Collect and Visualize Alerts from Snort to Wazuh


Khoa Phạm Anh

Jun 7, 2018, 3:54:13 AM
to Wazuh mailing list
Hi all,
I have deployed Snort and now I want Wazuh to collect the logs and alerts and visualize them for warning and incident response. Do we have any tutorial or document about this? I'm looking forward to receiving all your help.
Thanks

rafael...@wazuh.com

Jun 7, 2018, 4:07:06 AM
to Wazuh mailing list
Hi Khoa,

Yes, you can collect Snort logs with Wazuh. You can find the documentation here: https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/localfile.html#log-format
Here is an example:

Open your ossec.conf (/var/ossec/etc/ossec.conf) and add this entry:

<localfile>
  <log_format>snort-full</log_format>
  <location>YOUR_SNORT_LOG_PATH</location>
</localfile>

Restart your client and it will start reading the log.

Best regards.

Jose Antonio Izquierdo

Jun 7, 2018, 4:09:21 AM
to Khoa Phạm Anh, Wazuh mailing list, Jose Antonio Izquierdo
Hello, Mr Khoa, 

This is Jose Antonio Izquierdo. Our friend project OwlH.net, which I lead, can help you with this. We do integration with Suricata and Bro, so it would be great to help you integrate Snort.

You can check the way we do with Suricata at http://documentation.owlh.net/en/latest/main/OwlHWazuh.html
Please let me know if this helps. 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/240f9725-be21-42c3-82cc-5c51ea2aa463%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Khoa Phạm Anh

Jun 7, 2018, 4:41:38 AM
to Wazuh mailing list
Thank you, it worked :D


On Thursday, June 7, 2018 at 15:07:06 UTC+7, rafael...@wazuh.com wrote:

rafael...@wazuh.com

Jun 7, 2018, 5:29:17 AM
to Wazuh mailing list
Hi Khoa,

I'm glad it worked for you!

Best regards.

On Thursday, June 7, 2018 at 9:54:13 AM UTC+2, Khoa Phạm Anh wrote:

Khoa Phạm Anh

Jun 7, 2018, 9:26:00 PM
to Wazuh mailing list
Hi Rafael,
When I restart ossec-control it throws:
Invalid value for element 'log_format': snort
Configuring error ... ossec.conf
Please help me

On Thursday, June 7, 2018 at 16:29:17 UTC+7, rafael...@wazuh.com wrote:

rafael...@wazuh.com

Jun 8, 2018, 4:46:16 AM
to Wazuh mailing list
Hi Khoa,

You are getting an "invalid value" error, which means that the <log_format> value is wrong.

For Snort you have two possible values, snort-full and snort-fast, as you can see here: https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/localfile.html#log-format

In your ossec.conf you have:
 <log_format>snort</log_format>

That's why you are getting the error. Replace snort with snort-full or snort-fast:

<log_format>snort-full</log_format>

OR

<log_format>snort-fast</log_format>


Best regards.

On Thursday, June 7, 2018 at 9:54:13 AM UTC+2, Khoa Phạm Anh wrote:
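The error above comes from a log_format value that the agent does not know at all. The mirror-image mistake, a valid value that does not match what Snort actually writes (one-line alert_fast output, multi-line alert_full output, or binary unified2 files that no localfile entry can read), produces no error but no alerts either. The script below is an added example, not code from this thread or from the Wazuh project: it sniffs a Snort alert file, reports which log_format fits it, parses alert_fast lines into fields, and cross-checks the agent's ossec.conf localfile entries against the files they point at. The alert lines, the ossec.conf fragment and the file paths are constructed; the two regular expressions are this example's assumptions about the alert_fast and alert_full layouts documented in the Snort manual, and the decision to call any file with NUL bytes "binary" is a heuristic, not a unified2 parser.

```python
"""Added example: does the Snort alert file match the Wazuh <log_format>?"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Assumed layout of Snort "alert_fast" output (one alert per line).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Assumed first line of a multi-line Snort "alert_full" record.
FULL_HEADER_RE = re.compile(r"^\[\*\*\]\s+\[\d+:\d+:\d+\]\s+.+\s+\[\*\*\]\s*$")

VALID_SNORT_FORMATS = {"snort-full", "snort-fast"}


def detect_format(data: bytes) -> str:
    """Return 'snort-fast', 'snort-full', 'binary' or 'unknown' for a file's bytes."""
    head = data[:4096]
    if b"\x00" in head:
        # Heuristic: unified2 (snort.u2.*) is binary; a localfile entry cannot read it.
        return "binary"
    for line in head.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            continue
        if FAST_RE.match(line):
            return "snort-fast"
        if FULL_HEADER_RE.match(line):
            return "snort-full"
        return "unknown"
    return "unknown"  # empty file: nothing for the agent to read yet


def parse_fast_alerts(text: str) -> list[dict]:
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
            alerts.append(d)
    return alerts


def localfile_entries(ossec_conf: str) -> list[tuple[str, str]]:
    """(location, log_format) pairs. ossec.conf may hold several top-level
    <ossec_config> blocks, so it is wrapped in a dummy root before parsing."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    return [(lf.findtext("location", "").strip(), lf.findtext("log_format", "").strip())
            for lf in root.iter("localfile")]


def check_agent(ossec_conf: str, files: dict[str, bytes]) -> list[str]:
    """Cross-check each <localfile> against the bytes of the file it names.
    Returns human-readable findings; an empty list means everything is consistent."""
    findings = []
    for loc, fmt in localfile_entries(ossec_conf):
        if loc not in files:
            continue
        detected = detect_format(files[loc])
        if detected.startswith("snort-") and fmt not in VALID_SNORT_FORMATS:
            findings.append(f"{loc}: log_format '{fmt}' is not a Snort format; use '{detected}'")
        elif detected in VALID_SNORT_FORMATS and fmt != detected:
            findings.append(f"{loc}: configured '{fmt}' but the file looks like '{detected}'")
        elif detected == "binary":
            findings.append(f"{loc}: binary (unified2?) output; point Snort at a text alert file")
    return findings


# Constructed sample: alert_fast output.
FAST_SAMPLE = (
    "06/07-10:15:02.123456  [**] [1:1000001:1] ICMP ping test [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1\n"
    "06/07-10:15:03.654321  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.1:80 -> 10.0.0.5:51234\n"
)
# Constructed sample: the first alert in alert_full layout.
FULL_SAMPLE = (
    "[**] [1:1000001:1] ICMP ping test [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "06/07-10:15:02.123456 10.0.0.5 -> 10.0.0.1\n"
    "ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84 DF\n"
    "Type:8  Code:0  ID:1  Seq:1  ECHO\n\n"
)
# Constructed agent config reproducing the thread's mistake (log_format 'snort').
AGENT_CONF = """
<ossec_config>
  <localfile>
    <log_format>snort</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for finding in check_agent(AGENT_CONF, {"/var/log/snort/alert": FAST_SAMPLE.encode()}):
        print("FINDING:", finding)
    for a in parse_fast_alerts(FAST_SAMPLE):
        print(a["sid"], a["prio"], a["proto"], a["src"], "->", a["dst"], a["msg"])
```

On a real agent, replace the constructed dict with the bytes of the files named in /var/ossec/etc/ossec.conf; if check_agent prints nothing and the alert file is still growing, the problem is on the manager side (decoder or rules), not in the localfile entry.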

Khoa Phạm Anh

Jun 8, 2018, 5:22:14 AM
to Wazuh mailing list
Yeah, I have re-configured it, but Wazuh still cannot collect the alert log. I've only received the syslog and audit logs :D. I've been stuck on this for two days!!!

On Friday, June 8, 2018 at 15:46:16 UTC+7, rafael...@wazuh.com wrote:

rafael...@wazuh.com

Jun 8, 2018, 6:01:56 AM
to Wazuh mailing list
Hi Khoa,

Let's see if you get the information from the Snort log:

1 - Activate <logall>yes</logall> in your manager's ossec.conf:
<logall>yes</logall>

This option lets you see all the incoming data on the manager.

2 - Restart your manager.
# /var/ossec/bin/ossec-control restart


3 - View the incoming data in /var/ossec/logs/archives/archives.log:

# tail -f /var/ossec/logs/archives/archives.log

Post here the incoming data that you get from snort.

Best regards.

On Thursday, June 7, 2018 at 9:54:13 AM UTC+2, Khoa Phạm Anh wrote:

Khoa Phạm Anh

Jun 11, 2018, 12:09:43 AM
to Wazuh mailing list
Hi, Rafael
First I want to say thanks for your help.
I have enabled the <logall> option and read the archives.log, but I have not seen any Snort alert logs collected :(


On Friday, June 8, 2018 at 17:01:56 UTC+7, rafael...@wazuh.com wrote:

Khoa Phạm Anh

Jun 11, 2018, 2:30:27 AM
to Wazuh mailing list
This is my ossec.conf on the Snort agent



Khoa Phạm Anh

Jun 11, 2018, 2:31:51 AM
to Wazuh mailing list
This is my folder /var/log/snort and the alert file

Khoa Phạm Anh

Jun 11, 2018, 2:35:13 AM
to Wazuh mailing list
This is my ossec.log from the Snort agent