Tags: filebeat, opensearch, wazuh

Can we send data to wazuh-indexer using filebeat and without agent in Wazuh?


I am trying to send data from filebeat to wazuh-indexer directly but I get connection errors between filebeat and elasticsearch. Following is my filebeat configuration:

filebeat.inputs:
- type: log          # "input_type" is the old 6.x key; current Filebeat uses "type"
  paths:
  - /home/siem/first4.log
  enabled: true      # the key is "enabled", not "enable"
output.elasticsearch:
  hosts: ["192.168.0.123:9200"]
  protocol: https
  index: "test"
  username: admin
  password: admin
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat-1.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-1-key.pem"
setup.template.json.enabled: false
setup.ilm.overwrite: true
setup.ilm.enabled: false
setup.template.name: false
setup.template.pattern: false

#setup.template.json.path: '/etc/filebeat/wazuh-template.json'
#setup.template.json.name: 'wazuh'

#filebeat.modules:
#  - module: wazuh
#    alerts:
#      enabled: true
#    archives:
#      enabled: false

Following is the error:

2023-01-30T09:29:18.634Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(elasticsearch(https://192.168.0.123:9200)): Get "https://192.168.0.123:9200": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2023-01-30T09:29:18.635Z        INFO    [publisher_pipeline_output]     pipeline/output.go:145  Attempting to reconnect to backoff(elasticsearch(https://192.168.0.123:9200)) with 1 reconnect attempt(s)
2023-01-30T09:29:18.635Z        INFO    [publisher]     pipeline/retry.go:219   retryer: send unwait signal to consumer
2023-01-30T09:29:18.635Z        INFO    [publisher]     pipeline/retry.go:223     done
2023-01-30T09:29:46.177Z        INFO    [monitoring]    log/log.go:145  Non-zero metrics in the last 30s      

Can anyone tell me what mistake I am making?


Solution

  • Yes, you could send logs directly using Filebeat without a Wazuh agent but that way you won't benefit from the Wazuh analysis engine.

    With your current configuration, the logs will be ingested under filebeat-<version>-<date>. Make sure to create an index pattern for these events.

    As your logs indicate, there's a connectivity issue between Filebeat and the Wazuh indexer. To diagnose the problem:

    Try running the following call to make sure you can reach the Wazuh indexer:

    curl -k -u admin:admin https://192.168.0.123:9200


    Run a Filebeat test output:

    filebeat test output
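The answer's two checks can be turned into a small triage script that works from the error layer upward: first reach the indexer with certificate validation disabled (so a firewall or wrong port is not misread as a TLS fault), then repeat the request validating against the same CA and client certificate Filebeat is configured with, and finally let Filebeat test its own output. The script below is an added example, not part of the original post or of the Wazuh project; it assumes the indexer address, admin credentials and certificate paths from the question, all of which can be overridden through environment variables. The `classify_filebeat_error` helper maps a Filebeat publisher log line (such as the `context deadline exceeded` line in the question) to the layer most likely at fault, which tells you which check to look at first.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes the indexer
# address, credentials and certificate paths from the question; override via env.
INDEXER_HOST="${INDEXER_HOST:-192.168.0.123}"
INDEXER_PORT="${INDEXER_PORT:-9200}"
INDEXER_USER="${INDEXER_USER:-admin}"
INDEXER_PASS="${INDEXER_PASS:-admin}"
CA_FILE="${CA_FILE:-/etc/filebeat/certs/root-ca.pem}"
CLIENT_CERT="${CLIENT_CERT:-/etc/filebeat/certs/filebeat-1.pem}"
CLIENT_KEY="${CLIENT_KEY:-/etc/filebeat/certs/filebeat-1-key.pem}"
CONNECT_TIMEOUT=5

# Map a Filebeat publisher error line to the layer that most likely failed.
# Each layer corresponds to one of the checks in run_checks below.
classify_filebeat_error() {
  case "$1" in
    *"context deadline exceeded"*|*"i/o timeout"*)
      echo "network" ;;      # no answer at all: wrong host/port or a firewall
    *"connection refused"*)
      echo "listener" ;;     # host answered but nothing is listening on the port
    *"x509"*|*"certificate"*|*"tls:"*)
      echo "tls" ;;          # CA/certificate chain or hostname mismatch
    *"401"*|*"Unauthorized"*)
      echo "auth" ;;         # credentials rejected
    *"403"*|*"Forbidden"*)
      echo "authz" ;;        # user lacks permissions on the index
    *)
      echo "unknown" ;;
  esac
}

# Step 1: plain reachability, certificate validation disabled (-k), so that a
# network problem is not mistaken for a TLS problem.
check_reachable() {
  curl -sS -k -o /dev/null --connect-timeout "$CONNECT_TIMEOUT" \
    -u "$INDEXER_USER:$INDEXER_PASS" "https://$INDEXER_HOST:$INDEXER_PORT/"
}

# Step 2: same request, now validating the server against the CA and presenting
# the client certificate that Filebeat is configured with.
check_tls_chain() {
  curl -sS -o /dev/null --connect-timeout "$CONNECT_TIMEOUT" \
    --cacert "$CA_FILE" --cert "$CLIENT_CERT" --key "$CLIENT_KEY" \
    -u "$INDEXER_USER:$INDEXER_PASS" "https://$INDEXER_HOST:$INDEXER_PORT/"
}

# Step 3: let Filebeat itself try the output defined in filebeat.yml.
check_filebeat_output() {
  filebeat test output
}

# Run the checks in order and stop at the first failing layer.
run_checks() {
  for step in check_reachable check_tls_chain check_filebeat_output; do
    "$step"
    rc=$?
    if [ "$rc" -eq 0 ]; then
      echo "OK   $step"
    else
      echo "FAIL $step (exit status $rc)"
      return 1
    fi
  done
}

# Usage: sh diagnose_indexer.sh run
case "${1:-}" in
  run) run_checks ;;
esac
```

If step 1 fails with a timeout, the problem is between the Filebeat host and the indexer (routing, host firewall, or the indexer bound to a different interface or port), and no amount of certificate or credential changes will help; if step 1 passes but step 2 fails, compare the CA that signed the indexer's certificate with the `ssl.certificate_authorities` file in `filebeat.yml`.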