Capturing all incoming logs and visualizing them can be a requirement. Enabling that option in an on-prem environment can be achieved as described in the official guide here https://documentation.wazuh.com/4.4/user-manual/manager/wazuh-archives.html; however, in K8s, restarting the Filebeat service restarts the Wazuh manager pod, which wipes out the changes and reverts to the initial configuration (archives disabled).
This article describes how to enable archives in Filebeat and visualize your archive logs:
Configuration:
Assuming that you have deployed following the official guide https://documentation.wazuh.com/4.4/deployment-options/deploying-with-kubernetes/kubernetes-deployment.html and you have enabled the logall_json option (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json). It is also worth mentioning that the version at the time of writing is v4.4.0, as the folder and file paths may differ in other versions.
- Add a custom filebeat.yml with archives enabled under /yourpath/wazuh-kubernetes/wazuh/wazuh_managers/wazuh_conf/:

```yaml
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true
```
- Add the file name within /yourpath/wazuh-kubernetes/wazuh/kustomization.yml, in configMapGenerator under wazuh-conf:

```yaml
configMapGenerator:
  - name: indexer-conf
    files:
      - indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
      - indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
  - name: wazuh-conf
    files:
      - wazuh_managers/wazuh_conf/master.conf
      - wazuh_managers/wazuh_conf/worker.conf
      - wazuh_managers/wazuh_conf/filebeat.yml
```
- Add a new mount within wazuh-master-sts.yml and wazuh-worker-sts.yml, located in /yourpath/wazuh-kubernetes/wazuh/wazuh_managers:

```yaml
volumeMounts:
  - name: config
    mountPath: /etc/filebeat/filebeat.yml
    subPath: filebeat.yml
```
- Apply the changes:

```sh
kubectl apply -k envs/eks/
```
- Create the index pattern as described here https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#wazuh-dashboard by clicking the upper-left menu icon and navigating to Stack management > Index patterns > Create index pattern. Use wazuh-archives-* as the index pattern name, and set timestamp in the Time field drop-down list.
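Because a pod restart silently reverts to "archives disabled" whenever one of the three edits above is missing, a small pre-apply check is useful. The script below is an added example, not part of the original post or the wazuh-kubernetes repository; it assumes the repository's directory layout and that you pass the kustomize base directory (the /yourpath/wazuh-kubernetes/wazuh folder used above) as its only argument.

```sh
#!/bin/sh
# Added pre-apply check (not from the original post): verifies that the three
# edits above are all present in the kustomize base, since a missing piece
# means the next pod restart silently reverts to "archives disabled".
# The directory layout is assumed to match the wazuh-kubernetes repository.

# 1. filebeat.yml: the archives block itself must contain "enabled: true"
#    (an "enabled: true" under alerts does not count).
check_archives_enabled() {          # reads filebeat.yml on stdin
  awk '
    /^ *archives:/ { in_block = 1; next }
    in_block && /^ *[A-Za-z_]+:/ && !/^ *enabled:/ { in_block = 0 }
    in_block && /enabled: *true/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# 2. kustomization.yml: filebeat.yml must be listed under the wazuh-conf
#    configMapGenerator entry, not just anywhere in the file.
check_configmap_entry() {           # reads kustomization.yml on stdin
  awk '
    /- name: wazuh-conf/ { in_block = 1; next }
    in_block && /- name:/ { in_block = 0 }
    in_block && /wazuh_managers\/wazuh_conf\/filebeat\.yml/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# 3. StatefulSets: the config volume must mount the single key at
#    /etc/filebeat/filebeat.yml via subPath (without subPath, a directory
#    holding every ConfigMap key would be mounted there instead).
check_filebeat_mount() {            # reads a *-sts.yml on stdin
  awk '
    /mountPath: \/etc\/filebeat\/filebeat\.yml/ { at = NR }
    at && /subPath: filebeat\.yml/ && NR - at <= 2 { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Run all checks against a base directory; non-zero exit on any failure.
verify_manager_config() {           # $1 = /yourpath/wazuh-kubernetes/wazuh
  rc=0
  check_archives_enabled < "$1/wazuh_managers/wazuh_conf/filebeat.yml" \
    || { echo "filebeat.yml: archives are not enabled"; rc=1; }
  check_configmap_entry < "$1/kustomization.yml" \
    || { echo "kustomization.yml: filebeat.yml not under wazuh-conf"; rc=1; }
  for sts in wazuh-master-sts.yml wazuh-worker-sts.yml; do
    check_filebeat_mount < "$1/wazuh_managers/$sts" \
      || { echo "$sts: /etc/filebeat/filebeat.yml mount missing"; rc=1; }
  done
  return $rc
}

if [ $# -eq 1 ]; then verify_manager_config "$1"; fi
```

Run it as `sh check-archives.sh /yourpath/wazuh-kubernetes/wazuh` before `kubectl apply -k`; a zero exit means all three pieces are in place.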
I hope you find it helpful 😀
12 responses to “Wazuh in K8S (Kubernetes): Enable archives index & get all events”
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.