Unkown Key in Elasticsearch Template (elastic stack 8.3.3)

elastic stack(filebeat,elasticsearch,kibana,elastic-agent,logstash) => 8.3.3
OS: Ubuntu 22.04
Agents: linux base
I wanted to run Wazuh manager with Elastic 8.3.3, the Wazuh plugin can't be installed with elastic, I made custom changes in the filebeat configuration file, everything is ok, but I can't see any data in the Discover section, and I see an error in the filebeat log.
my wazuh manager is seed log and status is runing

command: filebeat setup

// filebeat log
Exiting: error loading template: failed to load template: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}. Response body: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}
// end log 

filebeat config :

  hosts: [""]
  username: "beats_system"
  password: "Jzbi95h7Vp7FTd%"
  protocol: https
  ssl.verification_mode: certificate
  ssl.certificate_authorities:  /etc/logstash/certs/ca_1685533466292.crt

  - module: wazuh
      enabled: true
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false

logging.metrics.enabled: false

logging.level: debug

  default_action: allow
  - action: allow
    - rseq

** wazuh-template.json**

  "order": 0,
  "index_patterns": [
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "3",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.mapping.total_fields.limit": 10000,
    "index.query.default_field": [
  "version": 1

filebeat test output

  parse url... OK
    parse host... OK
    dns lookup... OK
    dial up... OK
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.3.3

but not receive wazuh log just get filebeat log


Wazuh is a third-party tool and it is not supported here, any issue with templates from wazuh you need to check with the Wazuh community.

But from what you shared, this template is using the legacy format that used the _template endpoint, which is deprecated, and if I'm not wrong filebeat will use the _index_template endpoint.

You will need to load your template manually and not using filebeat.

You are receiving the Wazuh logs, the full_log field comes from Wazuh, you are just not parsing it, you will need to load the Wazuh ingest pipeline manually as well.

But as I said, you need to check with the Wazuh community.

Hello, I wanted to combine the ansible tool with elastic security, is it possible? is hard ?
and not use wazuh .

It is not clear what you mean or what you want to do, ansible is an automation tool, it has nothing to do with Wazuh or Elastic Security.

Can you provide more context?

My problem was solved. I changed the version to 7.17 elastic security and installed the wazuh plugin. Thank you for your guidance

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.