You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: source/getting-started/components/wazuh-indexer.rst
+7-94Lines changed: 7 additions & 94 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,109 +8,22 @@ Wazuh indexer
8
8
9
9
The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. The Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability.
10
10
11
-
The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys, field names or properties, with their corresponding values which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other types of data.
11
+
The Wazuh indexer stores data as JSON documents. Each document correlates a set of keys, field names, or properties with their corresponding values, which can be strings, numbers, Boolean values, dates, arrays of values, geolocations, or other types of data.
12
12
13
-
An index is a collection of documents that are related to each other. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards, and distributing those shards across multiple nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.
13
+
An index is a collection of related documents. The documents stored in the Wazuh indexer are distributed across different containers known as shards. By distributing the documents across multiple shards and distributing those shards across various nodes, the Wazuh indexer can ensure redundancy. This protects your system against hardware failures and increases query capacity as nodes are added to a cluster.
14
14
15
-
Wazuh uses four different indices to store different event types:
| **wazuh** |--| **alerts** | Stores alerts generated by the :doc:`/getting-started/components/wazuh-server`. These are created each time an event trips a rule with a high enough priority (this threshold is configurable). |
| **wazuh** |--| **archives** | Stores all events (archive data) received by the :doc:`/getting-started/components/wazuh-server`, whether or not they trip a rule. |
| **wazuh** |--| **monitoring** | Stores data related to the :doc:`/getting-started/components/wazuh-agent` status over time. It is used by the web interface to represent when individual agents are or have been ``Active``, ``Disconnected``, or ``Never connected``. |
| **wazuh** |--| **statistics** | Stores data related to the :doc:`/getting-started/components/wazuh-server` performance. It is used by the web interface to represent the performance statistics. |
You can interact with the Wazuh indexer cluster using the Wazuh indexer REST API, which offers a lot of flexibility. You can perform searches, add or delete documents, modify indices, and more.
42
-
43
-
Here is an example of a query to Wazuh indexer that returns the last lateral movement alert using SSH technique:
Below is an extract of the query result, which is a part of the indexed alert document:
23
+
Wazuh uses several types of indices to store different event types. For details, see the :doc:`Wazuh indexer indices </user-manual/wazuh-indexer/wazuh-indexer-indices>` section of the documentation.
"full_log" : "Apr 24 17:24:55 ip-10-0-1-52 sshd[32179]: Did not receive identification string from 68.183.216.91 port 53820",
97
-
"location" : "/var/log/secure",
98
-
"predecoder" : {
99
-
"hostname" : "ip-10-0-1-52",
100
-
"program_name" : "sshd",
101
-
"timestamp" : "Apr 24 17:24:55"
102
-
},
103
-
"decoder" : {
104
-
"parent" : "sshd",
105
-
"name" : "sshd"
106
-
},
107
-
"GeoLocation" : {
108
-
"city_name" : "Frankfurt am Main",
109
-
"country_name" : "Germany",
110
-
"region_name" : "Hesse"
111
-
}
112
-
}
25
+
The Wazuh indexer is well-suited for time-sensitive use cases like security analytics and infrastructure monitoring, as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.
113
26
114
-
The Wazuh indexer is well suited for time-sensitive use cases like security analytics and infrastructure monitoring as it is a near real-time search platform. The latency from the time a document is indexed until it becomes searchable is very short, typically one second.
27
+
In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data roll-ups, alerting, anomaly detection, and index lifecycle management.
115
28
116
-
In addition to its speed, scalability, and resiliency, the Wazuh indexer has several built-in features that make storing and searching data even more efficient, such as data rollups, alerting, anomaly detection, and index lifecycle management.
29
+
Visit the :doc:`installation guide </installation-guide/wazuh-indexer/index>` and :doc:`user manual </user-manual/wazuh-indexer/index>` for more information about the Wazuh indexer.
0 commit comments