How to so-wazuh-stop and keep it from restarting

[mmasino-matc]

I figured out that this error goes away if I shut down Wazuh and re-index (there is no longer a type conflict).
The only issue now is how in salt do I set this to prevent it from automatically restarting in a few minutes.
It looks like the containers are defined in /opt/so/saltstack/default/pillar/docker/config.sls but I am guessing
there is a correct way to do this by editing a file in the /opt/so/saltstack/local/pillar/docker/ directory.

========================================================================================
I have tried using evtx2es:
/usr/local/bin/evtx2es <logname>.evtx --index so-windows_eventlog

which does import it but breaks.
It causes a Field type conflict with the "event.code" field.

The field is "text" in the securityonion:so-ossec-2021.##.## file
The field is "long" in the securityonion:so-windows_eventlog index created by evtx2es.

Will forwarding these logs directly from Winlogbeat help of is this an Elasticsearch mapping issue?

[innovate-support]

Are you asking how to completely disable Wazuh?
I follow the basic steps below to disable Steno, but it should work for Wazuh also. I didn't test it myself since I don't wanna screw up my currently working Wazuh setup.

Edit /opt/so/saltstack/local/pillar/global.sls and add
wazuh: enabled: False

Minion.sls files are located on the Manager in /opt/so/saltstack/local/pillar/minions/XXX_sensor.sls
I'm not sure if it's needed in those files also, but it shouldn't hurt just to be sure.

The Salt system is supposed to refresh automatically every 15 minutes, but I've found that it doesn't disable things like it's supposed to, so you can manually refresh salt with this command.
sudo salt *_* state.highstate
or
sudo salt \* state.highstate

To see status of all the nodes in your Grid
sudo salt \* so.status
so-wazuh should show DISABLED

[mmasino-matc]

Tried it. It still starts :(

[0nnyx]

Had the same problem despite disabling it in global and minions sls. Each restart attempt was causing cpu spikes so I left wazuh enabled and removed the agents which doesn't consume any cpu and not much ram

[m0duspwnens]

To disable Wazuh, you will need to edit /opt/so/saltstack/local/pillar/global.sls. Under global:in the file, change wazuh: 1 to wazuh: 0. Save and quit the file.

With that change, all we did was tell Salt to not run the Wazuh state which will prevent the container from starting. Now, all that needs to be done is docker stop so-wazuh on all your nodes to stop Wazuh and comment out (or remove) so-wazuh from /opt/so/conf/so-status/so-status.conf. If it is commented out, so-status will show so-wazuh as disabled. If you remove it, it won't show at all in so-status.

[mmasino-matc]

That worked perfect. I figured out changing wazuh: 1 to wazuh: 0 but was getting an error when running so-status. Editing so-status.conf got it all working perfect.

Thanks