Update file.md (#672)
LaurenceJJones authored Dec 26, 2024
1 parent 194e6c2 commit 8c18054
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions crowdsec-docs/docs/local_api/notification_plugins/file.md
Expand Up @@ -51,6 +51,10 @@ Some SIEM agents may not support some top level keys we define in the default nd

### SIEM Integration

:::warning
Please note if you change the format that is printed to the file you must also configure the collector on the SIEM side to also expect the same format
:::

#### Filebeat

Filebeat has a set of reserved top level keys and should not be used in the ndjson format. The following format can be used to be compatible with Filebeat:
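Review bot: The added warning under "### SIEM Integration" repeats "also" ("you must also configure the collector on the SIEM side to also expect the same format") and has no closing period. It also does not name the setting it refers to; the examples in this section change the `format` key, so naming it would tell readers which change requires updating the collector. Suggested wording: "If you change the `format` written to the file, you must also configure the collector on the SIEM side to expect the same format."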
Expand All @@ -61,6 +65,16 @@ format: |
{ "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
{{ end -}}
```
#### Wazuh

Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent. The following format can be used to be compatible with Wazuh:

```yaml
format: |
{{range . -}}
{ "crowdsec": { "time": "", "program": "crowdsec", "alert": {{. | toJson }} }}
{{ end -}}
```

## Testing the plugin
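Review bot: In the Wazuh example, `"time": ""` is an empty string, whereas the Filebeat example directly above uses `"time": "{{.StopAt}}"`; as written, every line collected by Wazuh would carry a blank timestamp. If that is not intentional, use `{{.StopAt}}` here as well or drop the key. Two smaller points in the same hunk: "Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent" is missing "a" and reads as if Wazuh, rather than the use of those keys, causes the failure; and the "#### Wazuh" heading needs a blank line after the closing fence of the Filebeat block.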
