Wazuh in K8S (Kubernetes): Enable archives index & get all events

Capturing all coming logs and visualizing them can be a requirement and
enabling that option in an on-prem environment can be achieved as described
in the official guide here https://documentation.wazuh.com/4.4/user-manual/manager/wazuh-archives.html; however, In K8s, restarting the
Filebeat service causes restarting the Wazuh manager pod which will wipe
up the changes and revert the initial configuration (archives disabled).

This article describes how to enable archives in Filebeat and visualize your
archives logs:

Configuration:

Assuming that you have deployed following the official guide https://documentation.wazuh.com/4.4/deployment-options/deploying-
with-kubernetes/kubernetes-deployment.html and you have enabled the
logall_json option (https://documentation.wazuh.com/current/user-
manual/reference/ossec-conf/global.html#logall-json) also it is worth mentioning that the version while writing the post is v4.4.0 as the folder/files path may differ.

Add the custom under filebeat.yml that should have the archives enabled /yourpath/wazuh-kubernetes/wazuh/wazuh_managers/wazuh_conf/

# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true

Add the file name within the file /yourpath/wazuh-kubernetes/wazuh/kustomization.yml in ConfigMapGenerator under wazuh-conf:

configMapGenerator:
  - name: indexer-conf
    files:
      - indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
      - indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
  - name: wazuh-conf
    files:
      - wazuh_managers/wazuh_conf/master.conf
      - wazuh_managers/wazuh_conf/worker.conf
      - wazuh_managers/wazuh_conf/filebeat.yml

Add a new mount within the wazuh-master-sts.yml and wazuh-worker-sts.yml located in /yourpath/wazuh-kubernetes/wazuh/wazuh_managers:

volumeMounts:
   - name: config
     mountPath: /etc/filebeat/filebeat.yml
     subPath: filebeat.yml

Apply the changes kubectl apply -k envs/eks/

Create the index pattern as described here https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#wazuh-dashboard by clicking the upper-left menu icon and navigating to Stack management > Index patterns > Create index pattern . Use wazuh-archives-* as the index pattern name, and set timestamp in the Time field drop-down list

I hope you find it helpful 😀

Open Source Security Blogs

Wazuh in K8S (Kubernetes): Enable archives index & get all events

Configuration:

Leave a Reply Cancel reply