": {\n                  \"type\": \"keyword\"\n                },\n                \"found\": {\n                  \"type\": \"keyword\"\n                },\n                \"malicious\": {\n                  \"type\": \"keyword\"\n                },\n                \"permalink\": {\n                  \"type\": \"keyword\"\n                },\n                \"positives\": {\n                  \"type\": \"keyword\"\n                },\n                \"scan_date\": {\n                  \"type\": \"keyword\"\n                },\n                \"sha1\": {\n                  \"type\": \"keyword\"\n                },\n                \"source\": {\n                  \"properties\": {\n                    \"alert_id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"file\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"md5\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"sha1\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"total\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"vulnerability\": {\n              \"properties\": {\n                \"assigner\": {\n                  \"type\": \"keyword\"\n                },\n                \"cve\": {\n                  \"type\": \"keyword\"\n                },\n                \"cve_version\": {\n                  \"type\": \"keyword\"\n                },\n                \"cvss\": {\n                  \"properties\": {\n                    \"cvss2\": {\n                      \"properties\": {\n                        \"base_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"exploitability_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"impact_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"vector\": {\n                          \"properties\": {\n                            \"access_complexity\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"attack_vector\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"authentication\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"availability\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"confidentiality_impact\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"integrity_impact\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"privileges_required\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"scope\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"user_interaction\": {\n                              \"type\": \"keyword\"\n                            }\n                          }\n                        }\n                      }\n                    },\n                    \"cvss3\": {\n                      \"properties\": {\n                        \"base_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"exploitability_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"impact_score\": {\n                          \"type\": \"keyword\"\n                        },\n                        \"vector\": {\n                          \"properties\": {\n                            \"access_complexity\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"attack_vector\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"authentication\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"availability\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"confidentiality_impact\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"integrity_impact\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"privileges_required\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"scope\": {\n                              \"type\": \"keyword\"\n                            },\n                            \"user_interaction\": {\n                              \"type\": \"keyword\"\n                            }\n                          }\n                        }\n                      }\n                    }\n                  }\n                },\n                \"cwe_reference\": {\n                  \"type\": \"keyword\"\n                },\n                \"package\": {\n                  \"properties\": {\n                    \"architecture\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"condition\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"generated_cpe\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"source\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"version\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"published\": {\n                  \"type\": \"date\"\n                },\n                \"rationale\": {\n                  \"type\": \"keyword\"\n                },\n                \"severity\": {\n                  \"type\": \"keyword\"\n                },\n                \"title\": {\n                  \"type\": \"keyword\"\n                },\n                \"updated\": {\n                  \"type\": \"date\"\n                }\n              }\n            }\n          }\n        },\n        \"decoder\": {\n          \"properties\": {\n            \"accumulate\": {\n              \"type\": \"long\"\n            },\n            \"fts\": {\n              \"type\": \"long\"\n            },\n            \"ftscomment\": {\n              \"type\": \"keyword\"\n            },\n            \"name\": {\n              \"type\": \"keyword\"\n            },\n            \"parent\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"full_log\": {\n          \"type\": \"text\"\n        },\n        \"host\": {\n          \"type\": \"keyword\"\n        },\n        \"id\": {\n          \"type\": \"keyword\"\n        },\n        \"input\": {\n          \"properties\": {\n            \"type\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"location\": {\n          \"type\": \"keyword\"\n        },\n        \"manager\": {\n          \"properties\": {\n            \"name\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"message\": {\n          \"type\": \"text\"\n        },\n        \"offset\": {\n          \"type\": \"keyword\"\n        },\n        \"predecoder\": {\n          \"properties\": {\n            \"hostname\": {\n              \"type\": \"keyword\"\n            },\n            \"program_name\": {\n              \"type\": \"keyword\"\n            },\n            \"timestamp\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"previous_log\": {\n          \"type\": \"text\"\n        },\n        \"previous_output\": {\n          \"type\": \"keyword\"\n        },\n        \"program_name\": {\n          \"type\": \"keyword\"\n        },\n        \"rule\": {\n          \"properties\": {\n            \"cis\": {\n              \"type\": \"keyword\"\n            },\n            \"cve\": {\n              \"type\": \"keyword\"\n            },\n            \"description\": {\n              \"type\": \"keyword\"\n            },\n            \"firedtimes\": {\n              \"type\": \"long\"\n            },\n            \"frequency\": {\n              \"type\": \"long\"\n            },\n            \"gdpr\": {\n              \"type\": \"keyword\"\n            },\n            \"gpg13\": {\n              \"type\": \"keyword\"\n            },\n            \"groups\": {\n              \"type\": \"keyword\"\n            },\n            \"hipaa\": {\n              \"type\": \"keyword\"\n            },\n            \"id\": {\n              \"type\": \"keyword\"\n            },\n            \"info\": {\n              \"type\": \"keyword\"\n            },\n            \"level\": {\n              \"type\": \"long\"\n            },\n            \"mail\": {\n              \"type\": \"boolean\"\n            },\n            \"mitre\": {\n              \"properties\": {\n                \"id\": {\n                  \"type\": \"keyword\"\n                },\n                \"tactic\": {\n                  \"type\": \"keyword\"\n                },\n                \"technique\": {\n                  \"type\": \"keyword\"\n                }\n              }\n            },\n            \"nist_800_53\": {\n              \"type\": \"keyword\"\n            },\n            \"pci_dss\": {\n              \"type\": \"keyword\"\n            },\n            \"tsc\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"syscheck\": {\n          \"properties\": {\n            \"audit\": {\n              \"properties\": {\n                \"effective_user\": {\n                  \"properties\": {\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"group\": {\n                  \"properties\": {\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"login_user\": {\n                  \"properties\": {\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"process\": {\n                  \"properties\": {\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"ppid\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                },\n                \"user\": {\n                  \"properties\": {\n                    \"id\": {\n                      \"type\": \"keyword\"\n                    },\n                    \"name\": {\n                      \"type\": \"keyword\"\n                    }\n                  }\n                }\n              }\n            },\n            \"diff\": {\n              \"type\": \"keyword\"\n            },\n            \"event\": {\n              \"type\": \"keyword\"\n            },\n            \"gid_after\": {\n              \"type\": \"keyword\"\n            },\n            \"gid_before\": {\n              \"type\": \"keyword\"\n            },\n            \"gname_after\": {\n              \"type\": \"keyword\"\n            },\n            \"gname_before\": {\n              \"type\": \"keyword\"\n            },\n            \"hard_links\": {\n              \"type\": \"keyword\"\n            },\n            \"inode_after\": {\n              \"type\": \"keyword\"\n            },\n            \"inode_before\": {\n              \"type\": \"keyword\"\n            },\n            \"md5_after\": {\n              \"type\": \"keyword\"\n            },\n            \"md5_before\": {\n              \"type\": \"keyword\"\n            },\n            \"mode\": {\n              \"type\": \"keyword\"\n            },\n            \"mtime_after\": {\n              \"type\": \"date\",\n              \"format\": \"date_optional_time\"\n            },\n            \"mtime_before\": {\n              \"type\": \"date\",\n              \"format\": \"date_optional_time\"\n            },\n            \"path\": {\n              \"type\": \"keyword\"\n            },\n            \"perm_after\": {\n              \"type\": \"keyword\"\n            },\n            \"perm_before\": {\n              \"type\": \"keyword\"\n            },\n            \"sha1_after\": {\n              \"type\": \"keyword\"\n            },\n            \"sha1_before\": {\n              \"type\": \"keyword\"\n            },\n            \"sha256_after\": {\n              \"type\": \"keyword\"\n            },\n            \"sha256_before\": {\n              \"type\": \"keyword\"\n            },\n            \"size_after\": {\n              \"type\": \"long\"\n            },\n            \"size_before\": {\n              \"type\": \"long\"\n            },\n            \"tags\": {\n              \"type\": \"keyword\"\n            },\n            \"uid_after\": {\n              \"type\": \"keyword\"\n            },\n            \"uid_before\": {\n              \"type\": \"keyword\"\n            },\n            \"uname_after\": {\n              \"type\": \"keyword\"\n            },\n            \"uname_before\": {\n              \"type\": \"keyword\"\n            }\n          }\n        },\n        \"timestamp\": {\n          \"type\": \"date\",\n          \"format\": \"date_optional_time||epoch_millis\"\n        },\n        \"title\": {\n          \"type\": \"keyword\"\n        },\n        \"type\": {\n          \"type\": \"text\"\n        }\n      }\n    },\n    \"aliases\": {}\n  },\n  \"version\": 1\n}\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-logstash-to-read-wazuh-data-and-sent-to-elasticsearch\">Configure Logstash to Read Wazuh Data and Sent to Elasticsearch<\/h4>\n\n\n\n<p>Next, you need to configure Logstash to read Wazuh event data. Alert data or information about security alerts that Wazuh has detected\/generated is stored in JSON-formatted file, <strong>\/var\/ossec\/logs\/alerts\/alerts.json<\/strong>. You need to therefore configure Logstash to read this Wazuh alert data using the <strong>input<\/strong> plugin and forward them to Elasticsearch for indexing using the <strong>output<\/strong> plugin.<\/p>\n\n\n\n<p>Therefore, create a Logstash configuration as follows.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/logstash\/conf.d\/wazuh.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>input {\n  file {\n    id => \"wazuh_alerts\"\n    codec => \"json\"\n    start_position => \"beginning\"\n    stat_interval => \"1 second\"\n    path => \"\/var\/ossec\/logs\/alerts\/alerts.json\"\n    mode => \"tail\"\n    ecs_compatibility => \"disabled\"\n  }\n}\n\noutput {\n    elasticsearch {\n         hosts => \"https:\/\/wazuh-elk:9200\"\n         index  => \"wazuh-alerts-4.x-%{+YYYY.MM.dd}\"\n         user => 'elastic'\n         password => 'iXxATQ+do7fYRDKw1XBR'\n         ssl => true\n         cacert => \"\/etc\/logstash\/elastic.ca.pem\"\n         template => \"\/etc\/logstash\/wazuh.json\"\n         template_name => \"wazuh\"\n         template_overwrite => true\n    }\n}\n<\/code><\/pre>\n\n\n\n<p>Where on the INPUT section;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>file<\/strong>: Specifies that Logstash should read data from a file. You need to add <strong>logstash<\/strong> user to <strong>wazuh<\/strong> group to be able to read this file.<\/li>\n\n\n\n<li><strong>id<\/strong>: Unique identifier for this input.<\/li>\n\n\n\n<li><strong>codec<\/strong>: Specifies the codec used for decoding the content of the file. In this case, it&#8217;s set to &#8220;json,&#8221; indicating that the content of the file is in JSON format.<\/li>\n\n\n\n<li><strong>start_position<\/strong>: Sets the position from where Logstash should start reading the file. In this case, it starts from the beginning of the file.<\/li>\n\n\n\n<li><strong>stat_interval<\/strong>: Defines the interval at which Logstash should check the file for updates (every 1 second in this example).<\/li>\n\n\n\n<li><strong>path<\/strong>: Specifies the path to the file Logstash should read.<\/li>\n\n\n\n<li><strong>mode<\/strong>: Sets the file reading mode to &#8220;tail,&#8221; meaning Logstash will read new lines that are appended to the file.<\/li>\n\n\n\n<li><strong>ecs_compatibility<\/strong>: Disables the Elastic Common Schema (ECS) compatibility for the input.<\/li>\n<\/ul>\n\n\n\n<p>On the OUTPUT section;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>elasticsearch:<\/strong> Specifies that Logstash should send the processed data to an Elasticsearch cluster.<\/li>\n\n\n\n<li><strong>hosts:<\/strong> Specifies the Elasticsearch cluster&#8217;s address (in this case, &#8220;<a href=\"https:\/\/wazuh-elk:9200\/\" target=\"_blank\">https:\/\/wazuh-elk:9200<\/a>&#8220;).<\/li>\n\n\n\n<li><strong>index:<\/strong> Defines the index name pattern in Elasticsearch, including a date pattern (<code>%{+YYYY.MM.dd}<\/code>) for daily indices.<\/li>\n\n\n\n<li><strong>user and password:<\/strong> Provide Elasticsearch authentication credentials.<\/li>\n\n\n\n<li><strong>ssl:<\/strong> Enables SSL communication.<\/li>\n\n\n\n<li><strong>cacert:<\/strong> Specifies the path to the CA certificate used for SSL verification.<\/li>\n\n\n\n<li><strong>template:<\/strong> Sets the path to an index template file in Elasticsearch. The template file likely defines the mapping and settings for the Elasticsearch index.<\/li>\n\n\n\n<li><strong>template_name:<\/strong> Specifies the name of the template in Elasticsearch.<\/li>\n\n\n\n<li><strong>template_overwrite:<\/strong> Indicates whether to overwrite an existing template with the same name.<\/li>\n<\/ul>\n\n\n\n<p>As you can see, we have defined the Elastic super user to use in publishing events on the Elasticsearch. You can consider creating a user with specific roles to publish events on the specified index. See more on <a href=\"https:\/\/kifarunix.com\/configure-logstash-elasticsearch-basic-authentication\/#create-required-publishing-roles\">Create Required Publishing Roles for Logstash User<strong>.<\/strong><\/a><\/p>\n\n\n\n<p>You can also consider using variables to store the user credentials instead of storing them in plain text, especially if you are using a super user such as <strong>elastic<\/strong> user as per the <a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/keystore.html\" target=\"_blank\" rel=\"noreferrer noopener\">guidance here<\/a>.<\/p>\n\n\n\n<p>Similarly, copy the Elasticsearch CA cert to the specified path.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/elasticsearch\/certs\/http_ca.crt \/etc\/logstash\/elastic.ca.pem<\/code><\/pre>\n\n\n\n<p>Ensure logstash owns the file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown logstash: \/etc\/logstash\/elastic.ca.pem<\/code><\/pre>\n\n\n\n<p>As already mentioned, add <strong>logstash<\/strong> user to <strong>wazuh<\/strong> group to be able to read the Wazuh event data.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>usermod -aG wazuh logstash<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"test-validity-of-logstash-configuration\">Test Validity of Logstash Configuration<\/h4>\n\n\n\n<p>Next, check if the Logstash configuration is fine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u logstash \/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash -t<\/code><\/pre>\n\n\n\n<p>Or to test specific file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo -u logstash \/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash -t -f \/etc\/logstash\/conf.d\/wazuh.conf<\/code><\/pre>\n\n\n\n<p>If you get, <strong>Configuration OK<\/strong>, in the output, you are good to go.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"running-logstash\">Running Logstash<\/h4>\n\n\n\n<p>Start and enable Logstash to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now logstash<\/code><\/pre>\n\n\n\n<p>Check status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status logstash<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf logstash.service - logstash\n     Loaded: loaded (\/lib\/systemd\/system\/logstash.service; enabled; preset: enabled)\n     Active: active (running) since Sat 2024-03-02 03:11:36 EST; 4s ago\n   Main PID: 3784 (java)\n      Tasks: 26 (limit: 9475)\n     Memory: 405.2M\n        CPU: 12.185s\n     CGroup: \/system.slice\/logstash.service\n             \u2514\u25003784 \/usr\/share\/logstash\/jdk\/bin\/java -XX:+HeapDumpOnOutOfMemoryError -Dlogstash.jackson.stream-read-constraints.max-number-length=10000 --add-opens=java.bas>\n\nMar 02 03:11:36 wazuh-elk systemd[1]: Started logstash.service - logstash.\nMar 02 03:11:36 wazuh-elk logstash[3784]: Using bundled JDK: \/usr\/share\/logstash\/jdk\n<\/code><\/pre>\n\n\n\n<p>Check the logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>journalctl -f -u logstash<\/code><\/pre>\n\n\n\n<p>Sample logs;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Mar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,560][INFO ][logstash.outputs.elasticsearch][main] Not eligible for data streams because config contains one or more settings that are not compatible with data streams: {\"template\"=>\"\/etc\/logstash\/wazuh.json\", \"template_name\"=>\"wazuh\", \"template_overwrite\"=>\"true\", \"index\"=>\"wazuh-alerts-4.x-%{+YYYY.MM.dd}\"}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,561][INFO ][logstash.outputs.elasticsearch][main] Data streams auto configuration (`data_stream => auto` or unset) resolved to `false`\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,599][INFO ][logstash.outputs.elasticsearch][main] Using mapping template from {:path=>\"\/etc\/logstash\/wazuh.json\"}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,613][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>\"main\", \"pipeline.workers\"=>4, \"pipeline.batch.size\"=>125, \"pipeline.batch.delay\"=>50, \"pipeline.max_inflight\"=>500, \"pipeline.sources\"=>[\"\/etc\/logstash\/conf.d\/wazuh.conf\"], :thread=>\"#<Thread:0x6c5eeefc \/usr\/share\/logstash\/logstash-core\/lib\/logstash\/java_pipeline.rb:134 run>\"}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,624][INFO ][logstash.outputs.elasticsearch][main] Installing Elasticsearch template {:name=>\"wazuh\"}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,954][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {\"seconds\"=>0.34}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,959][INFO ][logstash.inputs.file     ][main] No sincedb_path set, generating one based on the \"path\" setting {:sincedb_path=>\"\/var\/lib\/logstash\/plugins\/inputs\/file\/.sincedb_b6991da130c0919d87fbe36c3e98e363\", :path=>[\"\/var\/ossec\/logs\/alerts\/alerts.json\"]}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,962][INFO ][logstash.javapipeline    ][main] Pipeline started {\"pipeline.id\"=>\"main\"}\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,968][INFO ][filewatch.observingtail  ][main][wazuh_alerts] START, creating Discoverer, Watch with file and sincedb collections\nMar 02 03:19:43 wazuh-elk logstash[7949]: [2024-03-02T03:19:43,981][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-wazuh-alerts-index-creation-on-elasticsearch-via-kibana\">Verify Wazuh Alerts Index Creation on Elasticsearch via Kibana<\/h4>\n\n\n\n<p>You can now access Kibana via the url <code><strong>https:\/\/&lt;server-IP-or-hostname&gt;:5601<\/strong><\/code> and check status of the Wazuh alerts indices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Login to Kibana using your admin credentials<\/li>\n\n\n\n<li>Navigate to &nbsp;<strong>\u2630<\/strong>&nbsp;&gt;&nbsp;<strong>Management<\/strong>&nbsp;&gt;&nbsp;<strong>Stack Management &gt; Data &gt; Index Management<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>You should be able to see Wazuh alerts index pattern created.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/wazuh-alerts-index-pattern.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20307&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1621,&quot;targetHeight&quot;:498,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image: Integrate Wazuh Manager with ELK Stack&quot;,&quot;alt&quot;:&quot;Integrate Wazuh Manager with ELK Stack&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1621\" height=\"498\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-alerts-index-pattern.png?v=1709368561\" alt=\"Integrate Wazuh Manager with ELK Stack\" class=\"wp-image-20307\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-alerts-index-pattern.png?v=1709368561 1621w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-alerts-index-pattern-768x236.png?v=1709368561 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-alerts-index-pattern-1536x472.png?v=1709368561 1536w\" sizes=\"(max-width: 1621px) 100vw, 1621px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image: Integrate Wazuh Manager with ELK Stack\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-wazuh-index-patterns-on-kibana\">Create Wazuh Index patterns on Kibana<\/h4>\n\n\n\n<p>From the management interface above;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to&nbsp;<strong>Kibana<\/strong>&nbsp;&gt;&nbsp;<strong>Data Views<\/strong>&nbsp;and select&nbsp;<strong>Create data view<\/strong>.<\/li>\n\n\n\n<li>Enter a name [optional] for the data view and define&nbsp;<code>wazuh-alerts-*<\/code>&nbsp;as the index pattern name.<\/li>\n\n\n\n<li>Select&nbsp;<strong>timestamp<\/strong>&nbsp;in the&nbsp;<strong>Timestamp fields<\/strong>&nbsp;dropdown menu. Then&nbsp;<strong>Save data view to Kibana<\/strong>.<\/li>\n<\/ul>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/create-wazuh-alerts-kibana-index-pattern.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20308&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1604,&quot;targetHeight&quot;:802,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1604\" height=\"802\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/create-wazuh-alerts-kibana-index-pattern.png?v=1709368589\" alt=\"\" class=\"wp-image-20308\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/create-wazuh-alerts-kibana-index-pattern.png?v=1709368589 1604w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/create-wazuh-alerts-kibana-index-pattern-768x384.png?v=1709368589 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/create-wazuh-alerts-kibana-index-pattern-1536x768.png?v=1709368589 1536w\" sizes=\"(max-width: 1604px) 100vw, 1604px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p>Next, verify data on the Kibana discover tab; Select&nbsp;<strong>\u2630<\/strong>&nbsp;&gt;&nbsp;<strong>Analytics<\/strong>&nbsp;&gt;&nbsp;<strong>Discover<\/strong>, select <strong>wazuh-alerts-*<\/strong> index pattern to view the data. Adjust the time range accordingly.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/verify-data-on-wazuh-alerts-index.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20309&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1621,&quot;targetHeight&quot;:802,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1621\" height=\"802\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/verify-data-on-wazuh-alerts-index.png?v=1709368604\" alt=\"\" class=\"wp-image-20309\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/verify-data-on-wazuh-alerts-index.png?v=1709368604 1621w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/verify-data-on-wazuh-alerts-index-768x380.png?v=1709368604 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/verify-data-on-wazuh-alerts-index-1536x760.png?v=1709368604 1536w\" sizes=\"(max-width: 1621px) 100vw, 1621px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"import-wazuh-elastic-dashboards\">Import Wazuh Elastic Dashboards<\/h4>\n\n\n\n<p>Wazuh provides several&nbsp;dashboards for Elastic Stack for visualizing the data.<\/p>\n\n\n\n<p>You can <a href=\"https:\/\/packages.wazuh.com\/integrations\/elastic\/4.x-8.x\/dashboards\/wz-es-4.x-8.x-dashboards.ndjson\" target=\"_blank\" rel=\"noreferrer noopener\">download<\/a> the dashboards;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>curl -Ls https:\/\/packages.wazuh.com\/integrations\/elastic\/4.x-8.x\/dashboards\/wz-es-4.x-8.x-dashboards.ndjson -o wazuh-dashboards.ndjson\n<\/code><\/pre>\n\n\n\n<p>You can them import from command line;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>curl -k -XPOST \"http:\/\/wazuh-elk:5601\/api\/saved_objects\/_import\" \\\n        -H \"kbn-xsrf: true\" \\\n        --form file=@wazuh-dashboards.ndjson \\\n        -u elastic\n<\/code><\/pre>\n\n\n\n<p>Or from Kibana saved Objects (<strong>Management<\/strong>&nbsp;&gt;&nbsp;<strong>Stack management<\/strong> &gt; <strong>Saved Objects<\/strong>&nbsp;and click&nbsp;<strong>Import<\/strong>, select your json file and import).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"viewing-wazuh-dashboards-on-kibana\">Viewing Wazuh Dashboards on Kibana<\/h4>\n\n\n\n<p>Once you import the dashboards, navigate to <strong>Analytics &gt; Dashboards<\/strong>.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;uploadedSrc&quot;:&quot;https:\\\/\\\/kifarunix.com\\\/wp-content\\\/uploads\\\/2024\\\/03\\\/wazuh-dashboards.png&quot;,&quot;figureClassNames&quot;:&quot;wp-block-image size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-20310&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1483,&quot;targetHeight&quot;:657,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}\" data-wp-interactive=\"core\/image\" class=\"wp-block-image size-full wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"1483\" height=\"657\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-dashboards.png?v=1709370470\" alt=\"\" class=\"wp-image-20310\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-dashboards.png?v=1709370470 1483w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/wazuh-dashboards-768x340.png?v=1709370470 768w\" sizes=\"(max-width: 1483px) 100vw, 1483px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\taria-label=\"Enlarge image\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on-async--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"context.imageButtonRight\"\n\t\t\tdata-wp-style--top=\"context.imageButtonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-wazuh-agents-and-visualize-the-events-data\">Install Wazuh Agents and Visualize the Events Data<\/h4>\n\n\n\n<p>You can now follow the guide below to learn how to install Wazuh agents.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easy-way-to-install-wazuh-agents-on-ubuntu-debian\" target=\"_blank\" rel=\"noreferrer noopener\">Easy Way to Install Wazuh Agents on Ubuntu\/Debian<\/a><\/p>\n\n\n\n<p>Once the agents are intalled and enrolled into the manager, you should be able to utilize the imported dashboards to visualize the events from those systems.<\/p>\n\n\n\n<p>Sample security events.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1910\" height=\"885\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/sample-wazuh-security-events-dashboard.png?v=1709378006\" alt=\"\" class=\"wp-image-20311\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/sample-wazuh-security-events-dashboard.png?v=1709378006 1910w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/sample-wazuh-security-events-dashboard-768x356.png?v=1709378006 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/03\/sample-wazuh-security-events-dashboard-1536x712.png?v=1709378006 1536w\" sizes=\"(max-width: 1910px) 100vw, 1910px\" \/><\/figure>\n\n\n\n<p>And that is it! One this you will lose with this architecture is the previous capability to manage agents from Kibana\/Wazuh app dashboard.<\/p>\n\n\n\n<p>Remember this?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1893\" height=\"784\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/wazuh-app-kibana-modules.png\" alt=\"\" class=\"wp-image-8814\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/wazuh-app-kibana-modules.png?v=1620709538 1893w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/wazuh-app-kibana-modules-768x318.png?v=1620709538 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/05\/wazuh-app-kibana-modules-1536x636.png?v=1620709538 1536w\" sizes=\"(max-width: 1893px) 100vw, 1893px\" \/><\/figure>\n\n\n\n<p>Either way, you can utilize Wazuh Indexer and Wazuh dashboards for that. See the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-siem-server-on-ubuntu-24-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh SIEM Server on Ubuntu 24.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference<\/h3>\n\n\n\n<p><a aria-label=\"Step-by-step installation (opens in a new tab)\" href=\"https:\/\/documentation.wazuh.com\/current\/installation-guide\/open-distro\/all-in-one-deployment\/all_in_one.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">Step-by-step installation<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-elk-stack-alerting-with-elastalert\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Configure ELK Stack Alerting with ElastAlert<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/monitor-linux-system-metrics-with-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Monitor Linux System Metrics with ELK Stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/visualize-wordpress-user-activity-logs-on-elk-stack\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Visualize WordPress User Activity Logs on ELK Stack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to integrate Wazuh manager with ELK stack as a unified Security Information and Event management tool. Wazuh consists<\/p>\n","protected":false},"author":3,"featured_media":8817,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,121,1823],"tags":[912,1852,3509,3507,3505,3506,3508,1828],"class_list":["post-8802","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-howtos","category-wazuh","tag-elastic-stack","tag-elk-stack","tag-elk-stack-and-wazuh-manager","tag-install-elk-with-wazuh","tag-integrate-wazuh-manager-with-elk-stack","tag-wazuh-app-kibana","tag-wazuh-manager-on-elk","tag-wazuh-server","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8802"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8802"}],"version-history":[{"count":15,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8802\/revisions"}],"predecessor-version":[{"id":21822,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8802\/revisions\/21822"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8817"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}