Wazuh SIEM + Winlogbeat

IvanYboa · December 20, 2021, 4:31pm

Hi!
I'm new at Elasticsearch and I'm implementing the SIEM Wazuh. The team of wazuh has their own agent to collect the logs, but in the company where I'm working want that some machines run the Wazuh agents and other machines run with Winlogbeat.
Currently the wazuh index work as expected, the problem is that I don´t know how to ingest and index the Winlogbeat logs (and work along with wazuh index). So my questions are next:

Do I need a single node for each type of logs (Winlogbeat and Wazuh)?
And how can I load this different kind of index in Kibana?
Thank you!

leandrojmp · December 31, 2021, 2:33pm

You can't mix the data from Winlogbeat with the data from Wazuh, they have different fields and mappings, so you need to use different indices, one for the data from wazuh agents and another one from the data from winlogbeat agents.

For winlogbeat can just follow the documentation and it will help you to create the dashboards and mappings so you are able to see the data in Kibana.

IvanYboa · January 7, 2022, 6:21pm

Thank you for the answer, so there is no problem if I collect the data from wazuh and winlogbeat in the same node?

As you say, I can't mix the data in the same index, so there is no problem if I ingest the two types of data in the same node?

system · February 4, 2022, 6:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash and filebeat SIEM	2	375	June 18, 2021
Filebeat to analyze xml logs Logs	9	745	October 4, 2023
Winlogbeat via Logstash into Elasticsearch Logstash	18	7711	July 22, 2017
Elastic SIEM for MSSP SIEM	7	2164	July 9, 2020
Split up indices based on? tags? Logstash	2	4194	November 17, 2017

Wazuh SIEM + Winlogbeat

Related Topics