Wazuh SIEM + Winlogbeat

IvanYboa · December 20, 2021, 4:31pm

Hi!
I'm new at Elasticsearch and I'm implementing the SIEM Wazuh. The team of wazuh has their own agent to collect the logs, but in the company where I'm working want that some machines run the Wazuh agents and other machines run with Winlogbeat.
Currently the wazuh index work as expected, the problem is that I don´t know how to ingest and index the Winlogbeat logs (and work along with wazuh index). So my questions are next:

Do I need a single node for each type of logs (Winlogbeat and Wazuh)?
And how can I load this different kind of index in Kibana?
Thank you!

leandrojmp · December 31, 2021, 2:33pm

You can't mix the data from Winlogbeat with the data from Wazuh, they have different fields and mappings, so you need to use different indices, one for the data from wazuh agents and another one from the data from winlogbeat agents.

For winlogbeat can just follow the documentation and it will help you to create the dashboards and mappings so you are able to see the data in Kibana.

IvanYboa · January 7, 2022, 6:21pm

Thank you for the answer, so there is no problem if I collect the data from wazuh and winlogbeat in the same node?

As you say, I can't mix the data in the same index, so there is no problem if I ingest the two types of data in the same node?

system · February 4, 2022, 6:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash and filebeat SIEM	2	375	June 18, 2021
Filebeat to analyze xml logs Logs	9	754	October 4, 2023
Question on populating SIEM dashboard with winlogbeat data and Logstash SIEM	2	395	October 28, 2020
Duplicate content in indexes Logstash	5	692	June 12, 2018
Combine / Correlate different logs Kibana	3	821	October 9, 2017

Wazuh SIEM + Winlogbeat

Related topics