afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5d006cbc3a
wazuh-ansible-4.8.1/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2

67 lines
2.0 KiB
Django/Jinja
Executable File
Raw Blame History

# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true
processors:
- decode_json_fields:
fields: ['message']
process_array: true
max_depth: 200
target: ''
overwrite_keys: true
- drop_fields:
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- rename:
fields:
- from: "data.aws.sourceIPAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.srcip"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.win.eventdata.ipAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
#pipeline: geoip
indices:
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
{% if filebeat_xpack_security %}
username: {{ elasticsearch_xpack_security_user }}
password: {{ elasticsearch_xpack_security_password }}
protocol: https
ssl.certificate_authorities:
- {{node_certs_destination}}/ca.crt
ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
{% endif %}
# Optional. Send events to Logstash instead of Elasticsearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
Reference in New Issue View Git Blame Copy Permalink