wazuh / wazuh-splunk

Wazuh - Splunk App
https://wazuh.com
GNU General Public License v2.0

Support for multiple indexes #690

Closed xkilian closed 5 years ago

xkilian commented 5 years ago

We have a case where multiple wazuh installations are present and would be displayed in the same wazuh-splunk app but user roles would determine which indexes they are allowed to see. As the Wazuh apps are in two different operating zones with different admins and services.

Can the wazuh-splunk app read multiple indexes coming from Wazuh installations. The current UI has a simple dropdown to "Select Index".

adri9valle commented 5 years ago

Hi @xkilian,

Yes, the Wazuh App for Splunk can read multiple indexes coming from different Wazuh installations. For this, you need to follow the steps below:

Configure the inputs.conf file


The inputs.conf must contain the file or script that will feed it; in this case it will be alerts.json. Also, you need to set the index name, which must be unique for each instance, and the sourcetype, which will always be wazuh.

Let's suppose that we have two Wazuh instances; then we need to configure the inputs.conf file on each Wazuh instance. You need to create this file at /opt/splunkforwarder/etc/system/local.

# inputs.conf on the first Wazuh manager
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = wazuh-1
sourcetype = wazuh

# inputs.conf on the second Wazuh manager
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = wazuh-2
sourcetype = wazuh

If you look at the previous configuration you can see that the content is the same except for the index name, wazuh-1 and wazuh-2.

Now the first instance will try to index the alerts in the wazuh-1 index and the second instance in the wazuh-2 index.

Configure the props.conf file


In the Wazuh managers you'll need to configure the props.conf file with a different index name to format the alert content. You need to create this file at /opt/splunkforwarder/etc/system/local:

[wazuh-1]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true

[wazuh-2]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true

Configure the indexes.conf file


After configuring your Wazuh instances with different index names you'll need to create these indexes in the Splunk indexer instance. For this, let's edit indexes.conf; the indexes file needs to be created in /opt/splunk/etc/system/local, and if we follow the previous example the content would be like this:

[wazuh-1]
coldPath = $SPLUNK_DB/wazuh1/colddb
enableDataIntegrityControl = 1
enableTsidxReduction = 1
homePath = $SPLUNK_DB/wazuh1/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wazuh1/thaweddb
timePeriodInSecBeforeTsidxReduction = 15552000
tsidxReductionCheckPeriodInSec = 

[wazuh-2]
coldPath = $SPLUNK_DB/wazuh2/colddb
enableDataIntegrityControl = 1
enableTsidxReduction = 1
homePath = $SPLUNK_DB/wazuh2/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/wazuh2/thaweddb
timePeriodInSecBeforeTsidxReduction = 15552000
tsidxReductionCheckPeriodInSec = 

Please be careful: look at the coldPath, homePath and thawedPath, which are different, like the index name.

After that, if you restart the Splunk instance, you'll have two different indexes on Splunk to locate the Wazuh alerts from the different Wazuh instances.

Please ensure that the indexes created contain alerts; otherwise, you won't see them in Settings > Index.


I hope this helps you.

Please don't hesitate if you have more doubts.

Regards,
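The three files in the answer above have to agree with each other: every index named in a manager's inputs.conf needs a matching props.conf and indexes.conf stanza, and the storage paths in indexes.conf must not be shared between indexes. The script below is an added example, not code from this thread or from the Wazuh project. It parses the Splunk-style .conf fragments with a small hand-written parser and reports the mismatches; the manager names ("manager-1", "manager-2") and the sample configurations are constructed from the values shown in the answer, and the BAD variant deliberately reuses the first index's paths to show what the check catches.

```python
# Added example (not from the thread or the Wazuh project): cross-check the
# inputs.conf, props.conf and indexes.conf fragments of a multi-index setup.
# Assumes the layout the answer describes: one inputs.conf per Wazuh manager,
# one props.conf stanza and one indexes.conf stanza per index name.

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Accepts '#' comments, blank lines and empty values such as 'DATETIME_CONFIG ='."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_multi_index(inputs_per_manager, props_text, indexes_text):
    """Return a list of problems; an empty list means the files agree.
    inputs_per_manager maps a manager name to that manager's inputs.conf text."""
    props, indexes = parse_conf(props_text), parse_conf(indexes_text)
    problems, fed_by = [], {}          # fed_by: index name -> manager feeding it
    for manager, text in inputs_per_manager.items():
        for stanza, kv in parse_conf(text).items():
            if not stanza.startswith("monitor://"):
                continue
            if kv.get("sourcetype") != "wazuh":
                problems.append(f"{manager}: sourcetype must be wazuh")
            idx = kv.get("index")
            if not idx:
                problems.append(f"{manager}: monitor stanza sets no index")
            elif idx in fed_by:
                problems.append(f"index {idx} fed by both {fed_by[idx]} and {manager}")
            else:
                fed_by[idx] = manager
    for idx in fed_by:
        if idx not in props:
            problems.append(f"props.conf lacks [{idx}]")
        elif props[idx].get("INDEXED_EXTRACTIONS") != "json":
            problems.append(f"props.conf [{idx}] needs INDEXED_EXTRACTIONS = json")
        if idx not in indexes:
            problems.append(f"indexes.conf lacks [{idx}]")
    # The caveat from the answer: storage paths must differ for every index.
    path_owner = {}
    for idx, kv in indexes.items():
        for key in ("homePath", "coldPath", "thawedPath"):
            path = kv.get(key)
            if not path:
                problems.append(f"indexes.conf [{idx}] lacks {key}")
            elif path in path_owner:
                problems.append(f"indexes.conf [{idx}] {key} reuses {path} of [{path_owner[path]}]")
            else:
                path_owner[path] = idx
    return problems


# Constructed samples built from the thread's example values.
def manager_inputs(index_name):
    return f"""[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = MANAGER_HOSTNAME
index = {index_name}
sourcetype = wazuh
"""

def props_stanza(index_name):
    return f"""[{index_name}]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
"""

def index_stanza(index_name, dirname):
    return f"""[{index_name}]
homePath = $SPLUNK_DB/{dirname}/db
coldPath = $SPLUNK_DB/{dirname}/colddb
thawedPath = $SPLUNK_DB/{dirname}/thaweddb
maxTotalDataSizeMB = 512000
"""

INPUTS = {"manager-1": manager_inputs("wazuh-1"), "manager-2": manager_inputs("wazuh-2")}
PROPS = props_stanza("wazuh-1") + props_stanza("wazuh-2")
GOOD_INDEXES = index_stanza("wazuh-1", "wazuh1") + index_stanza("wazuh-2", "wazuh2")
# BAD variant: the second index points at the first index's directories.
BAD_INDEXES = index_stanza("wazuh-1", "wazuh1") + index_stanza("wazuh-2", "wazuh1")

if __name__ == "__main__":
    print("good:", check_multi_index(INPUTS, PROPS, GOOD_INDEXES))
    print("bad:", check_multi_index(INPUTS, PROPS, BAD_INDEXES))
```

Running it reports no problems for the GOOD configuration and three "reuses" findings for the BAD one, one per shared path. Point `check_multi_index` at the real files (one inputs.conf read from each forwarder, plus the indexer's props.conf and indexes.conf) to catch a missing stanza before restarting Splunk.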

adri9valle commented 5 years ago

Hi @xkilian,

It seems that this problem is solved. If you need more help with it, don't hesitate to open an issue again and tell me your problem; we're here to help!

Regards,