Fluent-Bit log forwarding to Graylog

Dear Community,
I'm working on a private project to build a SIEM stack using open-source tools, and I decided to use Graylog for log aggregation. I also use Wazuh Manager as an EDR that collects logs from the endpoints, and I forward those logs to Graylog using Fluent Bit. But I get the following error on Graylog:

Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].

Below is my Fluent Bit configuration:

[SERVICE]
    flush        5
    daemon       Off
    log_level    info
    parsers_file parsers.conf
    plugins_file plugins.conf
    HTTP_Server  Off
    HTTP_Listen  0.0.0.0
    HTTP_PORT    2020
    storage.metrics on
    storage.path /var/log/flb-storage/
    storage.sync normal
    storage.checksum off
    storage.backlog.mem_limit 5M
    Log_File /var/log/td-agent-bit.log

[INPUT]
    # Tail the Wazuh alert stream (one JSON object per line) and parse each line with the json parser
    name  tail
    path  /var/ossec/logs/alerts/alerts.json
    tag wazuh
    parser  json
    Buffer_Max_Size 5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    # Send the parsed records to Graylog as newline-delimited JSON over plain TCP
    Name  tcp
    Host  *graylog ip address*
    Port  *graylog port*
    net.keepalive off
    Match wazuh
    Format  json_lines
    # json_date_key takes the name of the timestamp key (default: date), or "false" to drop it; it is not a boolean
    json_date_key date

This is also my input configuration on the Graylog web UI:
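The error quoted above is raised by Elasticsearch on the bulk index request that Graylog sends to its own backend (the "metadata section" is the bulk action line), so it is worth investigating on the Graylog/Elasticsearch side separately from what Fluent Bit emits. Independently of that, a plain TCP `json_lines` feed lands in a Raw/Plaintext input as one opaque `message` field unless an extractor or pipeline rule parses it, while Graylog's GELF input takes structured fields natively. The following is an added example, not code from the original post or from Fluent Bit, Wazuh or Graylog: it reads lines shaped like Wazuh's alerts.json, encodes each as a GELF 1.1 message (flat `_`-prefixed additional fields, epoch timestamp, syslog-style level, the reserved `_id` renamed) and frames them NUL-terminated for a GELF TCP input. It assumes a GELF TCP input on the Graylog side (the post does not say which input type was configured); the sample alert lines, the hostnames and IPs in them, the level mapping thresholds and the `graylog.example.internal` host are all constructed for this example.

```python
"""Encode Wazuh alerts.json records as GELF 1.1 for a Graylog GELF TCP input."""
import json
import re
import socket
from datetime import datetime

# Constructed sample lines shaped like Wazuh's /var/ossec/logs/alerts/alerts.json
# (one JSON object per line). Hosts, IPs, ids and rule text are invented for this example.
SAMPLE_ALERTS = [
    '{"timestamp":"2023-05-10T12:34:56.789+0000","rule":{"level":10,"description":"Multiple authentication failures.","id":"5712","groups":["syslog","sshd"]},"agent":{"id":"001","name":"web01","ip":"10.0.0.5"},"manager":{"name":"wazuh-manager"},"id":"1683722096.12345","full_log":"May 10 12:34:56 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 4422 ssh2","decoder":{"name":"sshd"},"data":{"srcip":"203.0.113.7","srcuser":"root"},"location":"/var/log/auth.log"}',
    '{"timestamp":"2023-05-10T12:35:01.000+0000","rule":{"level":3,"description":"Login session opened.","id":"5501"},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1683722101.12400","full_log":"May 10 12:35:01 manager CRON[999]: pam_unix(cron:session): session opened for user root","decoder":{"name":"pam"},"location":"/var/log/syslog"}',
]


def wazuh_level_to_syslog(level: int) -> int:
    """Map Wazuh rule levels (0-15) onto syslog severities, which is what GELF "level" carries.
    The thresholds are this example's choice, not a Wazuh or Graylog convention."""
    if level >= 12:
        return 2  # critical
    if level >= 7:
        return 4  # warning
    if level >= 4:
        return 5  # notice
    return 6      # informational


def flatten(value, prefix=""):
    """Flatten nested objects into dotted keys: GELF additional fields must be flat and their
    values strings or numbers, so lists are kept as a JSON string and bool/None become text."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            out.update(flatten(item, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(value, list):
        return {prefix: json.dumps(value)}
    if isinstance(value, bool) or value is None:
        return {prefix: str(value)}
    return {prefix: value}


def wazuh_to_gelf(line: str) -> dict:
    """Turn one alerts.json line into a GELF 1.1 message dict."""
    alert = json.loads(line)
    rule = alert.get("rule", {})
    # Wazuh timestamps look like 2023-05-10T12:34:56.789+0000; GELF wants epoch seconds.
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    msg = {
        "version": "1.1",
        "host": alert.get("agent", {}).get("name") or alert.get("manager", {}).get("name", "wazuh"),
        "short_message": rule.get("description", "wazuh alert"),
        "full_message": alert.get("full_log", ""),
        "timestamp": ts.timestamp(),
        "level": wazuh_level_to_syslog(int(rule.get("level", 0))),
    }
    for key, value in flatten(alert).items():
        if key in ("timestamp", "full_log"):
            continue  # already carried by the standard GELF fields above
        if key == "id":
            key = "alert_id"  # "_id" is reserved in GELF and rejected by Graylog
        # Additional field names must start with "_" and may only contain [\w.-].
        msg["_" + re.sub(r"[^\w.\-]", "_", key)] = value
    return msg


def frame_gelf(msg: dict) -> bytes:
    """GELF over TCP: one JSON document per message, terminated by a NUL byte.
    json.dumps escapes control characters, so the delimiter cannot collide with content."""
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\x00"


def send_gelf_tcp(frames, host: str, port: int = 12201) -> int:
    """Ship pre-framed messages to a Graylog GELF TCP input; returns the byte count sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        for frame in frames:
            sock.sendall(frame)
            sent += len(frame)
    return sent


if __name__ == "__main__":
    frames = [frame_gelf(wazuh_to_gelf(line)) for line in SAMPLE_ALERTS]
    for frame in frames:
        print(frame[:-1].decode())
    # send_gelf_tcp(frames, "graylog.example.internal")  # hypothetical host; uncomment to ship
```

Running it prints the two encoded messages; the commented-out `send_gelf_tcp` call is the only part that needs a live Graylog. The same field handling applies to any nested JSON source, not only Wazuh: the reserved `_id` rename and the flattening are what a GELF input requires regardless of the producer.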

Hey @0x65dvrc

This post might help

2 Likes

Thanks @gsmith
Let me take a look at it.

1 Like
