Description
📌 Request Details
Required Information
- 4.12:
Request type
- Fixes or corrections
Affected Documentation
- Documentation section(s): Indexer URL section
- Specific page URLs: https://github.com/wazuh/wazuh-docker/blob/main/build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat#L13
Description
User is setting the INDEXER_URL in the wazuh manager/worker file to https://wazuh1.indexer:9200/ in a multi-node environment. User has nearly 1 manager, 10 workers and nearly 10 indexer nodes. This INDEXER_URL is taken to the filebeat.yml. So all his 10 workers and 1 manager filebeats are pointing to only one indexer.
But when he changes it to an array, it is getting populated in the filebeat.yml as below:
```
hosts: [' "https://wazhu1.indexer.9200", "https://wazhu2.indexer.9200", "https://wazhu2.indexer.9200" ']
```
Notice the single quotes just after and before the opening and closing parenthesis. This is causing filebeat to error out because of the wrong format.
```bash
if [ "$INDEXER_URL" != "" ]; then
  >&2 echo "Customize Elasticsearch output IP"
  sed -i "s|hosts:.*|hosts: ['$INDEXER_URL']|g" /etc/filebeat/filebeat.yml
fi
```
In the referenced GitHub file, it’s important to mention how to define multiple indexer IPs or hostnames correctly—without enclosing each one in single quotes within the configuration. This ensures proper parsing and avoids configuration errors when setting up a multi-node Wazuh indexer cluster.
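
One way the init script could render several indexers into a valid `hosts:` list, as an added example that is not part of wazuh-docker. It assumes `INDEXER_URL` carries a comma-separated list of URLs; the function names `render_hosts` and `apply_hosts` are hypothetical.

```bash
# Added example, not wazuh-docker code. Assumption: INDEXER_URL holds one URL
# or several separated by commas (hostnames or IPv4 addresses only).

# Print a "hosts:" line as a YAML flow sequence with each URL quoted on its own.
# The body runs in a subshell so that IFS and "set -f" do not leak to the caller.
render_hosts() (
    # Drop quotes and whitespace pasted in from an array-style value.
    cleaned=$(printf '%s' "$1" | tr -d "\"' \t")
    out=""
    set -f        # no pathname expansion while splitting
    IFS=,
    for url in $cleaned; do
        [ -n "$url" ] || continue
        case $url in
            # Reject anything that could break the YAML or the sed replacement.
            *[!A-Za-z0-9.:/_-]*) echo "invalid character in: $url" >&2; exit 1 ;;
            http://?*|https://?*) ;;
            *) echo "missing http(s) scheme: $url" >&2; exit 1 ;;
        esac
        out="${out:+$out, }\"$url\""
    done
    [ -n "$out" ] || exit 1
    printf 'hosts: [%s]\n' "$out"
)

# Rewrite the hosts line of the given filebeat.yml ($2) from the value in $1.
# The file is left untouched when validation fails.
apply_hosts() {
    line=$(render_hosts "$1") || return 1
    tmp=$(mktemp) || return 1
    sed "s|hosts:.*|$line|" "$2" > "$tmp" && cat "$tmp" > "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Called as `apply_hosts "$INDEXER_URL" /etc/filebeat/filebeat.yml`, a single URL still produces a one-element list, so existing single-node deployments keep working.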