Hi guys,
I recently configured the pipeline.json file to split my logs into multiple indices, but nobody has been able to answer my question yet. The question is: is it possible to send only the logs that were not separated to the default index (wazuh-alerts-*), and keep the already separated logs out of that index, so that there are no duplicates?
What I really want to do is:
- Separate my logs into different indexes.
- Use the default index only for logs that are not matched by any condition in the pipeline.json file, so that no duplicates are created.
Here is my pipeline.json file:
{
"date_index_name": {
"if": "ctx?.rule?.description == 'Proxy: Howlite event'",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}proxy-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.location == '/var/log/maillog' || ctx?.full_log?.contains('postfix')",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}mail-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.location == '/var/log/auth.log'",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}auth-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.location?.startsWith('/var/log/nginx/') || ctx?.location?.startsWith('/var/log/apache2/')",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}webserver-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.agent?.name == 'vm-zosma.dmzappli.lan' && (ctx?.location == '/var/log/messages' || ctx?.location == '/var/log/slapd-ltb/slapd.log') || ctx?.agent?.name == 'vm-denebola.dmzappli.lan' && (ctx?.location == '/var/log/messages' || ctx?.location == '/var/log/slapd-ltb/slapd.log')",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}ldap-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.location == '/var/log/syslog' && !(ctx?.rule?.description == 'Proxy: Howlite event' || ctx?.full_log?.contains('postfix'))",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}syslog-",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": true
}
},
{
"date_index_name": {
"if": "ctx?.agent?.name != '/var/log/syslog'",
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": false
}
},
Thanks