Need to configure the alerts


SaiRajan Puratchivel

Sep 29, 2022, 6:52:21 AM
to Wazuh mailing list
Hello,

We are planning to deploy Wazuh in production; before that I need to understand the alerting in detail.

Especially the Windows user logon failure and system shutdown alerts.

Thanks,
Sai

Anthony Faruna

Sep 29, 2022, 8:23:16 AM
to SaiRajan Puratchivel, Wazuh mailing list
Hello SaiRajan

Thank you for using Wazuh 

Could you please help me understand the context of the information you need?

To understand how alerts are generated, each event collected by the Wazuh agent is transmitted to the Wazuh Manager. The Manager will assign the event a severity level depending on which rules it matches from the ruleset. By default, it will only log alerts with a severity level of 3 or higher. You can get more clarification at https://documentation.wazuh.com/current/user-manual/manager/alert-threshold.html

This documentation describes an example of failed login attempts and the subsequent alerts generated on the Wazuh dashboard.

Please let me know if you have additional questions

Best Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/bf581314-7560-4b50-bfe7-d369996fc966n%40googlegroups.com.

SaiRajan Puratchivel

Sep 29, 2022, 9:08:17 AM
to Wazuh mailing list
Hi Anthony,

As we are exploring the product, we need to configure the things below.

Let's say I have 2 physical servers, namely a Prod server and a File server, where I have to monitor bad attempts and down/up notifications. I also have to monitor file modifications (create, delete, modify).

I have already configured Postfix in my environment, which is working fine. Using this, I have to configure email notifications as well for all the above-mentioned alerts.

Thanks,
Sai

Anthony Faruna

Sep 29, 2022, 10:05:00 AM
to SaiRajan Puratchivel, Wazuh mailing list
Hello SaiRajan

Thank you for the clarification

By default, Wazuh monitors for bad attempts, and you will be notified on the dashboard, as I shared previously at this link.

It is also possible to monitor file changes by specifying the directories to be monitored; however, Wazuh monitors some directories by default.

This documentation captures how the Wazuh File Integrity Monitoring module operates, based on the use cases you might have in your environment.

To view and configure the FIM module to your needs, the configuration is within the ossec.conf file of the agent, within the syscheck block, as shown below:

<!-- File integrity monitoring -->
  <syscheck>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed, default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
    <!-- ... further default entries omitted ... -->
  </syscheck>

To monitor a specific path/directory on any of the servers, say the Downloads folder:

Edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and add the folder to be monitored.

This should be within the <syscheck> block.  The configuration should look like this:

<directories check_all="yes" whodata="yes">C:\Users\administrator\Downloads</directories>

Restart the agent after applying the configuration.

This will generate alerts once a file is created, modified or deleted in this directory.

Please let me know if you need further assistance.

Best Regards
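A way to sanity-check both halves of that setup (the agent-side syscheck block and the manager-side email routing through Postfix) before restarting anything, as an added example that is not from this thread or from the Wazuh project: it parses an agent fragment and a manager fragment, both constructed here for illustration (the Postfix relay is assumed on localhost and the example.com addresses are placeholders), reports what will be monitored and mailed, and shows that a fragment closed with `<sycheck>` instead of `</syscheck>` is rejected as malformed. Option names follow the Wazuh ossec.conf schema; treating whodata as implying real-time monitoring, and falling back to `email_alert_level` for an `<email_alerts>` route that has no `<level>` of its own, are this script's assumptions.

```python
"""Sanity-check Wazuh ossec.conf fragments before restarting agent/manager.

Added example, not from this thread or from the Wazuh project. The XML
below is constructed; option names follow the Wazuh ossec.conf schema."""
import xml.etree.ElementTree as ET

# Constructed agent-side fragment for the "File server": the Downloads
# folder with who-data (as in the thread) plus a share with real-time only.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" whodata="yes">C:\\Users\\administrator\\Downloads</directories>
    <directories check_all="yes" realtime="yes">D:\\Shares\\Finance</directories>
  </syscheck>
</ossec_config>"""

# Constructed manager-side fragment: mail through the local Postfix relay,
# one route for FIM alerts of level 7+, one for every logon failure.
MANAGER_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>localhost</smtp_server>
    <email_from>wazuh@example.com</email_from>
    <email_to>soc@example.com</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <group>syscheck</group>
    <level>7</level>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <group>authentication_failed</group>
    <do_not_delay />
  </email_alerts>
</ossec_config>"""

# The block as posted in the thread ends with <sycheck>, which is not
# well-formed XML; the agent will not load it.
BROKEN_CONF = """<ossec_config>
  <syscheck>
    <disabled>no</disabled>
  <sycheck>
</ossec_config>"""


def parse_conf(xml_text):
    """Return the root element, or None if the fragment is not well-formed."""
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError:
        return None


def syscheck_summary(xml_text):
    """List monitored paths with the attributes that decide what gets alerted."""
    root = parse_conf(xml_text)
    if root is None:
        return None
    sc = root.find("syscheck")
    if sc is None or sc.findtext("disabled", "no").strip() == "yes":
        return {"enabled": False, "paths": []}
    paths = []
    for d in sc.findall("directories"):
        whodata = d.get("whodata") == "yes"
        paths.append({
            "path": d.text.strip(),
            "check_all": d.get("check_all") == "yes",
            "whodata": whodata,
            # assumption of this script: who-data implies real-time monitoring
            "realtime": whodata or d.get("realtime") == "yes",
        })
    return {"enabled": True, "paths": paths}


def email_summary(xml_text):
    """Report whether mail is on and which (group, level) routes are defined."""
    root = parse_conf(xml_text)
    if root is None:
        return None
    g = root.find("global")
    enabled = g is not None and g.findtext("email_notification", "no").strip() == "yes"
    # assumption: a route without <level> inherits the global email threshold
    default_level = int(root.findtext("alerts/email_alert_level", "12"))
    routes = [{
        "to": ea.findtext("email_to", "").strip(),
        "group": ea.findtext("group"),
        "level": int(ea.findtext("level", str(default_level))),
    } for ea in root.findall("email_alerts")]
    smtp = g.findtext("smtp_server") if g is not None else None
    return {"enabled": enabled, "smtp": smtp, "routes": routes}


if __name__ == "__main__":
    print(syscheck_summary(AGENT_CONF))
    print(email_summary(MANAGER_CONF))
    print("posted fragment is well-formed:", parse_conf(BROKEN_CONF) is not None)
```

Run it against the real files by reading them in place of the constructed strings; a `None` result from either summary means the file will not load at all, which is worth knowing before the restart rather than after.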

SaiRajan Puratchivel

Sep 30, 2022, 4:53:16 AM
to Wazuh mailing list
Hi Anthony,

Thanks for your information. I have tried to open the security events for the node, but it is not populating any.

Even in the dashboard I am not able to see anything.  

Thanks,
Sai
Screenshot 2022-09-30 at 14.20.53.png
Screenshot 2022-09-30 at 14.22.28.png
Screenshot 2022-09-30 at 14.21.05.png

Anthony Faruna

Sep 30, 2022, 6:53:33 AM
to SaiRajan Puratchivel, Wazuh mailing list
Hello SaiRajan

There is a possibility that alerts are not being generated.

Please check the logs to see if alerts are generated with this command: tail -n5 /var/ossec/logs/alerts/alerts.json and share the output with me.

Best Regards
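To go one step beyond eyeballing `tail -n5`, here is an added example (not from this thread or from Wazuh) that reads alerts.json lines and answers the questions in this thread directly: which agents are producing alerts at all, which FIM events fired and on which path, how many Windows logon failures per target user and source address, and which alerts carry timestamps outside the dashboard's default time window (the clock-skew symptom raised later in this thread). The alert lines are constructed; the field layout and the rule IDs 554/553/550/60122 follow the default Wazuh ruleset and are assumptions of this example, as is the fixed "now" used for the window check.

```python
"""Triage Wazuh alerts.json for the FIM and logon-failure use cases.

Added example, not from this thread or from the Wazuh project. The alert
lines are constructed; the field layout (timestamp, rule.id, rule.groups,
agent.name, syscheck.path, data.win.eventdata) and the rule IDs follow the
default Wazuh ruleset and are assumptions of this example."""
import json
from datetime import datetime, timedelta, timezone

# Constructed "current time" for the time-window check below.
NOW = datetime(2022, 9, 30, 12, 0, tzinfo=timezone.utc)

# Constructed alerts.json excerpt: three FIM alerts, two logon failures
# (one of the FIM alerts is stamped months ahead), one line that is not
# JSON and one line cut short the way tail cuts a record being written.
SAMPLE_ALERTS = r"""
{"timestamp":"2022-09-30T10:20:11.000+0000","rule":{"level":5,"id":"554","description":"File added to the system.","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"file-server"},"syscheck":{"path":"C:\\Users\\administrator\\Downloads\\invoice.xlsx","event":"added"}}
{"timestamp":"2022-09-30T10:21:40.000+0000","rule":{"level":7,"id":"553","description":"File deleted.","groups":["ossec","syscheck","syscheck_entry_deleted"]},"agent":{"id":"001","name":"file-server"},"syscheck":{"path":"C:\\Users\\administrator\\Downloads\\invoice.xlsx","event":"deleted"}}
{"timestamp":"2022-09-30T10:22:02.000+0000","rule":{"level":5,"id":"60122","description":"Logon failure - Unknown user or bad password.","groups":["windows","windows_security","authentication_failed"]},"agent":{"id":"002","name":"prod-server"},"data":{"win":{"eventdata":{"targetUserName":"administrator","ipAddress":"10.0.0.25"}}}}
{"timestamp":"2022-09-30T10:22:03.000+0000","rule":{"level":5,"id":"60122","description":"Logon failure - Unknown user or bad password.","groups":["windows","windows_security","authentication_failed"]},"agent":{"id":"002","name":"prod-server"},"data":{"win":{"eventdata":{"targetUserName":"administrator","ipAddress":"10.0.0.25"}}}}
{"timestamp":"2022-12-31T23:59:59.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed.","groups":["ossec","syscheck","syscheck_entry_modified"]},"agent":{"id":"001","name":"file-server"},"syscheck":{"path":"D:\\Shares\\Finance\\budget.xlsx","event":"modified"}}
this line is not JSON
{"timestamp":"2022-09-30T10:23
"""


def parse_alerts(text):
    """One dict per well-formed line; corrupt or truncated lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def in_group(alert, group):
    return group in alert.get("rule", {}).get("groups", [])


def agents_reporting(alerts):
    """Agents with at least one alert. A host missing here is a collection
    problem (agent not connected or not sending), not a dashboard problem."""
    return sorted({a["agent"]["name"] for a in alerts})


def fim_events(alerts):
    """(agent, event, path) for every syscheck alert: the create/delete/modify
    trail the thread asks for."""
    return [(a["agent"]["name"], a["syscheck"]["event"], a["syscheck"]["path"])
            for a in alerts if in_group(a, "syscheck")]


def failed_logons(alerts):
    """Windows logon failures counted per (agent, target user, source IP)."""
    counts = {}
    for a in alerts:
        if not in_group(a, "authentication_failed"):
            continue
        ev = a.get("data", {}).get("win", {}).get("eventdata", {})
        key = (a["agent"]["name"], ev.get("targetUserName", "?"), ev.get("ipAddress", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def outside_window(alerts, now=NOW, hours=24):
    """(rule id, timestamp) of alerts stamped outside [now - hours, now].
    They are in alerts.json, but a dashboard view of the last N hours hides
    them; a wrong clock on whichever host stamps the alert causes this."""
    lo = now - timedelta(hours=hours)
    out = []
    for a in alerts:
        ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        if ts < lo or ts > now:
            out.append((a["rule"]["id"], a["timestamp"]))
    return out


if __name__ == "__main__":
    # On a manager: alerts = parse_alerts(open("/var/ossec/logs/alerts/alerts.json").read())
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("agents:", agents_reporting(alerts))
    for row in fim_events(alerts):
        print("FIM", row)
    for key, n in failed_logons(alerts).items():
        print("logon failures", key, n)
    print("outside 24h window:", outside_window(alerts))
```

If `agents_reporting` comes back empty on the real file, the dashboard is not the place to look: nothing reached the manager's alert log in the first place. If it lists the agents but `outside_window` is not empty, the alerts exist and it is the time range being viewed (or the clock of the host stamping them) that hides them.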

SaiRajan Puratchivel

Oct 3, 2022, 1:45:26 AM
to Wazuh mailing list
Hi Anthony,

Please find the attached logs. 

Thanks,
Sai
Screenshot 2022-10-03 at 10.56.53.png

SaiRajan Puratchivel

Oct 7, 2022, 1:42:24 AM
to Wazuh mailing list
Hi Anthony,

Can you please look into this?

Thanks,
Sai

Anthony Faruna

Oct 7, 2022, 4:53:38 AM
to SaiRajan Puratchivel, Wazuh mailing list
Hello SaiRajan

My sincere apologies, as I missed this mail.

The screenshot you shared shows that the times of the agent and the manager are different.

Please confirm the time zone of both the agent and the manager.

Then log in to the dashboard and confirm whether the events are reporting.

Best Regards



SaiRajan Puratchivel

Oct 7, 2022, 7:14:28 AM
to Wazuh mailing list
Hi Anthony,

I have changed the time zone on both the server and the agent and restarted both of them, but I am still not able to see logs in the dashboard.

Thanks,
Sai
