Logstash parsing data from and to OpenSearch Wazuh Indexes

Data Prepper
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • Use the latest and latest -1 of logstash 9.0.1
  • Use OpenSearch 2.13
  • Wazuh 4.x
  • Ubuntu

Describe the issue:
I intend to use Logstash to read events and alerts from Wazuh’s OpenSearch index and forward the parsed data to another OpenSearch database.

However, I haven’t been able to get it working and I’m unsure which steps I might have missed. I would appreciate it if you could share any guidance or insights how to write codes to parse data from and to different OpenSearch database. Thank you!

Configuration:

Code #1

input {
opensearch {
hosts => [“http://opensearch-host:9200”]
user => “username”
password => “password”
index => “wazuh-"
ssl_enabled => false
schedule => "/5 * * * *”
docinfo => true
docinfo_target => “[@metadata][opensearch]”
size => 1000
}
}

filter {

No filters as this time

}

output {
stdout {
codec => rubydebug
}

Codes #2

input {
opensearch {
hosts => [“https://your-opensearch-node:9200”]
index => “wazuh-alerts-"
user => “your_username”
password => “your_password”
ssl => true
query => ’
{
“query”: {
“bool”: {
“must”: [
{
“range”: {
@timestamp”: {
“gte”: “now-1h”,
“lte”: “now”,
“format”: “strict_date_optional_time”
}
}
},
{
“match”: {
“rule.level”: {
“query”: 10,
“boost”: 1.0
}
}
}
]
}
},
“sort”: [
{
@timestamp”: {
“order”: “asc”
}
}
]
}’
schedule => " * * * *”
size => 1000
scroll => “5m”
docinfo => true
}
}

Relevant Logs or Screenshots:

[2025-05-28T01:58:19,838][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>“LogStash::ConfigurationError”, :message=>“Expected one of [ \t\r\n], "#", "input", "filter", "output" at line 6, column 1 (byte 132) after “, :backtrace=>[”/home/onizuwo/logstash-9.0.1/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative’”, “org/logstash/execution/AbstractPipelineExt.java:294:in `initialize’”, “org/logstash/execution/AbstractPipelineExt.java:227:in `initialize’”, “/home/onizuwo/logstash-9.0.1/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize’”, “org/jruby/RubyClass.java:949:in `new’”, “/home/onizuwo/logstash-9.0.1/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute’”, “/home/onizuwo/logstash-9.0.1/logstash-core/lib/logstash/agent.rb:420:in `block in converge_state’”]}

2

Hi @lsoon3 Please check my answer in the other thread.