Graylog <-Fluent-bit<-Wazuh:


1. Describe your incident:
I’m integrating Wazuh → Fluent-bit → Graylog; everything is configured. In Graylog I configured this input:

bind_address: 0.0.0.0
charset_name: UTF-8
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 5555
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********
use_null_delimiter: false

I see data getting in, but I get this message:

While retrieving data for this widget, the following error(s) occurred:
Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].

When I look at /var/log/graylog-server/server.log it shows:

2024-04-26T20:32:12.759Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-01.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #244).
2024-04-26T20:32:38.426Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-03.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #235).
2024-04-26T20:32:42.787Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-02.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #245).

2. Describe your environment:

  • OS Information:
root@graylog:/etc/graylog/server# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.4 LTS
Release:	22.04
Codename:	jammy
  • Package Version:
graylog-5.1-repository                 1-2      
graylog-server                         5.1.13-1 
mongodb-database-tools                 100.9.4  
mongodb-mongosh                        2.2.5    
mongodb-org                            6.0.15   
mongodb-org-database                   6.0.15   
mongodb-org-database-tools-extra       6.0.15   
mongodb-org-mongos                     6.0.15   
mongodb-org-server                     6.0.15   
mongodb-org-shell                      6.0.15   
mongodb-org-tools                      6.0.15   
  • Service logs, configurations, and environment variables:
    server.conf:
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = password_secret
root_username = admin
root_password_sha2 = root_password
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 0.0.0.0:9000
stream_aware_field_types=false
elasticsearch_hosts = https://graylog:passwd!@wazuh-indexer-01.home.lab:9200,https://graylog:passwd!@wazuh-indexer-02.home.lab:9200,https://graylog:passwd!@wazuh-indexer-03.home.lab:9200
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Point out where the error is; I have no clue where the problem could be.
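A small triage helper for the server.log warnings quoted above, added here as an example (it is not code from the thread or from Graylog): it pulls the timestamp, target indexer host, HTTP status and retry attempt out of each "Caught exception during bulk indexing" line and summarises them per host, which makes it easy to see whether one indexer node or the whole cluster is affected. The sample input is the three warning lines from the post; the regex assumes the message layout shown there.

```python
"""Parse Graylog bulk-indexing warnings and summarise them per indexer host.
Added example, not from the thread; the log format assumed is the one quoted
in the post (Graylog 5.1 server.log)."""
import re
from collections import defaultdict

# Matches: <ts> WARN [Messages] Caught exception during bulk indexing: ...
#          host=<url>, response=HTTP/1.1 <status> ... retrying (attempt #<n>)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+WARN\s+\[Messages\] Caught exception during bulk indexing: "
    r".*?host=(?P<host>https?://[^,\]}]+)"
    r".*?response=HTTP/1\.1 (?P<status>\d{3})"
    r".*?retrying \(attempt #(?P<attempt>\d+)\)"
)

# The three warning lines quoted in the post.
SAMPLE_LOG = """\
2024-04-26T20:32:12.759Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-01.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #244).
2024-04-26T20:32:38.426Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-03.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #235).
2024-04-26T20:32:42.787Z WARN  [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=https://wazuh-indexer-02.home.lab:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #245).
"""


def parse_bulk_warnings(text):
    """Return one dict per matching warning line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "status": int(m.group("status")),
            "attempt": int(m.group("attempt")),
        })
    return events


def summarize(events):
    """Per host: number of warnings, highest retry attempt, HTTP statuses seen."""
    per_host = defaultdict(lambda: {"count": 0, "max_attempt": 0, "statuses": set()})
    for e in events:
        s = per_host[e["host"]]
        s["count"] += 1
        s["max_attempt"] = max(s["max_attempt"], e["attempt"])
        s["statuses"].add(e["status"])
    return dict(per_host)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/graylog-server/server.log").read()
    for host, s in sorted(summarize(parse_bulk_warnings(SAMPLE_LOG)).items()):
        print(f"{host}: {s['count']} warnings, max attempt {s['max_attempt']}, "
              f"statuses {sorted(s['statuses'])}")
```

On the quoted lines the summary shows all three indexer nodes answering HTTP 200 to the bulk request while Graylog still fails to parse the body, with retry counters above 230 on every node, so the problem is not confined to a single indexer.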

Hey @csilvag

I believe that is a mapping issue.
What is your configuration for sending logs, and what input are you using?
I know by default Wazuh uses port 5044.

When Installing Wazuh Manager there are components for FileBeat. Have you tried that?

Not sure what you're asking.
This is my fluent-bit conf:

[INPUT]
    Name              tail
    Path              /var/ossec/logs/alerts/alerts.json
    Tag               wazuh
    Parser            json
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    # filesystem buffering also needs storage.path set in the [SERVICE] section
    storage.type      filesystem
    Mem_Buf_Limit     512MB
    # Read interval (sec) Default: 1
    # interval_sec 1
[OUTPUT]
    Name              tcp
    Match             wazuh
    Host              graylog.home.lab
    Port              5555
    net.keepalive     off
    Format            json_lines
    # json_date_key is the NAME of the date field, not a boolean; the value
    # "true" is what produced the "true":1714156427.769206 field in the journal
    json_date_key     date

And I'm getting the logs in Graylog:

csilva@graylog:/var/lib/graylog-server/journal/messagejournal-0$ tail -f 00000000000000000000.log 
1??V?$?1??1
r?1?$?V?!Sb?**
raw#{"source":{"charset_name":"UTF-8"}}2B
$c1855dd7-9751-4755-9c52-5faa586f994c662bef1e49962b1e999de4b9:

??(??B?{"true":1714156427.769206,"timestamp":"2024-04-26T18:33:47.638+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":9,"mail":false,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1714156427.670500","full_log":"Apr 26 18:33:45 wazuh-server su: pam_unix(su:session): session closed for user root","predecoder":{"program_name":"su","timestamp":"Apr 26 18:33:45","hostname":"wazuh-server"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"/var/log/auth.log"}H??1=?r1@??V?$?1??@1r?1?$?V?!Tb?**
raw#{"source":{"charset_name":"UTF-8"}}2B
$c1855dd7-9751-4755-9c52-5faa586f994c662bef1e49962b1e999de4b9:

But in the Graylog web UI, I cannot see it properly.

best regards
Cristian
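To check the Fluent-bit → Graylog leg on its own, the following is an added example (not code from the thread, Fluent Bit or Graylog) that builds the same newline-delimited JSON that Fluent Bit's json_lines format emits, including the epoch date field whose name is controlled by json_date_key, validates it, and pushes it straight to the raw TCP input on port 5555. It assumes the input accepts one JSON object per line; the sample alert is constructed to match the shape of the Wazuh record in the journal dump above, and the host name is the one from the conf.

```python
"""Emulate Fluent Bit json_lines output and send it to a Graylog raw TCP input.
Added example, not from the thread. Assumptions: Graylog's raw/plaintext TCP
input on port 5555 (from the thread), newline-delimited JSON, one object per
line; date field name and value mirror Fluent Bit's json_date_key/double format."""
import json
import socket
import time

# Constructed sample, shaped like the Wazuh alerts.json record in the thread.
SAMPLE_ALERT = {
    "timestamp": "2024-04-26T18:33:47.638+0000",
    "rule": {"level": 3, "description": "PAM: Login session closed.", "id": "5502"},
    "agent": {"id": "000", "name": "wazuh-server"},
    "full_log": "Apr 26 18:33:45 wazuh-server su: pam_unix(su:session): "
                "session closed for user root",
    "location": "/var/log/auth.log",
}


def to_json_lines(records, date_key="date", now=None):
    """Render records as newline-delimited JSON with an epoch-seconds date
    field under `date_key`, the way Fluent Bit's json_lines format does.
    date_key="true" reproduces the '"true":1714156427.769206' field from the
    thread's journal dump (json_date_key was set to the literal 'true')."""
    ts = time.time() if now is None else now
    lines = []
    for rec in records:
        out = {date_key: ts}
        out.update(rec)
        lines.append(json.dumps(out, separators=(",", ":")) + "\n")
    return "".join(lines)


def check_json_lines(payload):
    """Parse every non-empty line as a JSON object; raise on anything else.
    Returns the list of parsed objects, so the payload can be inspected before
    it is sent."""
    objs = []
    for n, line in enumerate(payload.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        if not isinstance(obj, dict):
            raise ValueError(f"line {n}: not a JSON object")
        objs.append(obj)
    return objs


def send_json_lines(host, port, payload, timeout=5.0):
    """Send the validated payload to the Graylog TCP input; returns bytes sent."""
    check_json_lines(payload)
    data = payload.encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


if __name__ == "__main__":
    payload = to_json_lines([SAMPLE_ALERT])
    print(payload, end="")
    # Uncomment to push the sample into the input from the thread:
    # send_json_lines("graylog.home.lab", 5555, payload)
```

If a record sent this way shows up in the Graylog search with the expected fields, the TCP input and the json_lines framing are fine and the remaining problem sits on the Graylog → indexer side.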

Hey

That is an index mapping issue.

What input are you using?
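The reply above points at the index mapping. One way to inspect it, as an added example that is not code from the thread, Graylog or Wazuh: fetch the mapping of every index under the graylog prefix from server.conf and report fields that are mapped with different types in different indices, which is the usual shape of a mapping conflict. It assumes the indexer answers the standard GET /<pattern>/_mapping API over HTTPS; the URL, user, password and CA file are placeholders, and the sample mapping is constructed for the offline run.

```python
"""List field types across Graylog indices and flag per-field type conflicts.
Added example, not from the thread. Assumptions: standard /_mapping API,
index prefix 'graylog' (from the thread's server.conf), placeholder
credentials and CA file."""
import base64
import json
import ssl
import urllib.request
from collections import defaultdict


def fetch_mapping(base_url, index_pattern="graylog_*", user=None, password=None, cafile=None):
    """GET <base_url>/<index_pattern>/_mapping and return the decoded JSON."""
    req = urllib.request.Request(f"{base_url}/{index_pattern}/_mapping")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    # TLS verification stays on; hand over the lab CA instead of disabling it
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def flatten_properties(props, prefix=""):
    """Walk a mapping 'properties' tree yielding (dotted.field, type)."""
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:
            yield from flatten_properties(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")


def index_properties(body):
    """Return the 'properties' of one index; also accepts the legacy typed
    layout {"mappings": {"<type>": {"properties": ...}}}."""
    mappings = body.get("mappings", {})
    props = mappings.get("properties")
    if props is None:
        props = {}
        for sub in mappings.values():
            if isinstance(sub, dict):
                props.update(sub.get("properties", {}))
    return props


def field_types(mapping):
    """field -> set of types seen across all indices in the response."""
    types = defaultdict(set)
    for _index, body in mapping.items():
        for field, ftype in flatten_properties(index_properties(body)):
            types[field].add(ftype)
    return dict(types)


def conflicts(mapping):
    """Fields whose type differs between indices (sorted type list per field)."""
    return {f: sorted(t) for f, t in field_types(mapping).items() if len(t) > 1}


# Constructed sample response: rule.level is long in one index, keyword in the other.
SAMPLE_MAPPING = {
    "graylog_0": {"mappings": {"properties": {
        "message": {"type": "text"},
        "timestamp": {"type": "date"},
        "rule": {"properties": {"level": {"type": "long"}, "id": {"type": "keyword"}}},
    }}},
    "graylog_1": {"mappings": {"properties": {
        "message": {"type": "text"},
        "timestamp": {"type": "date"},
        "rule": {"properties": {"level": {"type": "keyword"}, "id": {"type": "keyword"}}},
    }}},
}


if __name__ == "__main__":
    # mapping = fetch_mapping("https://wazuh-indexer-01.home.lab:9200",
    #                         user="graylog", password="<password>", cafile="<ca.pem>")
    mapping = SAMPLE_MAPPING
    for field, types in sorted(conflicts(mapping).items()):
        print(f"conflict: {field} -> {types}")
```

Run against the live cluster, an empty conflict list means the indices agree with each other and the cause has to be looked for elsewhere; a non-empty list names the fields whose type changed between index rotations.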