Hey @gsmith! hope all is well. Yeah life has been busy to say the least haha
With respect to the issue at hand, here is what I found digging around:
Always great content, however I’m not sure if you’re aware Taylor but if you are trying to use Graylog ingestion and indices and expect to use the Wazuh dashboard for alerts it doesn’t work. It breaks absolutely everything. Graylog secretly changes all the key pair fields to use an underscore whereas Wazuh uses a dot in field names… – Basically - Graylog does not allow “.” characters in field names since version 2.0 of Elastic… Support has been restored since version 5.0. - However, Wazuh is using forked OpenSearch and they haven’t changed this yet…
For compatibility, Graylog replaces “.” with “_” silently - it doesn’t matter what you put in your extractor… So Wazuh (OpenSearch 2.4.1 which I have… confirmed) expects their fields to have a “.” in them… So if you ingest your agent logs to Graylog - via Fluent-bit and connect it back to Wazuh Indexer (OpenSearch 2.4.1 for Wazuh 4.4.0) the fields all have _ as the key separators in each field… So rule.id becomes rule_id and manager.name becomes manager_name - Wazuh dashboard becomes useless and doesn’t display anything… This may not be a problem if you don’t plan to use the Wazuh Dashboard for alerts and events like if you are using Grafana…
Citation: https://www.youtube.com/watch?v=ZO2KSLmB6vY&lc=Ugz_myahQHIEKBldA-B4AaABAg
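As an added example (not part of the post above or of any Wazuh or Graylog code), here is a small Python check a defender can run against a document pulled from the indexer to see whether the dotted field names the Wazuh dashboard expects have been replaced by the underscore form the quoted comment describes. It also shows why the rename cannot simply be undone: an underscore in the flattened key may have been a "." or a literal "_", so every underscore doubles the number of possible originals. `rule.id` and `manager.name` come from the post; `agent.name`, `data.win.eventdata` and the sample document values are constructed assumptions for illustration.

```python
"""Added example (not from the original post): detect whether an ingested
document has lost Wazuh's dotted field names to Graylog's '.' -> '_'
substitution, and show why the reverse mapping is ambiguous."""

# Fields the Wazuh dashboard is said to look up by their dotted names.
# rule.id and manager.name come from the post; the rest are assumed examples.
EXPECTED_DOTTED_FIELDS = (
    "rule.id",
    "manager.name",
    "agent.name",          # assumption
    "data.win.eventdata",  # assumption
)


def underscore_form(field: str) -> str:
    """Reproduce the substitution the post describes: every '.' becomes '_'."""
    return field.replace(".", "_")


def check_field_names(doc: dict, expected=EXPECTED_DOTTED_FIELDS) -> dict:
    """Classify each expected dotted field for one indexed document.

    Returns a dict mapping the dotted name to one of:
      'ok'       - present under its dotted name (dashboard will find it)
      'renamed'  - absent, but present under the underscore form
      'missing'  - absent in both forms
    """
    result = {}
    for field in expected:
        if field in doc:
            result[field] = "ok"
        elif underscore_form(field) in doc:
            result[field] = "renamed"
        else:
            result[field] = "missing"
    return result


def candidate_dotted_names(flat_key: str) -> list:
    """Enumerate every dotted name that collapses to flat_key under '.' -> '_'.

    Each '_' in the flattened key may originally have been a '.' or a
    literal underscore, so a key with n underscores has 2**n possible
    originals. This is why a blind reverse rename is not safe.
    """
    parts = flat_key.split("_")
    candidates = []
    for mask in range(1 << (len(parts) - 1)):
        name = parts[0]
        for i, part in enumerate(parts[1:]):
            name += ("." if mask & (1 << i) else "_") + part
        candidates.append(name)
    return sorted(candidates)


# Constructed sample: what an alert looks like after passing through Graylog.
SAMPLE_DOC_FROM_GRAYLOG = {
    "rule_id": "5710",
    "manager_name": "wazuh-manager",
    "agent_name": "web01",
    "timestamp": "2023-05-01T12:00:00Z",
}

if __name__ == "__main__":
    for field, state in check_field_names(SAMPLE_DOC_FROM_GRAYLOG).items():
        print(f"{field:22} {state}")
    # Four possible originals for a key with two underscores.
    print(candidate_dotted_names("data_win_eventdata"))
```

Running it against the constructed sample reports `rule.id`, `manager.name` and `agent.name` as `renamed` and `data.win.eventdata` as `missing`, which is the failure mode the comment describes: the data is in the index, just not under the names the dashboard queries. The practical fix is to keep the dashboard reading from an index Graylog has not rewritten, rather than trying to guess the dotted names back from the underscores.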