diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml index 628e4479..46600662 100644 --- a/wazuh/config/filebeat.yml +++ b/wazuh/config/filebeat.yml @@ -1,53 +1,15 @@ -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -filebeat.inputs: - - type: log - paths: - - '/var/ossec/logs/alerts/alerts.json' +# Wazuh - Filebeat configuration file +filebeat.modules: + - module: wazuh + alerts: + enabled: true + archives: + enabled: false setup.template.json.enabled: true -setup.template.json.path: "/etc/filebeat/wazuh-template.json" -setup.template.json.name: "wazuh" +setup.template.json.path: '/etc/filebeat/wazuh-template.json' +setup.template.json.name: 'wazuh' setup.template.overwrite: true +setup.ilm.enabled: false -processors: - - decode_json_fields: - fields: ['message'] - process_array: true - max_depth: 200 - target: '' - overwrite_keys: true - - drop_fields: - fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] - - rename: - fields: - - from: "data.aws.sourceIPAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.srcip" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - - rename: - fields: - - from: "data.win.eventdata.ipAddress" - to: "@src_ip" - ignore_missing: true - fail_on_error: false - when: - regexp: - data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - -output.elasticsearch: - hosts: ['http://elasticsearch:9200'] - #pipeline: geoip - indices: - - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}' +output.elasticsearch.hosts: ['http://elasticsearch:9200'] \ No newline at end of file
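Review bot: The new output line `output.elasticsearch.hosts: ['http://elasticsearch:9200']` still sends every Wazuh alert to Elasticsearch over plaintext HTTP with no credentials and no TLS settings, and the move to `filebeat.modules` does nothing to change that. The removed processors show these documents carry source IPs and Windows event data, so unless the Elasticsearch in this compose stack deliberately runs with security disabled (not visible here) the output should use `https://`, pin the CA, and take credentials from the Filebeat keystore or environment rather than literals in a committed file; the `${VAR}` form below is resolved by Filebeat at load time. Also worth adding a trailing newline, since the hunk ends with `\ No newline at end of file`.
```yaml
# … unchanged: filebeat.modules / setup.template.* / setup.ilm.enabled …
output.elasticsearch:
  hosts: ['https://elasticsearch:9200']
  username: '${ELASTICSEARCH_USERNAME}'
  password: '${ELASTICSEARCH_PASSWORD}'
  # path is an example; point at the CA that signed the Elasticsearch cert
  ssl.certificate_authorities: ['/etc/filebeat/certs/root-ca.pem']
```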