Setting up Elasticsearch time-based indices

November 27th 2018 | by Javier Castro | Wazuh 3.7

When you use Wazuh’s default configuration for the Elastic Stack (by following the installation guide) alerts are indexed in elasticsearch with the following naming convention:

wazuh-alerts-3.x-YYYY.MM.dd

This means you are not only specifying an index name, but also defining daily indices for your alerts.

Setting up Elasticsearch. Indices tab on Kibana dashboard.

This behaviour is laid out in the Logstash configuration file:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
        document_type => "wazuh"
    }
}

The pipeline’s output specifies the index name the alert will end up belonging to.

Logstash takes care of creating the index in case it is not present in elasticsearch.

To change the index name you can modify index => “wazuh-alerts-3.x-%{+YYYY.MM.dd} to something like:

index => "my-wazuh-alerts-3.x-%{+YYYY.MM.dd}"

If you want to change the temporization for index creation you need to modify the last part of the same line.

For example, for weekly indices:

index => "my-wazuh-alerts-3.x-%{+xxxx.ww}"

Keep in mind that index temporization has an impact in your cluster because it affects your indices size which, in turn, affects the size of your shards.

If you change the temporization you should rethink your shard index settings.

References

If you have any questions about this, don’t hesitate to check out our documentation to learn more about Wazuh or join our community where our team and contributors will help you.

Setting up Elasticsearch time-based indices

References

Detecting Living Off the Land attacks with Wazuh

Wazuh and Diamatix Forge Strategic Partnership to Bolster Cybersecurity Solutions

Kuiper ransomware detection and response with Wazuh

Wazuh and Wattle Tech sign a partnership agreement