Tag: Elasticsearch

  • Test Logstash Pipelines/Filters Before Implementation

    Use case: Detect if the parsed logs contain single or multiple warning messages then add a field stating both cases. Logstash configuration & testing: Suppose that we have the following log files representing both cases described above: Reading the logs we can see that the field [waf][warnMsg] separates the warning messages using a semi-colon ; in the case of…

  • Get notified when Elasticsearch/Wazuh Indexer/ OpenSearch stops indexing data

    Prerequisites: Use case: Monitor Wazuh indexer/Elasticsearch/Opensearch Indexing and get a discord notification if no events indexed for the last 5 minutes. Monitoring Script: Wazuh Manager Configuration: Place the script in the Wazuh manager under the path /var/ossec/integrations assigning the following permissions and ownership: Add the configuration to run the script and the rules to trigger the alerts…

  • Enrich Wazuh indices using Elasticsearch ingest Set processor

    Elasticsearch offers various processors configurable within the ingest pipelines, allowing you to perform transformations over the data. In this write-up, I will use the Set processor https://www.elastic.co/guide/en/elasticsearch/reference/current/set-processor.html to enrich the Wazuh alerts indices. Use case: Add a flag/field to distinguish between servers in different data centers, knowing that each data center has servers with a unique Operating System.…