Wazuh Index settings


Hello everybody, I hope you are all doing well. I have an issue with Wazuh indexes. Alerts from agents are coming to the Wazuh manager. I set every configuration to use the index filebeat-*, and it's kind of working. In the Kibana web interface I can see that a new index is created every day, e.g. filebeat-2022.02.19. But ... wazuh-statistics and wazuh-monitoring indices are also created. They contain many alerts, but I want Wazuh to use only a single one, filebeat-*.


I deleted those indexes. I deleted the templates for these indexes. I set wazuh-template.json and all configs in /usr/share/filebeat/module/wazuh and /usr/share/kibana to use only filebeat-* ... but new indices with data are being created.
Could you please help me with that? Thank you.

There is 1 best solution below


Is there a specific reason that you need to have alerts registered into filebeat indices?

According to the documentation, every default index has a particular purpose, and it is suggested to use them as provided for better compatibility.

  • The .wazuh index stores Wazuh API credentials and useful information about the Wazuh manager currently being used.
  • The .wazuh-version index includes information such as your current version or your installation date.
  • The .kibana index is used by Kibana itself and stores information regarding Wazuh indices. It is not meant to be modified by the user.
  • The wazuh-alerts-* indices store the actual alert data. You can change their names but it is still recommended to keep them separated.
  • The wazuh-monitoring-* indices keep agent information. For these you can configure insertion frequency. They can be disabled, but you would lose the "Agents status" visualization from the Overview dashboard in the Wazuh Kibana plugin.

I'm sure you can achieve your goal in an officially supported manner.

Regards, Fede
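
Added example, not part of the answer above: the wazuh-monitoring-* and wazuh-statistics-* indices are written by the Wazuh Kibana plugin rather than by Filebeat, so they are controlled from the plugin's `wazuh.yml`, not from the Filebeat module or `wazuh-template.json`. The setting names below are the ones used by the Wazuh 4.x plugin and are an assumption about the installed version; compare them with the commented defaults in your own `wazuh.yml`.

```yaml
# wazuh.yml (Wazuh Kibana plugin configuration)
# Setting names as in Wazuh 4.x (assumption); verify against the file
# shipped with the installed plugin version.

# --- wazuh-monitoring-* : periodic agent status snapshots ---
# Default is enabled. Setting this to false stops new wazuh-monitoring-*
# indices, at the cost of the "Agents status" visualization on the
# Overview dashboard.
wazuh.monitoring.enabled: false

# If the indices are kept instead, the insertion frequency (in seconds)
# can be raised to reduce the volume of documents written.
# wazuh.monitoring.frequency: 900
# wazuh.monitoring.pattern: wazuh-monitoring-*

# --- wazuh-statistics-* : manager statistics collected by a scheduled job ---
# Default is enabled. Setting this to false stops new wazuh-statistics-*
# indices.
cron.statistics.status: false
```

Neither index family holds alert data, so disabling them does not change what Filebeat ships into the alerts indices.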