# Wazuh - Filebeat configuration file

# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false

# Send events directly to Opensearch
output.elasticsearch:
  hosts:
{% for item in filebeat_output_indexer_hosts %}
  - {{ item }}:9200
{% endfor %}

{% if filebeat_security %}
  username: {{ indexer_security_user }}
  password: {{ indexer_security_password }}
  protocol: https
  ssl.certificate_authorities:
    - {{ filebeat_ssl_dir }}/root-ca.pem
  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
{% endif %}

# Optional. Send events to Logstash instead of Opensearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]