How to verify logs coming from GCP pub-sub and also see alerts of it on wazuh dashboard


Rishit Sheth

Oct 17, 2022, 1:57:10 PM10/17/22
to Wazuh mailing list
Hi, 

I'm new to wazuh and I have all in one wazuh setup. I have correctly added gcp pub-sub template into the ossec.conf file and also have correctly setup sink, gcp pub-sub on the GCP side. How can I verify that the logs are coming from GCP pub-sub to wazuh correctly and also how can I see alerts of it on wazuh dashboard?

Christian Borla

Oct 17, 2022, 4:10:10 PM10/17/22
to Wazuh mailing list
Hi.
I hope you are doing fine!
Wazuh can use the Google Cloud Pub/Sub messaging and ingestion service. The GCP services supported by Wazuh are shown on this link; you can check whether any alerts for the supported services were fired on the dashboard, otherwise it's possible to look for them on the Wazuh manager side.

If the collected events are supported by Wazuh and the configuration is correct, the events should be processed by decoders and rules and generate alerts, so look for them in the /var/ossec/logs/alerts/alerts.json file. If you find GCP events as alerts, that means the configuration is OK, but there is a problem between Wazuh manager - Filebeat - Wazuh indexer. Otherwise, if you don't find any GCP log in the alerts.json file, look for them in the /var/ossec/logs/archives/archives.json file.
To enable the archives.json file, edit /var/ossec/etc/ossec.conf on the manager side and add <logall_json>yes</logall_json>:

                <ossec_config>
                  <global>
                     <alerts_log>yes</alerts_log>
                     <logall>yes</logall>
                     <logall_json>yes</logall_json>
                  </global>
                </ossec_config>

Then restart the Wazuh manager. If you find GCP logs in the archives.json file but they are not in the alerts.json file, that means that kind of GCP log is not supported; if you want to trigger an alert from them, it's possible to create custom decoders and custom rules.
Let me know if this information is useful.
Regards.
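The verification described above (GCP events present in archives.json but absent from alerts.json means they were collected but matched no rule) can be checked mechanically. The script below is an added example, not code from the thread or from Wazuh; it reads both NDJSON files, groups events by the decoded data.gcp.logName field (the field name is assumed from Wazuh's GCP decoder, the thread writes it as "logname"), and reports which log names are alerting and which are collected only. The sample lines are constructed, not real captures.

```python
import json

# Constructed sample lines in the NDJSON shape Wazuh writes to
# /var/ossec/logs/archives/archives.json (every event) and
# /var/ossec/logs/alerts/alerts.json (events that matched a rule).
# Rule ids, project names and log names are placeholders.
ARCHIVES_SAMPLE = """
{"timestamp":"2022-10-17T13:57:10.000+0000","data":{"gcp":{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","resource":{"type":"k8s_cluster"}}}}
{"timestamp":"2022-10-17T13:57:11.000+0000","data":{"gcp":{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","resource":{"type":"http_load_balancer"}}}}
{"timestamp":"2022-10-17T13:57:12.000+0000","data":{"gcp":{"logName":"projects/example-project/logs/custom-app","resource":{"type":"gce_instance"}}}}
{"timestamp":"2022-10-17T13:57:13.000+0000","full_log":"Oct 17 13:57:13 host sshd[1]: Accepted publickey for user","data":{"srcip":"10.0.0.1"}}
"""
ALERTS_SAMPLE = """
{"timestamp":"2022-10-17T13:57:10.000+0000","rule":{"id":"999001","level":5,"description":"placeholder GCP audit rule"},"data":{"gcp":{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","resource":{"type":"k8s_cluster"}}}}
{"timestamp":"2022-10-17T13:57:11.000+0000","rule":{"id":"999001","level":5,"description":"placeholder GCP audit rule"},"data":{"gcp":{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","resource":{"type":"http_load_balancer"}}}}
"""


def gcp_log_names(ndjson_text):
    """Return {logName: count} for events that carry a decoded data.gcp object."""
    counts = {}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole check
        gcp = event.get("data", {}).get("gcp")
        if not isinstance(gcp, dict):
            continue  # not a GCP event (e.g. local syslog)
        name = gcp.get("logName", "<no logName>")
        counts[name] = counts.get(name, 0) + 1
    return counts


def verify_pipeline(archives_text, alerts_text):
    """Classify each collected GCP log name as alerting or collected-only."""
    collected = gcp_log_names(archives_text)
    alerted = gcp_log_names(alerts_text)
    status = {name: ("alerting" if name in alerted else "collected-only")
              for name in collected}
    if alerted:
        verdict = "ok"  # decoders and rules fire; any gap is downstream of the manager
    elif collected:
        verdict = "collected-only"  # logs arrive but no rule matches them
    else:
        verdict = "no-gcp-events"  # check the Pub/Sub subscription and ossec.conf
    return {"collected": collected, "alerted": alerted,
            "status": status, "verdict": verdict}
```

Run it against the real files with `verify_pipeline(open("/var/ossec/logs/archives/archives.json").read(), open("/var/ossec/logs/alerts/alerts.json").read())`; a verdict of "ok" with events still missing from the dashboard points at Filebeat or the indexer rather than the GCP module.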

Rishit Sheth

Oct 17, 2022, 5:07:59 PM10/17/22
to Christian Borla, Wazuh mailing list
Hi Christian,

Thanks for the prompt response. I am able to see alerts under the /var/ossec/logs/alerts/alerts.json location. I also enabled archives.json earlier. When I check the alerts.json file, I see lots of alerts and most of them are related to audit, HTTPS load balancing or GCP infra resources like k8s etc. Does that mean my configuration is correct? When I go to the security events dashboard and try to apply the filter "data.gcp.logname" and then choose a target from the menu, I don't see any events there. Is that normal? I am a little confused here as I am new to Wazuh.

Regards,
Rishit Sheth
DevOps Engineer



Christian Borla

Oct 17, 2022, 5:31:21 PM10/17/22
to Wazuh mailing list
Hi Rishit Sheth.
Good to know that alerts are generated; that means event logs were collected, the manager received them (archives.json) and processed them correctly (alerts.json). Did you try filtering only by data.gcp events?
Also, could you check the Filebeat, Elasticsearch and Kibana services?

Please check the services status by running following commands:
systemctl status kibana
systemctl status filebeat
systemctl status elasticsearch

Let me know if you find any error.
Regards.