Enable Suricata and Zeek and Bro into Kibana.


fadi abusafat

Apr 13, 2020, 11:32:49 AM4/13/20
to Wazuh mailing list
Hi, 

I would like to ask how to enable logs from Suricata, Zeek and Bro in Kibana. I mean, should I install it on the Manager in order for it to be available, or is it already installed?

Please, could anyone help with this issue? Also, is it possible to add Snort?

Thank you so much. 

Many Thanks. 

Fadi !!!

Chema Martinez

Apr 21, 2020, 5:51:37 AM4/21/20
to fadi abusafat, Wazuh mailing list
Hi Fadi,

Wazuh is prepared to process logs from all the Network IDS you mentioned. However, they are not included in a default Wazuh installation.

The easiest way to get this working is to forward the logs generated by them to a Wazuh manager, where you can tune the ruleset to process the desired events. Here you can see some examples of default rules to catch Suricata and Zeek logs:


Two methods can be followed to achieve your goal:
  • You can use a Wazuh agent (or the manager directly) to monitor the log files from Suricata, Zeek, Bro, and Snort. The Logcollector module is in charge of this task. Here you have a guide to monitor Suricata events by this method:

In addition, when configuring the Logcollector to read a log file, be aware of the format of those logs according to this table:


As you can see, for Snort events the snort-full format has to be applied; likewise, Suricata events are in JSON format, so the json option is the proper one.
  • The other available option is to forward by Syslog the desired events from the NIDS to the Wazuh manager directly. You can configure the Remote daemon of the manager as a Syslog receiver by adding the following configuration to the ossec.conf file:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>

Once the events are received in the manager, add the needed rules to catch the events and generate alerts, which are available on the WUI (Wazuh interface over Kibana).

Finally, let me suggest you take a look at OwlH, an open-source project aimed at helping with Network IDS management at scale. It can be integrated with Wazuh and help you with the visualization of the NIDS events.


Don't hesitate to join their Community channels (https://www.owlh.net/community) if you are interested in knowing more about the project.

I hope this information is useful.

Best regards,
Chema.

Chema Martinez
Product Core Engineer
Wazuh, The Open Source Security Platform
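A worked configuration for the Logcollector method described in the reply above, added here as an example; it is not part of the original thread or of Wazuh's own documentation. The log file paths, the Zeek JSON output setting and the custom rule ID 100100 are assumptions to adapt to your installation.

```xml
<!-- Agent-side ossec.conf fragment (assumed paths; constructed example, not from the thread) -->
<ossec_config>
  <!-- Suricata EVE output is one JSON object per line, so log_format json applies -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

  <!-- Zeek/Bro: only valid if Zeek is set to write JSON logs (LogAscii::use_json = T);
       the default tab-separated format would not be parsed by the json option -->
  <localfile>
    <log_format>json</log_format>
    <location>/opt/zeek/logs/current/conn.log</location>
  </localfile>

  <!-- Snort full-format alert file uses the dedicated snort-full parser -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>

<!-- Manager-side local_rules.xml fragment: a custom rule (ID in the 100000+ custom range,
     assumed) that turns every Suricata "alert" event into a Wazuh alert visible in Kibana.
     Suricata "flow" or "dns" events still arrive but do not fire this rule. -->
<group name="local,suricata,">
  <rule id="100100" level="7">
    <decoded_as>json</decoded_as>
    <field name="event_type">^alert$</field>
    <description>Suricata alert: $(alert.signature)</description>
  </rule>
</group>
```

After restarting the agent and manager, check that alerts with the suricata group appear in the Wazuh interface; if nothing shows up, verify with the manager's log test tool that a sample eve.json line is decoded as json and matches the rule.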


