filebeat.yml - need to enable archive

[SimpraOmanDev]

i have configured wazuh in local kubernetes enviroment 1.32.2. and wazuh version is 4.11.
i need to enable archiving for the logs to keep for a long time and want to see them in kibana dashboard, i tried everything with filebeat.yml file to change the values of archive from disabled to enabled, but its not working. is there any straight forward way to achieve this, my filebeat is taking the new password for indexer from the kustomize as i changed all the password by following the steps on the wazuh docs and all is set. i want to see wazuh-archives* in the dashboard to find all the old logs and this way i can avoid using ELK to keep the logs and will relay only on the wazuh stack.

check the filebeat file below, i tried on both master and worker but the values are not changing by feeding the configMap or anything else. HELP PLEASE

bash-5.2# cat /etc/filebeat/filebeat.yml

Wazuh - Filebeat configuration file

filebeat.modules:

• module: wazuh
  alerts:
  enabled: true
  archives:
  enabled: false

setup.template.json.enabled: true
setup.template.overwrite: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://indexer:9200']

[SimpraOmanDev]

changed it from the pvc directly, as it was injected directly to the pvc and there was no other option to achieve it. :)

[coreyperkins]

Hi @SimpraOmanDev

I have ran into the same issue that you have. I am running my container as root so I could come up with some options to rewrite the filebeat.yml but I don't see anything as easy as flipping a switch. I'm new to wazuh, so take that fwiw.

It's worth noting that the filebeat.yml is updated as part of the init when deploying the docker image. See here.

For other reasons I have had to build my own images and hack the init scripts in the past. You may choose to go that route or you could write a script to update the filebeat.yml post-install.

A better alternative would be an env var on the StatefulSet.

If anyone has found any better options, post em!

Corey

[SimpraOmanDev]

Hi, @coreyperkins, i tried everything with init and env but nothing worked, the filebeat.yml file is readonly in the pod, so the easy and straight forward way was to hack into pvc, sudo vi filebeat.yml and change it to true for archives, it worked like a charm in different environments for me, with NFS and Longhorn both, longhorn gave a mini heart attack as i couldnt access it directly but then a mini pod helped and i could deatach from the wazuh and after editing i reattached it ...