Logs not receiving on Graylog via Wazuh Manager (fluent-bit)

parag.mk · December 4, 2023, 5:52am

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

Hello Community,

I’m doing my Internal SOC project to build SIEM stacks using open-source tools and I decided to use Graylog as part of log aggregation. However, I also use Wazuh Manager to collects logs from the endpoint and would be forwarding those logs using fluent-bit to Graylog. But, I got an error on graylog as shows below:

While retrieving data for this widget, the following error(s) occurred:

Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].

2. Describe your environment:

OS Information: Debian 11
Package Version: 5.1
Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

krisbogaerts · December 11, 2023, 8:23pm

Can you try removing “compatibility.override_main_response_version: true” from “/etc/wazuh-indexer/opensearch.yml” and restart the wazuh indexer and graylog?

That fixed it for me.

parag.mk · December 12, 2023, 10:29am

Hello Kris,
Thanks a lot!, its working.

krisbogaerts · December 13, 2023, 8:26am

Hi,

How is it going in general for the Wazuh and Graylog setup?
I am also running into other problems.

For example: Wazuh dashboard are created based on field names with a dot separator and Graylog does not supports this currently. Graylog replaces the dot from the json extractor before it forwards in into the Opensearch index.

github.com/Graylog2/graylog2-server

Add option to not replace "." with "_" in field names

Graylog2:master ← teapot9:replace-dots

opened 01:08PM - 13 Apr 23 UTC

teapot9

+69 -3

## Motivation and Context Elasticsearch does not allow "." characters in …field names since version 2.0. Support has been restored since version 5.0. For compatibility, graylog replaces "." with "_". However, when Elasticsearch >= 5.0 is used, this is unnecessary. For instance, Wazuh Indexer from the Wazuh project is forked from Opensearch 1.3. The character replacement causes issues with Wazuh, as the Dashboard expects dots as separator in the field name. Closes: https://github.com/Graylog2/graylog2-server/issues/4583 Closes: https://github.com/Graylog2/graylog2-server/issues/6588 Closes: https://github.com/Graylog2/graylog2-server/issues/13043 Closes: https://github.com/Graylog2/graylog2-server/issues/14901 Bug: https://github.com/elastic/elasticsearch/issues/19443 ## Description This adds the option `replace_dots_in_field_names` to revert this behavior and allow the use of ".". The replacement is enabled by default for compatibility with existing graylog configurations. The extractor configuration in the web interface has been modified to show a warning when the user inputs a "." in the "Key separator" field. ## How Has This Been Tested? I ran Graylog and checked the behavior when the option is configured: - replacement of `.` by `_` - warning if `.` present as key separator Added a test case where the option is set to `false` to check that dots are not replaced by underscores. ## Screenshots (if appropriate): ## Types of changes - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Refactoring (non-breaking change) - [ ] Breaking change (fix or feature that would cause existing functionality to change) ## Checklist: - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] I have read the **CONTRIBUTING** document. - [x] I have added tests to cover my changes.

Also when removing the “compatibility.override_main_response_version: true” option from the wazuh-indexer breaks the filebeat ingestion. A combination of filebeat for Wazuh alerts and Graylog for other inputs seems not possible on this moment.

Regards,
Kris

parag.mk · December 13, 2023, 11:40am

Hello Kris,

I am using fluent-bit to forward logs. I am following below blog to setup the SOC.

Currently I am facing Wazuh API connection error.

INFO: No current API selected
INFO: Getting API hosts…
INFO: API hosts found: 1
INFO: Checking API host id [default]…
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Wazuh not ready yet
INFO: Removed [navigate] cookie
ERROR: No API available to connect

Regards,
Parag

parag.mk · December 13, 2023, 11:41am

parag.mk · December 13, 2023, 11:41am

system · December 27, 2023, 11:42am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fluent-Bit log forwarding to Graylog Development	4	2505	July 6, 2023
Error Parsing Wazuh data Graylog Central (peer support)	4	126	August 3, 2024
Graylog <-Fluent-bit<-Wazuh: Graylog Central (peer support)	4	437	May 11, 2024
Graylog integration with Wazuh-Indexer: No More Visualization in Wazu Graylog Central (peer support)	7	5160	August 15, 2023
While retrieving data for this widget, the following error(s) occurred: Elasticsearch exception Graylog Central (peer support)	2	1936	February 13, 2023

Logs not receiving on Graylog via Wazuh Manager (fluent-bit)

Related topics