Logs not receiving on Graylog via Wazuh Manager (fluent-bit)


1. Describe your incident:

Hello Community,

I’m doing my Internal SOC project to build SIEM stacks using open-source tools and I decided to use Graylog as part of log aggregation. However, I also use Wazuh Manager to collect logs from the endpoint and would be forwarding those logs using fluent-bit to Graylog. But I got an error on Graylog as shown below:

While retrieving data for this widget, the following error(s) occurred:

  • Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].

2. Describe your environment:

  • OS Information: Debian 11

  • Package Version: 5.1

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?


Can you try removing “compatibility.override_main_response_version: true” from “/etc/wazuh-indexer/opensearch.yml” and restart the wazuh indexer and graylog?

That fixed it for me.
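The fix above is a one-line removal from the indexer config followed by a restart. The script below is an added example (not from this thread or from Wazuh/Graylog) that performs that removal safely: it looks for the key, keeps a `.bak` copy before editing, and reports whether anything changed. The sample config it edits is constructed inline; the real file path on a Wazuh indexer host is the `/etc/wazuh-indexer/opensearch.yml` mentioned in the reply, and the restart commands are left as comments because their exact unit names are an assumption.

```shell
#!/bin/sh
# Added example: strip compatibility.override_main_response_version from an
# opensearch.yml and say whether the file changed. Not part of the thread.

KEY="compatibility.override_main_response_version"

# has_override FILE: exit 0 if FILE still sets $KEY, 1 otherwise.
has_override() {
    grep -q "^[[:space:]]*${KEY}[[:space:]]*:" "$1"
}

# strip_override FILE: delete every line that sets $KEY, keeping FILE.bak.
# Returns 0 if the key was present and removed, 1 if there was nothing to do.
# Uses a temp file instead of sed -i so it also works with POSIX sed.
strip_override() {
    file="$1"
    if ! has_override "$file"; then
        return 1
    fi
    cp "$file" "$file.bak"
    sed "/^[[:space:]]*${KEY}[[:space:]]*:/d" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed sample config for a dry run. On a real host, point SAMPLE at
# /etc/wazuh-indexer/opensearch.yml instead (assumed path from the thread).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
network.host: "0.0.0.0"
node.name: "node-1"
compatibility.override_main_response_version: true
plugins.security.ssl.http.enabled: true
EOF

if strip_override "$SAMPLE"; then
    echo "removed ${KEY} from ${SAMPLE} (backup at ${SAMPLE}.bak)"
    # After editing the real file, restart both services; unit names assumed:
    # systemctl restart wazuh-indexer && systemctl restart graylog-server
else
    echo "${KEY} not present in ${SAMPLE}; nothing to do"
fi
```

Keep the `.bak` copy until Filebeat ingestion has been checked: as noted later in the thread, Filebeat can stop ingesting once this setting is gone, so being able to restore the previous config quickly is worth the extra file.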

Hello Kris,
Thanks a lot! It’s working.

Hi,

How is it going in general for the Wazuh and Graylog setup?
I am also running into other problems.

For example: Wazuh dashboards are created based on field names with a dot separator and Graylog does not support this currently. Graylog replaces the dot from the JSON extractor before it forwards it into the OpenSearch index.

Also, removing the “compatibility.override_main_response_version: true” option from the wazuh-indexer breaks the Filebeat ingestion. A combination of Filebeat for Wazuh alerts and Graylog for other inputs seems not possible at the moment.

Regards,
Kris

Hello Kris,

I am using fluent-bit to forward logs. I am following the blog below to set up the SOC.

Currently I am facing Wazuh API connection error.

INFO: No current API selected
INFO: Getting API hosts…
INFO: API hosts found: 1
INFO: Checking API host id [default]…
INFO: Could not connect to API id [default]: 3099 - ERROR3099 - Wazuh not ready yet
INFO: Removed [navigate] cookie
ERROR: No API available to connect

Regards,
Parag
