wazuh-template.json reset on container restart prevents customisation of indices and datatypes

[matt-j-griffin]

Since the fix to #1966, the wazuh-template.json file is being reset every time the Wazuh container is started. This behaviour makes it impossible to persist custom modifications.

According to the Wazuh documentation on indexer indices and datatypes, these templates should be customisable to allow the addition of new indices and datatypes. At present, however, any edits to /etc/filebeat/wazuh-template.json are overwritten on restart, which contradicts that expectation.

I’ve been able to bypass this by mounting my custom template separately and pointing Filebeat to it via filebeat.yml:

setup.template.json.path: "/etc/filebeat/custom-template.json

Could Wazuh provide an officially supported way to customise or persist changes to wazuh-template.json (e.g. document the intended mechanism)?

[vcerenu]

Hello @matt-j-griffin

This works as expected, as the file must be updated with any deployment or update, regardless of whether the directory containing the file is mounted in a volume to maintain its persistence or not.

Regarding file customizations, we don't have any implementation for that, but the solution you've developed is fine for what you need. Our repository is a foundation on which all users can work and customize their images and deployments to their needs. As for these changes, you can make them however you see fit, and you can even implement a procedure for modifying them, which you can share with other users, like many implementations currently available in the repository.