Graylog integration with Wazuh-Indexer: No More Visualization in Wazuh

Wazuh 4.4
Graylog 5.1


I believe I have successfully integrated Wazuh ↔ Graylog however, it seems that since the integration, I no longer get visualization within the Wazuh Dashboard. I suspect it may be because I am sending the data to graylog via fluent-bit but I don’t know enough to know this for sure.

Has anyone else integrated Wazuh and Graylog and then lost Wazuh visualization? Has anyone lost Wazuh visualization without Graylog? Has anyone integrated the two and everything is fine and dandy?

Thank you!

Credit: I followed this article to start the integration: Wazuh 4.4 / Graylog, and this: The original article, and then hours of Google-foo to resolve the cert issues.

Same problem here but I wasn’t following the soc-fortress guide. After modifying Wazuh to issue certificates with SAN, I was able to get past the same certificate issues you mention. But I get the " * Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section]." in Graylog. If I change the option in Wazuh as recommended by SOCfortress then I lose all visualizations within Wazuh.

I haven’t found a solution yet.

Thank you for this. At the very least it seems we have the “cause”.

A little further digging seems to imply there is no solution; the setting makes Wazuh/Graylog fundamentally incompatible:

Hey @accidentaladmin

First, How ya doing man :wave:

Between here and the Opensearch forum I’ve seen a few people trying Wazuh/Graylog. A lot of issues with security configurations, etc… From what I understand, Wazuh acts like Elasticsearch? I haven’t tried it yet, but I will in a few to see if I can get it to work with Graylog. Right now I’m working on Opentelemetry, Data prepper, Fluent-bit, etc… for security analysis. You may be right about the incompatibility, Graylog pretty much controls the flow.

Hey @gsmith! hope all is well. Yeah life has been busy to say the least haha

With respect to the issue at hand, here is what I found digging around:

Always great content, however I’m not sure if you’re aware Taylor but if you are trying to use Graylog ingestion and indices and expect to use the Wazuh dashboard for alerts it doesn’t work. It breaks absolutely everything. Graylog secretly changes all the key pair fields to use an underscore whereas Wazuh uses a dot in field names… :cry: – Basically - Graylog does not allow “.” characters in field names since version 2.0 of Elastic… Support has been restored since version 5.0. - However, Wazuh is using forked Opensearch and they haven’t changed this yet…
For compatibility, Graylog replaces “.” with “_” silently - it doesn’t matter what you put in your extractor… So Wazuh (OpenSearch 2.4.1 which I have… confirmed) expects their fields to have a “.” in them… So if you ingest your agent logs to Graylog - via Fluent-bit and connect it back to Wazuh Indexer (Opensearch 2.4.1 for Wazuh 4.4.0) the fields all have _ as the key separators in each field… So becomes rule_id and becomes manager_name - Wazuh dashboard becomes useless and doesn’t display anything… This may not be a problem if you don’t plan to use the Wazuh DashBoard for alerts and events like if you are using Grafana…

Citation: Full Wazuh Install - The SOCFortress Way - YouTube

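As an added illustration (not code from this thread, nor from Graylog or Wazuh), here is a small Python model of the rename described in the quoted post: a constructed alert fragment using the dotted field names the Wazuh dashboard queries, the dot-to-underscore rewrite, a check for which expected fields are then missing, and a naive reverse mapping that shows why the rewrite cannot simply be undone once genuine underscores (full_log, rule.pci_dss) are in play. Field values are made up.

```python
"""Model of the Graylog field-name rewrite and its effect on Wazuh lookups.
Constructed example for this thread; not Graylog or Wazuh code."""
import json

# Constructed Wazuh alert fragment with the dotted keys the dashboard expects.
WAZUH_ALERT = {
    "rule.id": "5710",
    "rule.level": 5,
    "rule.pci_dss": ["10.2.4"],
    "manager.name": "wazuh-manager",
    "agent.name": "web01",
    "full_log": "sshd: invalid user admin from 198.51.100.7",
}

# A few of the dotted fields the dashboard visualizations filter on.
DASHBOARD_FIELDS = {"rule.id", "rule.level", "manager.name", "agent.name"}


def graylog_rewrite(doc):
    """Behaviour reported in the thread: every '.' in a key becomes '_'
    before the document reaches the indexer."""
    return {key.replace(".", "_"): value for key, value in doc.items()}


def missing_dashboard_fields(doc, expected=DASHBOARD_FIELDS):
    """Dotted fields the dashboard expects that are absent from doc."""
    return sorted(f for f in expected if f not in doc)


def naive_restore(doc):
    """Try to undo the rewrite by turning '_' back into '.'.  This is lossy:
    keys that legitimately contain '_' are corrupted too."""
    return {key.replace("_", "."): value for key, value in doc.items()}


def keys_lost_by_restore(original, restored):
    """Original keys that naive_restore fails to reproduce exactly."""
    return sorted(set(original) - set(restored))


if __name__ == "__main__":
    stored = graylog_rewrite(WAZUH_ALERT)
    print(json.dumps(stored, indent=2))
    print("missing for dashboard:", missing_dashboard_fields(stored))
    print("lost by naive restore:",
          keys_lost_by_restore(WAZUH_ALERT, naive_restore(stored)))
```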

Oh figured something was up. Thanks for the info :+1:

I am hopeful that Graylog can implement some kind of feature flag for compatibility with Wazuh-indexer. It makes for an awesome stack that way. Has anyone opened up a github issue regarding this?
