Dear Community,
I’m doing a private study project to build a SIEM stack using open-source tools, and I decided to use Graylog for log aggregation. However, I also use Wazuh Manager as an EDR that collects logs from the endpoints, and I forward those logs to Graylog using fluent-bit. But I get the following error on Graylog:
Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].
Below is my fluent-bit configuration:
[SERVICE]
    flush                    5
    daemon                   Off
    log_level                info
    parsers_file             parsers.conf
    plugins_file             plugins.conf
    HTTP_Server              Off
    HTTP_Listen              0.0.0.0
    HTTP_PORT                2020
    storage.metrics          on
    storage.path             /var/log/flb-storage/
    storage.sync             normal
    storage.checksum         off
    storage.backlog.mem_limit 5M
    Log_File                 /var/log/td-agent-bit.log

[INPUT]
    name                     tail
    path                     /var/ossec/logs/alerts/alerts.json
    tag                      wazuh
    parser                   json
    Buffer_Max_Size          5MB
    Buffer_Chunk_Size        400k
    storage.type             filesystem
    Mem_Buf_Limit            512MB

[OUTPUT]
    Name                     tcp
    Host                     *graylog ip address*
    Port                     *graylog port*
    net.keepalive            off
    Match                    wazuh
    Format                   json_lines
    json_date_key            true
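The following is an added example, not code from the post above or from the fluent-bit or Graylog projects. It models the fluent-bit leg of the pipeline the post describes (tail of `alerts.json` with the json parser, then a `json_lines` frame over plain TCP) so the framing can be checked in isolation before a Graylog input is involved; it does not touch the Elasticsearch error, which occurs between Graylog and Elasticsearch. The alert lines are constructed, the Graylog-side receiver is assumed to be a newline-delimited Raw/Plaintext TCP input, and the defaults it mirrors (date key named `date`, epoch-seconds timestamp) are fluent-bit's documented defaults rather than anything taken from the post.

```python
import json
import socket
import time

# Constructed sample of what /var/ossec/logs/alerts/alerts.json holds: one JSON
# object per line. The second line is deliberately truncated to show how a broken
# line is skipped instead of poisoning the whole batch.
SAMPLE_ALERTS_JSON = "\n".join([
    json.dumps({"timestamp": "2024-01-01T10:00:00.000+0000",
                "rule": {"level": 5, "id": "5501", "description": "PAM: Login session opened."},
                "agent": {"id": "001", "name": "host-a"}}),
    '{"timestamp": "2024-01-01T10:00:01.000+0000", "rule": {"level": 3',
    json.dumps({"timestamp": "2024-01-01T10:00:02.000+0000",
                "rule": {"level": 10, "id": "5710", "description": "sshd: Attempt to login using a non-existent user"},
                "agent": {"id": "002", "name": "host-b"}}),
]) + "\n"


def parse_alerts(text):
    """Parse newline-delimited JSON the way the tail input with 'parser json' does.

    Returns (records, skipped), where skipped counts lines that were not a
    complete JSON object; such lines would be dropped by the parser as well.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict):
            skipped += 1
            continue
        records.append(obj)
    return records, skipped


def to_json_lines(records, date_key="date", ts=None):
    """Frame records as 'Format json_lines' does: one compact JSON object per line,
    newline terminated, with the ingest time (epoch seconds) placed first under
    date_key. date_key=None mirrors 'json_date_key false' and omits the key.
    """
    ts = time.time() if ts is None else ts
    out = []
    for rec in records:
        framed = {date_key: ts, **rec} if date_key else dict(rec)
        out.append(json.dumps(framed, separators=(",", ":")))
    return ("\n".join(out) + "\n").encode("utf-8") if out else b""


def validate_json_lines(payload):
    """See the payload as a newline-delimited TCP input would: every frame must be
    exactly one JSON object and the payload must end with a newline, otherwise the
    last frame would be held until more data arrives. Returns the frame count.
    """
    if not payload:
        return 0
    if not payload.endswith(b"\n"):
        raise ValueError("payload is not newline terminated")
    count = 0
    for n, line in enumerate(payload.decode("utf-8").splitlines(), start=1):
        obj = json.loads(line)  # raises on a split or concatenated frame
        if not isinstance(obj, dict):
            raise ValueError(f"frame {n} is not a JSON object")
        count += 1
    return count


def send_json_lines(host, port, payload, timeout=5.0):
    """Push a framed payload over plain TCP, which is all the tcp output does.
    Not exercised offline; host and port are hypothetical."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    recs, skipped = parse_alerts(SAMPLE_ALERTS_JSON)
    payload = to_json_lines(recs, ts=1704103200.0)
    print(f"{len(recs)} alerts framed, {skipped} skipped, "
          f"{validate_json_lines(payload)} valid frames")
    # send_json_lines("graylog.example.invalid", 5555, payload)  # hypothetical target
```

Running it offline prints two framed alerts, one skipped line and two valid frames; pointing `send_json_lines` at a real Raw/Plaintext TCP input lets you confirm that Graylog receives and parses the frames before looking at the index-side error.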