Unknown Key in Elasticsearch Template (elastic stack 8.3.3)

elastic stack(filebeat,elasticsearch,kibana,elastic-agent,logstash) => 8.3.3
OS: Ubuntu 22.04
Agents: linux base
I wanted to run Wazuh manager with Elastic 8.3.3. The Wazuh plugin can't be installed with Elastic, so I made custom changes in the Filebeat configuration file. Everything is OK, but I can't see any data in the Discover section, and I see an error in the Filebeat log.
My Wazuh manager is seed log and its status is running.

command: filebeat setup

// filebeat log
Exiting: error loading template: failed to load template: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}. Response body: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}
// end log 

filebeat config :


output.elasticsearch:
  hosts: ["172.16.103.74:9200"]
  username: "beats_system"
  password: "Jzbi95h7Vp7FTd%"
  protocol: https
  ssl.verification_mode: certificate
  ssl.certificate_authorities:  /etc/logstash/certs/ca_1685533466292.crt

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false


logging.metrics.enabled: false

logging.level: debug

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

**wazuh-template.json**

{
  "order": 0,
  "index_patterns": [
    "wazuh-alerts-4.x-*",
    "wazuh-archives-4.x-*"
  ],
  "settings": {
    "index.refresh_interval": "5s",
    "index.number_of_shards": "3",
    "index.number_of_replicas": "0",
    "index.auto_expand_replicas": "0-1",
    "index.mapping.total_fields.limit": 10000,
    "index.query.default_field": [
				*
				*
				*
				*
  "version": 1
}

filebeat test output

elasticsearch: https://172.16.103.74:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.16.103.74
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.3.3

But I don't receive the Wazuh logs, I just get the Filebeat log.

Hello,

Wazuh is a third-party tool and it is not supported here; any issue with templates from Wazuh you need to check with the Wazuh community.

But from what you shared, this template is using the legacy format that used the _template endpoint, which is deprecated, and if I'm not wrong, Filebeat will use the _index_template endpoint.

You will need to load your template manually and not using Filebeat.

You are receiving the Wazuh logs, the full_log field comes from Wazuh, you are just not parsing it, you will need to load the Wazuh ingest pipeline manually as well.

But as I said, you need to check with the Wazuh community.
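The reply above pins the failure on the template format: Filebeat 8 pushes the file named in `setup.template.json.path` to `_index_template`, whose strict parser rejects legacy-only top-level keys such as `order` (the `[1:2] unknown field [order]` in the log is the first such key it meets). The Python below is an added example for this thread, not code from Elastic, Filebeat or Wazuh: it reports which top-level keys of a legacy body the composable endpoint will reject, rewrites the body into the composable shape (`settings`/`mappings`/`aliases` nested under `template`, `order` mapped to `priority`), and builds the request you would send by hand. The sample template is constructed from the settings posted above with a placeholder `full_log` default field, and the accepted-key set is the Elasticsearch 8.x composable index template schema as assumed here; check it against your cluster's version.

```python
"""Convert a legacy Elasticsearch template body (PUT _template, deprecated)
into a composable index template body (PUT _index_template) and flag the
top-level keys that Elasticsearch 8 rejects with x_content_parse_exception.

Added example for this thread; LEGACY_TEMPLATE is constructed from the
settings shown in the original post and is not the Wazuh project's file.
"""
import json
from typing import Any, Dict, List, Tuple

# Top-level keys accepted by PUT _index_template in Elasticsearch 8.x
# (assumption for this example; verify against your cluster's docs).
COMPOSABLE_TOP_LEVEL = {
    "index_patterns", "template", "composed_of", "priority",
    "version", "_meta", "data_stream", "allow_auto_create",
}
# Legacy keys that move into the nested "template" object.
TEMPLATE_BODY_KEYS = ("settings", "mappings", "aliases")

# Constructed sample modelled on the legacy template in the thread; the real
# "index.query.default_field" list is much longer (placeholder here).
LEGACY_TEMPLATE: Dict[str, Any] = {
    "order": 0,
    "index_patterns": ["wazuh-alerts-4.x-*", "wazuh-archives-4.x-*"],
    "settings": {
        "index.refresh_interval": "5s",
        "index.number_of_shards": "3",
        "index.number_of_replicas": "0",
        "index.auto_expand_replicas": "0-1",
        "index.mapping.total_fields.limit": 10000,
        "index.query.default_field": ["full_log"],
    },
    "version": 1,
}


def find_rejected_fields(body: Dict[str, Any]) -> List[str]:
    """Top-level keys the composable endpoint would report as unknown.

    Elasticsearch stops at the first one, so fixing only "order" would
    surface "settings" next; this lists all of them at once.
    """
    return sorted(k for k in body if k not in COMPOSABLE_TOP_LEVEL)


def to_composable(legacy: Dict[str, Any]) -> Dict[str, Any]:
    """Rewrite a legacy template body as a composable index template body."""
    if "index_patterns" not in legacy:
        raise ValueError("legacy template has no index_patterns")
    composable: Dict[str, Any] = {"index_patterns": list(legacy["index_patterns"])}
    nested = {k: legacy[k] for k in TEMPLATE_BODY_KEYS if k in legacy}
    if nested:
        composable["template"] = nested
    # Legacy "order" decides merge precedence between overlapping templates;
    # composable templates use "priority" (highest wins, and two templates
    # matching the same index pattern must not share a priority).
    if "order" in legacy:
        composable["priority"] = int(legacy["order"])
    if "version" in legacy:
        composable["version"] = legacy["version"]
    handled = {"index_patterns", "order", "version", *TEMPLATE_BODY_KEYS}
    leftover = sorted(set(legacy) - handled)
    if leftover:
        # Refuse to guess: anything else needs a human decision.
        raise ValueError(f"unhandled legacy fields: {leftover}")
    return composable


def build_put_request(name: str, body: Dict[str, Any]) -> Tuple[str, str, str]:
    """(method, path, json) for loading the converted template manually."""
    return "PUT", f"/_index_template/{name}", json.dumps(body, indent=2)


if __name__ == "__main__":
    print("rejected by _index_template:", find_rejected_fields(LEGACY_TEMPLATE))
    method, path, payload = build_put_request("wazuh", to_composable(LEGACY_TEMPLATE))
    print(method, path)
    print(payload)
```

Running it shows that both `order` and `settings` are rejected at the top level, which is why removing `order` alone does not fix the 400; the converted body can then be sent with `curl -X PUT` against `/_index_template/wazuh` while `setup.template.enabled` is turned off in Filebeat, as the reply recommends.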

Hello, I wanted to combine the Ansible tool with Elastic Security and not use Wazuh. Is it possible? Is it hard?

It is not clear what you mean or what you want to do. Ansible is an automation tool; it has nothing to do with Wazuh or Elastic Security.

Can you provide more context?

My problem was solved. I changed the version to 7.17 Elastic Security and installed the Wazuh plugin. Thank you for your guidance.
