ELK 6.5.4


(denis B.) #1

Hello everybody,
My objective is to facilitate and customize the display of alerts (format the date, recover the real PID of the log before transformation, etc.).
In early January 2019, installation of Docker ELK 6.5.4 (Wazuh, Logstash, Elasticsearch, Nginx HTTPS and Kibana).
Wazuh agent installed on the monitored machines (Ubuntu, Windows...).
Launch of the supervisor with Docker Compose.
Kibana is operational and the logs come up as well.
Alerts are visible in the Kibana interface.
From Discover, then from the filter, then clicking on the Start button of the log, two sub-columns appear (Table and JSON).
Is it possible to change one of these tables in a way that would allow you to customize the view?
It seems to me that with a filter created and integrated in logstash.yml, I can customize formats such as "@timestamp", etc.
What is the way to display alerts in the Kibana interface with the least manipulation possible and optimized, for example?
The same goes for the integrity logs.
Thank you


(Chris Cowan) #2

In the discover interface if you expand one of the row items there are three icons next to the fields

Click on the third icon from the left, which looks like a box split in two, to add that field as a column. You can remove them by hovering over the field header in the table and clicking the x.


(denis B.) #3

Thank you for this information; this is already what I have tried, and it does not fully answer what I would like.

By adding in logstash.conf the "grok" filter as follows, and in the Kibana config "wazuh-elastic6-template-alerts.json" (modified "order": 0, + "template": "Alerts-X-*"), could this allow me to display custom views?

grok {
  # Literal '[' and ']' are escaped so they are not read as regex character classes,
  # and the whole pattern is one string: a line break inside the quotes would become part of the regex.
  match => ["message", "\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{DATA:loglevel}%{SPACE}\]\[%{DATA:source}%{SPACE}\]\[%{DATA:node}\]%{SPACE}\[%{DATA:syslog_program}%{SPACE}\]\[%{POSINT:syslog_pid}\]%{SPACE}\[%{DATA:index}\]%{NOTSPACE}\[%{DATA:updated-type}\]\[%{NOTSPACE:Index}\]\[%{NUMBER:shards}\]"]
}

Thanks!

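As an added example (not code from the thread, Wazuh or Logstash), the following Python dry run shows what the grok approach in post #3 does to a line before it reaches Kibana: the bracketed fields are captured, the ES-style timestamp is converted into @timestamp, and the PID is kept as a number. The grok pattern table is a hand-written approximation of a few library entries, the log line is constructed, and field names and the UTC assumption are mine.

```python
import re
from datetime import datetime

# Hand-written approximations of a few entries from Logstash's bundled grok
# pattern library (assumption: simplified, not the real definitions).
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}(?::?\d{2})?)?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)",
    "DATA": r".*?",
    "SPACE": r"\s*",
    "POSINT": r"\b[1-9][0-9]*\b",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} tokens into Python named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        if field is None:
            return f"(?:{body})"
        # Python group names cannot contain '-', so 'updated-type' would become 'updated_type'.
        return f"(?P<{field.replace('-', '_')}>{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::([\w.@-]+))?\}", expand, pattern))

# Same shape as the pattern posted in the thread, with every literal '[' and ']'
# escaped so the regex engine does not read them as character classes.
LOG_PATTERN = grok_to_regex(
    r"\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:loglevel}%{SPACE}\]"
    r"\[%{DATA:source}%{SPACE}\] \[%{DATA:node}\] "
    r"\[%{DATA:syslog_program}\]\[%{POSINT:syslog_pid}\] %{GREEDYDATA:msg}"
)

def parse_line(line):
    """Mimic grok + date + mutate; on no match, tag the event the way Logstash does."""
    m = LOG_PATTERN.match(line)
    if m is None:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    # date filter equivalent: "2019-01-10T10:12:13,456" -> @timestamp (timezone assumed UTC)
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S,%f")
    event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # mutate convert equivalent: keep the PID numeric so Kibana can sort and filter on it
    event["syslog_pid"] = int(event["syslog_pid"])
    return event

# Constructed sample line in the format the pattern expects (not a real log).
SAMPLE = ("[2019-01-10T10:12:13,456][INFO ][o.e.n.Node] [node-1] "
          "[ossec-syscheckd][1234] Starting syscheck scan.")

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```

Running the pattern this way before putting it into logstash.conf shows immediately whether a line matches or would land in Kibana with the _grokparsefailure tag.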

(system) closed #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.