Hi Maxim, 

How are you forwarding the alerts/archives to Kibana?

I think you will need the archives JSON output setting. If you are using 
Wazuh <http://wazuh.com/>, edit ossec.conf and add the following setting:

  <global>
    <logall_json>yes</logall_json>
  </global>



Once you do it, you will find the new archives.json events file at:

/var/ossec/logs/archives/archives.json



The next step is to forward these archive events to Elasticsearch; to do 
that we need to edit the Logstash configuration.

My personal advice for indexing archive events is to create a dedicated index 
just for them, so you will be able to distinguish between events 
and alerts, by adding inside the "output" section the following configuration:

output {
    # "type" is set by the matching input (e.g. type => "ossec-alerts")
    if [type] == "ossec-alerts" {
        elasticsearch {
             hosts => ["127.0.0.1:9200"]
             index => "ossec-%{+YYYY.MM.dd}"
             document_type => "ossec"
             template => "/etc/logstash/elastic-ossec-template.json"
             template_name => "ossec"
             template_overwrite => true
        }
    }
    # archive events go to their own daily index so they never mix with alerts
    if [type] == "ossec-archives" {
        elasticsearch {
             hosts => ["127.0.0.1:9200"]
             index => "ossec-archives-%{+YYYY.MM.dd}"
             document_type => "ossec"
             template => "/etc/logstash/elastic-ossec-template.json"
             template_name => "ossec"
             template_overwrite => true
        }
    }
}


Later, in Kibana, you will need to create a new index pattern 
(Settings -> Indices) matching "ossec-archives-*".

If you need to "reindex" or read a log file from the beginning using 
Logstash, you can use the file input with the option start_position set to 
beginning (+ info): 
<https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#plugins-inputs-file-start_position>



On Monday, May 30, 2016 at 4:53:10 PM UTC+2, Maxim Surdu wrote:
>
> I have these archive files with logs, but in Kibana I cannot see them. Can 
> I reindex these files?
> If I can, please help me step by step.
>
> Thursday, 19 May 2016, 10:17:51 UTC+3, Maxim Surdu wrote:
>>
>> Hi dear community,
>>
>> I had a problem with Logstash. After I resolved it I saw that in Kibana 
>> logs are missing. How can I resolve the problem and reindex all my logs 
>> into Kibana?
>> I will be thankful if someone will help me step by step.
>>
>>
>> I appreciate your help, and a lot of respect for the developers and community!
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
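The steps in the reply above (enable logall_json, read archives.json with start_position => beginning, send it to a dedicated ossec-archives-* index) wired together as one complete Logstash pipeline file. This is an added example, not code from the original message and not Wazuh's own shipped configuration; it is written for the Logstash 2.x style used in the thread. The file path, the "ossec-archives" type name, the template path and the "timestamp" field name (and its two candidate formats) are assumptions taken from the thread and from the OSSEC/Wazuh JSON output of that era; check them against your own archives.json before use.

```logstash
# Added example (not from the original post): a one-off re-index of
# /var/ossec/logs/archives/archives.json into ossec-archives-YYYY.MM.dd.
# Assumptions: Logstash 2.x option names, archives.json written by
# <logall_json>yes</logall_json>, a "timestamp" field in each event.

input {
  file {
    path => "/var/ossec/logs/archives/archives.json"   # assumed path (from the thread)
    type => "ossec-archives"                            # drives the conditional in output {}
    codec => "json"                                     # logall_json writes one JSON object per line
    start_position => "beginning"                       # read the whole file, not only new lines ...
    sincedb_path => "/dev/null"                         # ... and forget the read offset, so the
                                                        # file is re-read on every Logstash start
  }
}

filter {
  if [type] == "ossec-archives" {
    # Re-indexed events are historical: use the event's own timestamp so each one
    # lands in the daily index for the day it happened, not in today's index.
    # Both patterns are assumptions; keep whichever matches your archives.json.
    date {
      match  => ["timestamp", "YYYY MMM dd HH:mm:ss", "ISO8601"]
      target => "@timestamp"
      tag_on_failure => ["_archives_timestamp_unparsed"]   # keep the event, but mark it
    }
  }
}

output {
  if [type] == "ossec-archives" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "ossec-archives-%{+YYYY.MM.dd}"            # separate from the ossec-* alert index
      document_type => "ossec"
      template => "/etc/logstash/elastic-ossec-template.json"   # assumed to exist, as in the thread
      template_name => "ossec"
      template_overwrite => true
    }
  }
}
```

Two things to watch. First, sincedb_path => "/dev/null" is what makes the re-read work, but it also means every Logstash restart ingests the whole file again and duplicates events; remove that line (or point it back at a real sincedb file) once the one-off re-index has finished. Second, logall_json records every event the manager receives, not just those that fired a rule, so archives.json grows much faster than alerts.json and carries the raw log content (user names, source IPs, command lines); rotate it and restrict read access to it and to the ossec-archives-* indices as you would to the original logs.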