Last active
April 1, 2022 15:55
-
-
Save michelep/dbe84f7ebfda569ab368cbb8dae2a16a to your computer and use it in GitHub Desktop.
Wazuh 4.x index management
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| You can achieve this by setting the policy id in the /etc/filebeat/wazuh-template.json file (on the Wazuh nodes) and then reloading the template. For example, let's say that you have created your ISM policy on Elasticsearch with id wazuh-index-state-policy, | |
| Edit the wazuh-template.json file. | |
| Add the line "opendistro.index_state_management.policy_id": "wazuh-index-state-policy" inside the settingsobject: | |
| "opendistro" : { | |
| "index_state_management" : { | |
| "policy_id" : "hot_warm_delete_workflow" | |
| } | |
| }, | |
| Reload the template into Elasticsearch: filebeat setup --index-management | |
| You can check that the template was successfully loaded going into Kibana -> DevTools and executing: GET /_template/wazuh | |
| Let me know if this helped! | |
| More info: | |
| https://wazuh.com/blog/wazuh-index-management/ (Check the paragraph For this to be applied to indices created in the future you must change the index template to include this policy. Run the following commands on the Wazuh Manager's command line:) | |
| https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-template.html#load-template-manually |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment