Capturing all coming logs and visualizing them can be a requirement and
enabling that option in an on-prem environment can be achieved as described
in the official guide here https://documentation.wazuh.com/4.4/user-manual/manager/wazuh-archives.html; however, In K8s, restarting the
Filebeat service causes restarting the Wazuh manager pod which will wipe
up the changes and revert the initial configuration (archives disabled).
This article describes how to enable archives in Filebeat and visualize your
archives logs:
Configuration:
Assuming that you have deployed following the official guide https://documentation.wazuh.com/4.4/deployment-options/deploying-
with-kubernetes/kubernetes-deployment.html and you have enabled the
logall_json option (https://documentation.wazuh.com/current/user-
manual/reference/ossec-conf/global.html#logall-json) also it is worth mentioning that the version while writing the post is v4.4.0 as the folder/files path may differ.
- Add the custom under
filebeat.ymlthat should have the archives enabled/yourpath/wazuh-kubernetes/wazuh/wazuh_managers/wazuh_conf/
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true- Add the file name within the file
/yourpath/wazuh-kubernetes/wazuh/kustomization.ymlinConfigMapGeneratorunderwazuh-conf:
configMapGenerator:
- name: indexer-conf
files:
- indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
- indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml
- name: wazuh-conf
files:
- wazuh_managers/wazuh_conf/master.conf
- wazuh_managers/wazuh_conf/worker.conf
- wazuh_managers/wazuh_conf/filebeat.yml- Add a new mount within the
wazuh-master-sts.ymlandwazuh-worker-sts.ymllocated in/yourpath/wazuh-kubernetes/wazuh/wazuh_managers:
volumeMounts:
- name: config
mountPath: /etc/filebeat/filebeat.yml
subPath: filebeat.yml- Apply the changes
kubectl apply -k envs/eks/
- Create the index pattern as described here https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#wazuh-dashboard by clicking the upper-left menu icon and navigating to
Stack management > Index patterns > Create index pattern. Usewazuh-archives-*as the index pattern name, and set timestamp in the Time field drop-down list
I hope you find it helpful 😀
32 responses to “Wazuh in K8S (Kubernetes): Enable archives index & get all events”
ivermectin 12 mg pills – buy ivermectin stromectol tegretol 200mg pills
cheap amoxicillin generic – valsartan 80mg pill ipratropium 100 mcg without prescription
order accutane 20mg pills – accutane order purchase zyvox sale
buy azithromycin 500mg – tinidazole 300mg canada buy bystolic 20mg pill
buy prednisolone 5mg – azipro usa progesterone uk
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
lasix 100mg cost – nootropil 800mg usa how to get betnovate without a prescription
neurontin 800mg tablet – anafranil 25mg without prescription purchase itraconazole online
buy augmentin online – nizoral 200mg uk order cymbalta without prescription
purchase doxycycline sale – order albuterol inhalator sale glucotrol 5mg drug
amoxiclav without prescription – duloxetine 40mg cheap cymbalta 20mg oral
order semaglutide 14 mg without prescription – buy cyproheptadine pills oral cyproheptadine 4 mg
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
generic tizanidine – tizanidine 2mg pills buy generic hydrochlorothiazide
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me. https://accounts.binance.com/ES_la/register-person?ref=T7KCZASX
Your article helped me a lot, is there any more related content? Thanks! https://accounts.binance.info/en-IN/register-person?ref=UM6SMJM3
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
brand cialis 10mg – oral tadalafil 10mg sildenafil generic
sildenafil professional – order cialis online tadalafil 20mg uk
order atorvastatin 80mg for sale – norvasc where to buy order lisinopril generic
cenforce over the counter – cheap chloroquine glycomet uk
lipitor 80mg canada – buy norvasc pill how to buy zestril
lipitor 80mg price – lisinopril online order buy lisinopril 2.5mg generic
omeprazole generic – buy generic atenolol 50mg buy generic tenormin 50mg
Your article helped me a lot, is there any more related content? Thanks!
Your article helped me a lot, is there any more related content? Thanks! https://www.binance.com/vi/register?ref=WTOZ531Y
… [Trackback]
[…] There you will find 25206 more Infos: opensourcesecurityblogs.com/wazuh-in-k8s-kubernetes-enablearchives-index-get-all-events/ […]
461277 411425I like this web website extremely a lot, Its a truly nice billet to read and obtain info . 600672
medrol 16 mg without prescription – buy aristocort triamcinolone 4mg generic
buy cheap generic clarinex – dapoxetine for sale online buy priligy 60mg online cheap
buy generic cytotec online – purchase orlistat without prescription order diltiazem sale