I believe I have successfully integrated Wazuh ↔ Graylog however, it seems that since the integration, I no longer get visualization within the Wazuh Dashboard. I suspect it may be because I am sending the data to graylog via fluent-bit but I don’t know enough to know this for sure.
Has anyone else integrated Wazuh and Graylog and then lost Wazuh visualization? Has anyone lost Wazuh visualization without Graylog? Has anyone integrated the two and everything is fine and dandy?
Thank you!
Credit: I followed this article to start the integration: Wazuh 4.4 / Graylog, and this: The original article, and then hours of Google-foo to resolve the cert issues.
Same problem here but I wasn’t following the soc-fortress guide. After modifying Wazuh to issue certificates with SAN, I was able to get past the same certificate issues you mention. But I get the " * Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section]." in Graylog. If I change the option in Wazuh as recommended by SOCfortress then I lose all visualizations within Wazuh.
Between here and the Opensearch forum I’ve seen a few people trying Wazuh/Graylog. A lot of issues with security configurations, etc… From what I understand, Wazuh acts like Elasticsearch? I haven’t tried it yet, but I will in a few to see if I can get it to work with Graylog. Right now I’m working on Opentelemetry, Data prepper, Fluent-bit, etc… for security analysis. You may be right about the incompatibility, Graylog pretty much controls the flow.
Hey @gsmith! hope all is well. Yeah life has been busy to say the least haha
With respect to the issue at hand, here is what I found digging around:
Always great content, however I’m not sure if you’re aware Taylor but if you are trying to use Graylog ingestion and indices and expect to use the Wazuh dashboard for alerts it doesn’t work. It breaks absolutely everything. Graylog secretly changes all the key pair fields to use an underscore whereas Wazuh uses a dot in field names… – Basically - Graylog does not allow “.” characters in field names since version 2.0 of Elastic… Support has been restored since version 5.0. - However, Wazuh is using forked Opensearch and they haven’t changed this yet…
For compatibility, Graylog replaces “.” with “_” silently - it doesn’t matter what you put in your extractor… So Wazuh (OpenSearch 2.4.1 which I have… confirmed) expects their fields to have a “.” in them… So if you ingest your agent logs to Graylog - via Fluent-bit and connect it back to Wazuh Indexer (Opensearch 2.4.1 for Wazuh 4.4.0) the fields all have _ as the key separators in each field… So rule.id becomes rule_id and manager.name becomes manager_name - Wazuh dashboard becomes useless and doesn’t display anything… This may not be a problem if you don’t plan to use the Wazuh Dashboard for alerts and events like if you are using Grafana…
I am hopeful that Graylog can implement some kind of feature flag for compatibility with Wazuh-indexer. It makes for an awesome stack that way. Has anyone opened up a GitHub issue regarding this?
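To confirm the dot-versus-underscore mismatch described above on your own data, here is an added diagnostic script (not code from this thread, from Graylog or from Wazuh): it takes one alert document as read back from the indexer, reports which dashboard fields are intact, flattened to underscores, or absent, and rebuilds the nested form for the known paths. The field list and the sample alert are constructed for illustration and are not the complete Wazuh schema.

```python
# Constructed, illustrative subset of the dotted fields the Wazuh dashboard
# queries on wazuh-alerts-*; the real mapping has many more (assumption).
WAZUH_FIELDS = ["timestamp", "rule.id", "rule.level", "rule.description",
                "agent.id", "agent.name", "manager.name"]

# Constructed sample of an alert after a Graylog -> Fluent-bit round trip,
# where every "." in a key has been replaced by "_".
FLATTENED_ALERT = {
    "timestamp": "2023-06-01T12:00:00.000Z",
    "rule_id": "5710", "rule_level": 5,
    "rule_description": "sshd: Attempt to login using a non-existent user",
    "agent_id": "001", "agent_name": "web01", "manager_name": "wazuh-manager",
}


def get_path(doc, dotted):
    """Resolve a dotted path as a nested object or as a literal dotted key."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def audit_fields(doc, fields=WAZUH_FIELDS):
    """Classify each expected field as 'ok', 'flattened' or 'missing'."""
    report = {}
    for f in fields:
        if get_path(doc, f) is not None:
            report[f] = "ok"
        elif f.replace(".", "_") in doc:
            report[f] = "flattened"  # present, but under Graylog's underscore name
        else:
            report[f] = "missing"
    return report


def restore_dotted(doc, fields=WAZUH_FIELDS):
    """Return a copy where known underscore keys are rebuilt as nested objects."""
    out = dict(doc)
    for f in fields:
        flat = f.replace(".", "_")
        if "." not in f or flat not in out or get_path(out, f) is not None:
            continue
        *parents, leaf = f.split(".")
        cur = out
        for p in parents:
            cur = cur.setdefault(p, {})
            if not isinstance(cur, dict):  # a scalar already sits on this path
                break
        else:
            cur[leaf] = out.pop(flat)
    return out
```

Running `audit_fields` on a document pulled from the wazuh-alerts index shows quickly whether the dashboard's field names survived ingestion; `restore_dotted` only demonstrates the mapping, it does not change what the indexer has stored.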