Merged
14 changes: 14 additions & 0 deletions crowdsec-docs/docs/local_api/notification_plugins/file.md
Expand Up @@ -51,6 +51,10 @@ Some SIEM agents may not support some top level keys we define in the default nd

### SIEM Integration

:::warning
Please note if you change the format that is printed to the file you must also configure the collector on the SIEM side to also expect the same format
:::

#### Filebeat

Filebeat has a set of reserved top level keys and should not be used in the ndjson format. The following format can be used to be compatible with Filebeat:
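Review bot: The added warning sentence is hard to parse: it has no comma after the conditional clause, repeats "also", and has no closing period. Suggest "If you change the format written to the file, you must also configure the collector on the SIEM side to expect the same format." Since the warning sits directly under `### SIEM Integration`, it applies to every collector subsection below it, which is the right place; a short clause saying what the reader will see when the two sides disagree would make it more actionable.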
Expand All @@ -61,6 +65,16 @@ format: |
{ "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
{{ end -}}
```
#### Wazuh

Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent. The following format can be used to be compatible with Wazuh:

```yaml
format: |
{{range . -}}
{ "crowdsec": { "time": "", "program": "crowdsec", "alert": {{. | toJson }} }}
{{ end -}}
```

## Testing the plugin

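Review bot: In the Wazuh template the "time" value is an empty string (`"time": ""`), while the Filebeat template just above it uses `"time": "{{.StopAt}}"`, so every line written with this format would carry no timestamp. If that is not intended, use `{{.StopAt}}` here as well; if it is intended, the text should say why. Two smaller points in the same hunk: `#### Wazuh` follows the closing fence with no blank line, unlike the Filebeat heading, and "Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent" is missing "a" and should make clear that it is the use of those keys in the format that stops the agent from sending logs.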