# Wazuh - Filebeat configuration file

# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false


# Send events directly to Elasticsearch
output.elasticsearch:
  hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}

{% if filebeat_xpack_security %}
  username: {{ elasticsearch_xpack_security_user }}
  password: {{ elasticsearch_xpack_security_password }}
  protocol: https
{% if generate_CA == true %}
  ssl.certificate_authorities: 
    - {{node_certs_destination}}/ca.crt
{% elif generate_CA == false %}
  ssl.certificate_authorities:
    - {{node_certs_destination}}/{{ca_cert_name}}
{% endif %}

  ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" 
  ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
{% endif %}

# Optional. Send events to Logstash instead of Elasticsearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]