Wazuh Index Management Policy

In this post, I show how to manage your Wazuh Indexer indices in order to improve performance and manage disk space consumed by indices.
Wazuh Index Management Policy
In: Wazuh, SIEM, Defend, Home Lab

A Brief Introduction

The general architecture of the Wazuh stack looks like this. This is a simplification, but the general purpose is to show how the pieces fit together.

	[Wazuh Indexer] ˂――――――˃ [Wazuh Dashboards]
				˄													^
				│													│
				│													│
	[Wazuh Manager] <――――{Wazuh API Client}
				˄
				│
				│
				˅
	[Wazuh Agent]
  • The Wazuh Agent is installed on any endpoints to be monitored
  • The Wazuh Manager can act as a configuration manager over the endpoints and receives logs from any files being monitored by the agent(s)
    • Once the Manager receives the logs from the endpoint(s), it decodes them so that it can analyze various fields from the logs
    • It then parses the decoded fields to see if any rules match against the fields in the logs
    • If a rule matches against a log event, Wazuh Manager triggers an alert and outputs the alert in JSON and forwards it to the Wazuh Indexer using Filebeat
  • The Wazuh Indexer takes the JSON alert from the Wazuh Manager and stores it in an index
  • The Wazuh Dashboards service is used to read documents from the indices in Wazuh Indexer





Wazuh Indexer and Wazuh Dashboards

In the past, Wazuh shipped with OpenDistro for Elasticsearch and Kibana. OpenDistro was forked some time ago off the formerly open-source code base of Elasticsearch by Amazon.

Amazon later released the OpenSearch product which still looks and feels like Elasticsearch and Kibana under the hood, but Elastic and OpenSearch should be considered two different products.

When Wazuh released version 4.3, they forked their own version of OpenSearch and Dashboards to more tightly integrate with the Wazuh ecosystem. They renamed their fork of OpenSearch Indexer and Dashboards to Wazuh Indexer and Wazuh Dashboards. In terms of look and feel and performance, there is not much difference.





Index Management Policy

The Index Management Policy is a document that tells Wazuh Dashboards how to handle indices that meet a certain requirement. For example, a very common Index Management Policy would be:

  • Move indices older than 30 days to read-only and cold-storage
  • Delete indices older than 90 days

If you don't have an Index Management Policy, old indices will not be trimmed, will fill up your disk space, and likely cause performance issues or service crashes. Also, by trimming your indices, you will improve your search performance and read times.

Identifying Indices to Manage

Log into Wazuh Dashboards (aka Kibana), and click the hamburger menu in the top left. Then, scroll down to OpenSearch Plugins and click Index Management.

Then, click Indices.

There is likely going to be a lot of indices in here. Don't worry, we'll be using a wildcard match to target multiple indices. You'll likely see indices such as:

  • wazuh-*
  • security-auditlog-*
  • owlh-*
  • filebeat-*

It's up to you to decide which indices to trim, but I'll give you an example by looking at policy in the next section.





Creating the Index Management Policy

When you create an Index Management Policy, the policy will only apply to indices created after the policy was made. I will show you how to apply your policy to older indices as well.

Log into Wazuh Dashboards (aka Kibana), and click the hamburger menu in the top left. Then, scroll down to OpenSearch Plugins and click Index Management.

Click the Create Policy button. Click JSON Editor. Fill in your Policy ID with a name such as index-state-policy . This is my home lab environment, so I am deleting after 30 days. Adjust yours accordingly.

{
    "policy": {
        "description": "Wazuh index state management for OpenDistro to move indices into a cold state after 15 days and delete them after 30 days.",
        "default_state": "hot",
        "states": [
            {
                "name": "hot",
                "actions": [
                    {
                        "replica_count": {
                            "number_of_replicas": 1
                        }
                    }
                ],
                "transitions": [
                    {
                        "state_name": "cold",
                        "conditions": {
                            "min_index_age": "15d"
                        }
                    }
                ]
            },
            {
                "name": "cold",
                "actions": [
                    {
                        "read_only": {}
                    }
                ],
                "transitions": [
                    {
                        "state_name": "delete",
                        "conditions": {
                            "min_index_age": "30d"
                        }
                    }
                ]
            },
            {
                "name": "delete",
                "actions": [
                    {
                        "delete": {}
                    }
                ],
                "transitions": []
            }
        ],
        "ism_template": [
            {
                "index_patterns": [
                    "wazuh*",
                    "owlh*",
                    "security-auditlog-*",
                    "filebeat-*"
                ],
                "priority": 100
            }
        ]
    }
}





Inspecting the JSON

If you are not familiar with reading JavaScript Object Notation (JSON), then this document could be a bit intimidating for you. Let's break it down:

  • Policy
    • Description
    • Default State
    • States
      • hot
        • actions
          • set number of replicas to 1
        • transitions
          • after an index is 15 days old transition to cold state
      • cold
        • actions
          • set indices to read-only
        • transitions
          • after an index is 30 days old, transition to delete state
      • delete
        • actions
          • delete the index
        • transitions
          • None
    • Index State Management Templates
      • index patterns
        • wazuh*
        • owlh*
        • security-auditlog-*
        • filebeat-*
      • priority of these patterns: 100





Applying the Policy to Existing Indices

Any time a new index is created in Wazuh Indexer, the policy will automatically apply. As mentioned before, your new Index Management Policy is not retroactive. So, you will have to use the API to apply the policy to your existing indices. Fortunately, this is a very simple task.

Log into Wazuh Dashboards, click the hamburger menu and choose Dev Tools.

In my policy above, I am managing all indices that match the pattern:

  • wazuh*
  • owlh*
  • security-auditlog-*
  • filebeat-*

Knowing this, we'll need to make four separate API calls. One for each pattern.

POST _opendistro/_ism/add/wazuh-*
{
  "policy_id": "index-state-policy"
}
Press the play button in the top right to execute the API call
POST _opendistro/_ism/add/owlh-*
{
  "policy_id": "index-state-policy"
}
Press the play button in the top right to execute the API call
POST _opendistro/_ism/add/security-auditlog-*
{
  "policy_id": "index-state-policy"
}
Press the play button in the top right to execute the API call
POST _opendistro/_ism/add/filebeat-*
{
  "policy_id": "index-state-policy"
}





Making Changes to the Policy

If you ever decide to update your policy, you must remember that policy changes are not retroactive. You will have to follow the same API procedure before to add your updated policy to existing indices.

POST _opendistro/_ism/change_policy/wazuh-*
{
  "policy_id": "index-state-policy"
}

Note that we're hitting the change_policy endpoint here

POST _opendistro/_ism/change_policy/owlh-*
{
  "policy_id": "index-state-policy"
}

POST _opendistro/_ism/change_policy/security-auditlog-*
{
  "policy_id": "index-state-policy"
}

POST _opendistro/_ism/change_policy/filebeat-*
{
  "policy_id": "index-state-policy"
}





Wrapping Up

That's all there is to index management with Wazuh Dashboards. Adding an index management policy will greatly reduce your troubleshooting woes in the future and keep you from being caught off-guard by a SIEM that becomes unresponsive due to disk space issues.

More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.