Wazuh + osquery integration

[Atul Chadha]

We are trying to add osquery into wazuh and have followed the steps as mentioned in the below URL

https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html

We have enabled the wodle on the agent however we are not seeing any logs in the Elasticsearch, could someone explain how the below rule in the ruleset works?

How its able to determine the "location" part, do we need to add the log as a localfile source like /var/log/secure or /var/log/messages ?

<rule id="24000" level="0">

    <location>osquery$</location>
    <description>osquery message</description>
 </rule>

[Juan Carlos Tello]

Hi Atul,

Depending on your configuration the osquery configuration will monitor different aspects of the monitored system. If everything is configured as shown in the example of the configuration guide you've shared then you may get events whenever load charge is seen to be over 70% or free RAM is under 10%, please note that these checks are done periodically every 15 and 30 minutes respectively.

Rule 24000 is a parent rule to all osquery events, and it is looking for an event whose location is stated to end with the osquery string. Note that this is a level 0 rule which by itself will not be logged, but several rules have it as an if_sid matching mechanism, so if this rule is triggered then the rest of the osquery rules will be considered. The default rules can be found here: https://github.com/wazuh/wazuh/blob/v4.4.1/ruleset/rules/0545-osquery_rules.xml

If you're not seeing events I recommend that you share with us your Wazuh configuration (either the agent or the manager's ossec.conf or agent.conf) as well as the operational log /var/ossec/logs/ossec.log and the specific osquery configuration that you have used. We'll be more than happy to help you answer any additional questions you may have.

Best regards,

Juan C. Tello

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f6313be7-60b3-4725-9b83-314a2f83ed64n%40googlegroups.com.

[Atul Chadha]

Thank you for the reply, correct me if i am understanding it wrong

Once the osquery wodle is enable in agent and rules set for gathering osquery , the manager is able to pickup those without adding "localfile" for osquery. I will check the rule config against https://github.com/wazuh/wazuh/blob/v4.4.1/ruleset/rules/0545-osquery_rules.xml and get back to you by tomorrow morning

[Atul Chadha]

Thank you, we were able to get data after using rule suggested above. 

You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/0_l805iNWTM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/01257558-caa6-4b4c-97c9-855240b50c46n%40googlegroups.com.

[Juan Carlos Tello]

Great, thanks for the update!

Don't hesitate to open a new thread if there's any other question we can help you with.

Best regards,

Juan C. Tello

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CAGRFAmSnhWRK-Z_xz6ZcFrW%3DSC%3DeEH4VmuSc24mko%2BtD7htS3g%40mail.gmail.com.