Indexer integration
The indexer integration covers the data forwarders that ship data from the Wazuh manager to the Wazuh indexer or to third-party indexers.
Wazuh indexer
This integration provides a bridge between the Wazuh manager and the Wazuh indexer. It forwards data from the Wazuh manager to the Wazuh indexer for indexing. The Wazuh indexer integration consists of two forwarders: Filebeat and Wazuh indexer connector.
Filebeat
This component is a lightweight data shipper designed to securely forward alerts and archived events processed by the Wazuh manager to the Wazuh indexer for indexing and storage. It reads the output of the Wazuh analysis engine and ships events in real time.
Configuration
The code block below shows the default Filebeat configuration in the /etc/filebeat/filebeat.yml file on the Wazuh server. This configuration file is downloaded during the step-by-step Wazuh server installation. To learn how to download, configure, and install Filebeat, refer to the configuring Filebeat section in the documentation.
```yaml
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644
logging.metrics.enabled: false
seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
```
Where:
- `output.elasticsearch.hosts` specifies the list of Wazuh indexer nodes to connect to. You can use either IP addresses or hostnames. By default, the host is set to localhost, `- 127.0.0.1:9200`. Replace it with your Wazuh indexer address accordingly. You can separate the addresses using commas if you have more than one Wazuh indexer node.
- `protocol` specifies the protocol to use for the connection. The default value is `https`. The allowed values are `http` and `https`.
- `username` and `password` specify the environment variables used to authenticate to the Wazuh indexer securely.
- `ssl.certificate_authorities` specifies the path to the root certificates used to verify the HTTPS server. The default value is `/etc/filebeat/certs/root-ca.pem`. The possible value is any valid path.
- `ssl.certificate` specifies the path to the Filebeat SSL certificate. The default value is `/etc/filebeat/certs/wazuh-server.pem`. The possible value is any valid path.
- `ssl.key` specifies the path to the SSL key used by Filebeat. The default value is `/etc/filebeat/certs/wazuh-server-key.pem`. The possible value is any valid path.
- `setup.template.json.enabled` enables or disables the use of custom templates. The default value is `true`.
- `setup.template.json.path` specifies the file path to the template JSON file. The default value is `/etc/filebeat/wazuh-template.json`. The possible value is any valid path.
- `setup.template.json.name` defines the name of the template. The default value is `wazuh`.
- `setup.ilm.overwrite`, when set to `true`, causes the lifecycle policy to be overwritten at startup. The default value is `true`.
- `setup.ilm.enabled` enables or disables index lifecycle management on any new indices created. The default value is `false`. The possible valid values are `true` and `false`.
- `filebeat.modules` specifies the modules Filebeat will use.
- `module` defines the module to use. The default value is `wazuh`.
- `alerts` enables or disables the forwarding of alerts to the Wazuh indexer. When its `enabled` option is set to `true`, alerts are forwarded to the Wazuh indexer.
- `archives` specifies the configuration that determines whether or not archive logs are processed and forwarded.
- `logging.level` defines the log level. The default value is `info`, which represents informational logs. The other log levels are `debug`, `error`, and `warning`.
- `logging.to_files` enables or disables logging to files. The default value is `true`. When set to `true`, Filebeat writes all logs to a file.
- `logging.files.path` specifies the directory where log files will be stored. The default log path is `/var/log/filebeat`.
- `logging.files.name` specifies the name of the file where logs are stored. The default name is `filebeat`.
- `logging.files.keepfiles` specifies the number of recently rotated log files to retain. The default value is `7`. The allowed value is an integer between `1` and `1024`.
- `logging.files.permissions` sets the file permissions for the log files. The default value is `0644`, which means that the owner of the log files can read and write to them, while others can only read.
- `logging.metrics.enabled` enables or disables the logging of internal metrics. The default value is `true`. The possible values are `true` and `false`; the configuration above sets it to `false`.
- `seccomp` specifies a seccomp (secure computing mode) policy that restricts the system calls the Filebeat process can issue.
- `default_action` sets the default action for system calls to `allow`. This means that any system call not explicitly specified in the `syscalls` list is allowed by default.
- `syscalls` defines a list of system call names and the corresponding actions.
- `action` specifies the action to take when any of the system calls listed in `names` is executed. The default value is `allow`. The other values are `errno`, `trace`, `trap`, `kill_thread`, `kill_process`, and `log`.
- `names` defines a list of system call names. A minimum of one system call must be defined in the list. The `rseq` (restartable sequences) system call is used to accelerate user-space operations on shared memory across multiple threads. The `rseq` system call is allowed in this configuration.
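As an added example (not code from the Wazuh project or this page), a small Python audit that reads the `output.elasticsearch` section of filebeat.yml and flags the settings a defender cares about: plain `http`, certificate verification switched off, a missing CA, or a literal credential where a `${...}` reference belongs. The YAML reader only handles the flat, dotted subset this file uses, and both sample inputs are constructed from the defaults shown above.

```python
def load_filebeat_yaml(text):
    """Read the flat, dotted YAML subset of filebeat.yml into {'dotted.path': scalar|list}."""
    cfg, stack = {}, []                      # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments such as the node_2 placeholder
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if body.startswith("- "):            # list item: attach to the nearest open key
            while stack and indent < stack[-1][0]:
                stack.pop()
            cfg.setdefault(".".join(k for _, k in stack), []).append(body[2:].strip("'\" "))
            continue
        while stack and indent <= stack[-1][0]:
            stack.pop()
        key, _, value = body.partition(":")
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            cfg[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return cfg

def audit_filebeat_output(cfg):
    """Return findings for output.elasticsearch; [] means TLS and credentials match the documented defaults."""
    es, findings = "output.elasticsearch", []
    if cfg.get(f"{es}.protocol", "http") != "https":           # Filebeat's own default is http
        findings.append("protocol is not https: alerts and credentials cross the network in cleartext")
    if cfg.get(f"{es}.ssl.verification_mode", "full") == "none":
        findings.append("ssl.verification_mode is none: the indexer certificate is never verified")
    if not cfg.get(f"{es}.ssl.certificate_authorities"):
        findings.append("ssl.certificate_authorities is empty: root-ca.pem is needed to verify the indexer")
    for field in ("username", "password"):                      # expect ${var}, not a literal secret
        if not cfg.get(f"{es}.{field}", "").startswith("${"):
            findings.append(f"{field} is a literal in filebeat.yml instead of a ${{...}} reference")
    return findings

# Constructed samples: the documented default output block, and a weakened copy of it.
DEFAULT_OUTPUT = """\
output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
"""
WEAK_OUTPUT = DEFAULT_OUTPUT.replace("https", "http\n  ssl.verification_mode: none").replace("${password}", "admin")
```

Running `audit_filebeat_output(load_filebeat_yaml(text))` on the real file reports nothing for the default above and three findings for the weakened copy.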
Wazuh indexer connector
The Wazuh indexer connector currently receives vulnerability data from the Wazuh manager and securely forwards it to the Wazuh indexer. It receives the vulnerability data as JSON documents following the Elastic Common Schema (ECS) and synchronizes its state with the Wazuh indexer to ensure data consistency and reliability. The Wazuh indexer connector is shipped together with the Wazuh manager.
The standard configuration for the indexer connector is specified in the /var/ossec/etc/ossec.conf file on the Wazuh server as shown below:
```xml
<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
```
Where:
- `<indexer>` specifies the configuration options for the Wazuh indexer connector.
- `<enabled>` enables or disables the Wazuh indexer connector. The allowed values for this option are `yes` and `no`. The value `yes` enables the Wazuh indexer connector and `no` disables it. The default value is `yes`.
- `<hosts>` specifies a list of Wazuh indexer nodes to connect to. Use the `host` option to set up each node connection.
- `<host>` specifies the Wazuh indexer node URL or IP address to connect to. For example, `http://172.16.1.11` or `192.168.3.2:9230`. By default, the value is set to the local host: `https://127.0.0.1:9200`.
- `<ssl>` specifies the configuration options for the SSL parameters.
- `<certificate_authorities>` specifies a list of root certificate file paths for verification. Use the `ca` option to set up each CA certificate file path.
- `<ca>` specifies the root CA certificate used to verify the HTTPS server. The default value is `/etc/filebeat/certs/root-ca.pem`. The possible value is any valid CA certificate.
- `<certificate>` specifies the path to the Filebeat SSL certificate. The default value is `/etc/filebeat/certs/filebeat.pem`. The possible value is any valid certificate.
- `<key>` specifies the certificate key used for authentication. The default value is `/etc/filebeat/certs/filebeat-key.pem`. The possible value is any valid key.
You can learn more about the available configuration options in the indexer section of the reference guide.
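An added check for the connector block (example code, not part of Wazuh or this page): it parses a single `<ossec_config>` element like the one shown above with the Python standard library and reports hosts that are not reached over `https`, a disabled connector, or a missing CA, certificate or key. Both sample blocks are constructed; the second uses the `http` and bare-IP host forms mentioned above with no `<ssl>` section at all.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def audit_indexer_block(ossec_conf_xml):
    """Return findings for the <indexer> block; [] means every host uses https and the
    CA, certificate and key needed for mutual TLS are all configured."""
    root = ET.fromstring(ossec_conf_xml)          # assumes one <ossec_config> element, as shown above
    indexer = root.find("indexer")
    if indexer is None or (indexer.findtext("enabled") or "yes").strip() != "yes":
        return ["indexer connector is disabled: vulnerability data will not reach the Wazuh indexer"]
    findings = []
    for host in indexer.findall("hosts/host"):
        url = (host.text or "").strip()
        scheme = urlsplit(url).scheme if "://" in url else ""   # a bare host:port carries no scheme
        if scheme != "https":
            findings.append(f"host {url} is not https: TLS is not enforced for this node")
    ssl = indexer.find("ssl")
    if ssl is None or not ssl.findall("certificate_authorities/ca"):
        findings.append("no <ca> configured: the indexer certificate cannot be verified")
    for tag in ("certificate", "key"):
        if ssl is None or not (ssl.findtext(tag) or "").strip():
            findings.append(f"<{tag}> missing: the connector cannot present a client certificate")
    return findings

# Constructed samples: the documented default block, and one using the plain
# http / bare-IP host forms mentioned above without any <ssl> section.
DEFAULT_CONF = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts><host>https://127.0.0.1:9200</host></hosts>
    <ssl>
      <certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>"""
WEAK_CONF = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts><host>http://172.16.1.11</host><host>192.168.3.2:9230</host></hosts>
  </indexer>
</ossec_config>"""
```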
Third-party indexers
The Wazuh manager can forward alerts to third-party indexers. If you are using the Wazuh managers solely for log analysis and wish to forward alerts to third-party solutions for indexing and storage, there are alternative options available. Wazuh allows you to install the data forwarder of your choice on each Wazuh manager node to transfer the alerts to your desired solution. At the moment, Wazuh provides documentation for the following third-party solutions:
- Forwarding Wazuh manager alerts to ELK Stack using Logstash.
- Forwarding Wazuh manager alerts to OpenSearch using Logstash.
- Forwarding Wazuh manager alerts to Splunk using Logstash.
- Forwarding Wazuh server alerts to Splunk using the Splunk Universal Forwarder.
These options provide flexibility in integrating Wazuh with your existing monitoring and analytics infrastructure.