I’m doing a private project, studying how to build SIEM stacks using open-source tools, and I decided to use Graylog as part of log aggregation. However, I also use Wazuh Manager as an EDR that collects logs from the endpoints, and I would be forwarding those logs to Graylog using fluent-bit. But I got an error on Graylog, as shown below:
Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].
Below is my configuration for fluent-bit:

[SERVICE]
    flush                     5
    daemon                    Off
    log_level                 info
    parsers_file              parsers.conf
    plugins_file              plugins.conf
    HTTP_Server               Off
    HTTP_Listen               0.0.0.0
    HTTP_PORT                 2020
    storage.metrics           on
    storage.path              /var/log/flb-storage/
    storage.sync              normal
    storage.checksum          off
    storage.backlog.mem_limit 5M
    Log_File                  /var/log/td-agent-bit.log

[INPUT]
    # tail the Wazuh alerts file; each line is one JSON alert
    name              tail
    path              /var/ossec/logs/alerts/alerts.json
    tag               wazuh
    parser            json
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    # send newline-delimited JSON over raw TCP to the Graylog input
    Name          tcp
    Host          *graylog ip address*
    Port          *graylog port*
    net.keepalive off
    Match         wazuh
    Format        json_lines
    # json_date_key sets the name of the timestamp field (default "date");
    # the value given here, "true", is used literally as that field name
    json_date_key true