Fluent Bit

Installation and configuration guide for Fluent Bit

Definition

Fluent Bit is a lightweight and high-performance log processor and forwarder. It is commonly used in logging pipelines to collect logs from files or services and ship them to central log storage or analytics platforms. In our case, Fluent Bit reads alerts from Wazuh (alerts.json) and sends them to Graylog for enrichment and further analysis.

Traffic Flow

The typical flow works as follows:

  • Wazuh Manager writes alerts to /var/ossec/logs/alerts/alerts.json
  • Fluent Bit tails this file, parses the JSON, and forwards the data to Graylog

Installation

Fluent Bit ships an installation script that detects the distribution and sets up the vendor package repository. Piping it straight from the network into a shell executes whatever the server happens to return, so download it first, read it, and only then run it (it installs a package, so it needs root):

curl -fsSL -o fluent-bit-install.sh https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh
sudo sh fluent-bit-install.sh

Configuration

Here's a basic Fluent Bit configuration (the packaged install reads /etc/fluent-bit/fluent-bit.conf). Two things must hold on the host for it to work: the account Fluent Bit runs as needs read access to /var/ossec/logs/alerts/alerts.json, which Wazuh does not make world-readable (the packaged systemd unit runs Fluent Bit as root, which can read it; a dedicated user must be added to the wazuh group), and the storage path below must exist and be writable by that account.

[SERVICE]
    # Push buffered records to the outputs every 5 seconds
    Flush        5
    Daemon       Off
    Log_Level    info
    Parsers_File parsers.conf
    Plugins_File plugins.conf
    # Built-in HTTP API (metrics, health). Left off here; if you turn it on,
    # keep it bound to localhost unless the metrics endpoint is meant to be reachable
    HTTP_Server  Off
    HTTP_Listen  127.0.0.1
    HTTP_Port    2020
    # Filesystem buffering so alerts survive a Graylog outage or a Fluent Bit restart;
    # the directory must exist and be writable by the account Fluent Bit runs as
    storage.metrics on
    storage.path /var/log/flb-storage/
    storage.sync normal
    storage.checksum off
    storage.backlog.mem_limit 5M
    Log_File /var/log/fluent-bit.log

[INPUT]
    # Follow the Wazuh alert file; the json parser from parsers.conf turns each line into a record
    Name    tail
    Path    /var/ossec/logs/alerts/alerts.json
    Tag     wazuh
    Parser  json
    # Persist the read offset so a restart neither re-ships nor skips alerts
    DB      /var/log/flb-storage/tail-wazuh.db
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    # Ship the parsed alerts as newline-delimited JSON to the Graylog TCP input
    Name    tcp
    Match   wazuh
    Host    *your graylog host*
    Port    *your graylog port*
    net.keepalive off
    Format  json_lines
    # json_date_key names the field that carries the record timestamp;
    # a value of "true" would literally create a field called "true"
    json_date_key    date
    json_date_format iso8601
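
Before pointing the output at Graylog it helps to see exactly what Fluent Bit puts on the wire. The receiver below is an added example written for this guide, not code from Fluent Bit, Wazuh or Graylog: it listens on a TCP port, reassembles Fluent Bit's newline-delimited JSON from however TCP happens to chunk it, and flags records Graylog would ingest badly (no date key, or a field literally called "true", which is what a setting of json_date_key true produces). The listen address 127.0.0.1:5555, the field checks and the two sample alert lines are assumptions constructed for the example; the date strings assume json_date_format iso8601.

```python
"""Stand-in receiver for the Fluent Bit tcp output in json_lines format.

Added example for this guide, not code from Fluent Bit, Wazuh or Graylog.
The listen address and the sample alert lines are assumptions.
"""
from __future__ import annotations

import json
import socket

# Assumption: any free local port; mirror it in the [OUTPUT] Port setting
LISTEN_ADDR = ("127.0.0.1", 5555)


class JsonLinesDecoder:
    """Reassemble newline-delimited JSON that arrives in arbitrary TCP chunks.

    TCP has no message boundaries: one Fluent Bit flush may be split across
    recv() calls, or several records may land in a single recv().
    """

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, data: bytes) -> list[dict]:
        self._buf += data
        records = []
        while (nl := self._buf.find(b"\n")) >= 0:
            line, self._buf = self._buf[:nl], self._buf[nl + 1:]
            if not line.strip():
                continue
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError as exc:
                # Surface bad lines instead of dropping them; a wrong Format or
                # parser setting shows up here first
                records.append({"_decode_error": str(exc),
                                "_raw": line.decode("utf-8", "replace")})
        return records


def check_record(rec: dict, date_key: str = "date") -> list[str]:
    """List what Graylog would get wrong about this record (empty list = fine)."""
    if "_decode_error" in rec:
        return ["not valid JSON: " + rec["_decode_error"]]
    problems = []
    if date_key not in rec:
        problems.append(f"missing date key {date_key!r}; check json_date_key in [OUTPUT]")
    if "true" in rec:
        problems.append("field literally named 'true': json_date_key expects a key name, not a boolean")
    if "rule" not in rec or "agent" not in rec:
        problems.append("no rule/agent fields; check that the tail input uses the json parser")
    return problems


# Constructed sample of two alerts as Fluent Bit would emit them (not real data).
# The first uses json_date_key date with json_date_format iso8601; the second
# shows what json_date_key true produces: the timestamp lands in a field named "true".
SAMPLE_STREAM = (
    b'{"date":"2024-05-01T10:15:30.000000Z","timestamp":"2024-05-01T10:15:30.123+0000",'
    b'"rule":{"level":5,"description":"sshd: authentication failed.","id":"5716"},'
    b'"agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log"}\n'
    b'{"true":"2024-05-01T10:15:31.000000Z",'
    b'"rule":{"level":3,"description":"PAM: Login session opened.","id":"5501"},'
    b'"agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log"}\n'
)


def demo(chunk_size: int = 100) -> list[tuple[dict, list[str]]]:
    """Run SAMPLE_STREAM through the decoder in small pieces, as TCP may deliver it."""
    decoder = JsonLinesDecoder()
    results = []
    for i in range(0, len(SAMPLE_STREAM), chunk_size):
        for rec in decoder.feed(SAMPLE_STREAM[i:i + chunk_size]):
            results.append((rec, check_record(rec)))
    return results


def serve(addr: tuple[str, int] = LISTEN_ADDR, max_records: int | None = None) -> int:
    """Accept Fluent Bit connections and print every record with its problems.

    Returns the number of records seen; stops after max_records when given.
    """
    seen = 0
    with socket.create_server(addr) as srv:
        print(f"listening on {addr[0]}:{addr[1]}; use these as Host/Port in [OUTPUT]")
        while max_records is None or seen < max_records:
            conn, peer = srv.accept()
            decoder = JsonLinesDecoder()
            with conn:
                while chunk := conn.recv(65536):
                    for rec in decoder.feed(chunk):
                        seen += 1
                        print(f"[{peer[0]}] {json.dumps(rec, sort_keys=True)}")
                        for problem in check_record(rec):
                            print("    PROBLEM:", problem)
    return seen


if __name__ == "__main__":
    for record, problems in demo():
        print(json.dumps(record, sort_keys=True), problems)
    serve()
```

Run it on the Graylog host or any box Fluent Bit can reach, set Host and Port in [OUTPUT] to the address it prints, restart Fluent Bit and trigger an alert (a failed SSH login against an agent will do). Once the records show the expected fields and no PROBLEM lines, switch Host and Port back to the Graylog input.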

Optional: Add TLS Encryption

To encrypt the connection to Graylog and have Fluent Bit validate the server certificate against your certificate authority (CA), add the following to the [OUTPUT] section (the Graylog input must have TLS enabled as well):

    tls               On
    tls.verify        On
    tls.ca_file       /etc/fluent-bit/certs/ca.crt

Replace /etc/fluent-bit/certs/ca.crt with the path to your actual CA certificate and make sure the file is readable by the account Fluent Bit runs as. tls.verify On checks that the server certificate chains to that CA; depending on the Fluent Bit version it does not by itself check that the certificate was issued for the name given in Host. Recent releases add tls.verify_hostname On for that, so enable it where available. Setting tls.verify Off skips certificate validation entirely and leaves the connection open to interception, which defeats the purpose of enabling TLS.

Enable and Start Fluent Bit

Validate the configuration first, then enable the service so it starts on boot and follow its log to confirm the tail input picked up alerts.json and the tcp output connected:

fluent-bit -c /etc/fluent-bit/fluent-bit.conf --dry-run
systemctl enable --now fluent-bit
journalctl -u fluent-bit -f