Kibana HIDS is not showing and Errors


Tim Bentley

Mar 2, 2019, 4:16:13 AM
to security-onion
I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
What configuration could I have missed?

Doug Burks

Mar 2, 2019, 6:34:46 AM
to securit...@googlegroups.com
Hi Tim,

Please run the following command:

sudo sostat-redacted

There will be a lot of output, so you may need to increase your terminal’s scroll buffer OR redirect the output of the command to a file:

sudo sostat-redacted > sostat-redacted.txt 2>&1

sostat-redacted will automatically redact any IPv4/IPv6/MAC addresses, but there may be additional sensitive info that you still need to redact manually.

Attach the output to your email in plain text format (.txt) OR use a service like http://pastebin.com.

On Sat, Mar 2, 2019 at 4:16 AM Tim Bentley <tim.b...@gmail.com> wrote:
I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
What configuration could I have missed?

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


--
Doug Burks
CEO
Security Onion Solutions, LLC

Tim Bentley

Mar 2, 2019, 7:06:53 AM
to security-onion
On Saturday, 2 March 2019 09:16:13 UTC, Tim Bentley wrote:
> I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
> What configuration could I have missed?

As requested

sostat-redacted.txt

Doug Burks

Mar 2, 2019, 7:41:03 AM
to securit...@googlegroups.com
Based on your sostat output, it looks like Elasticsearch, Logstash, and Kibana are healthy and processing data correctly.

Are you not seeing any events in Kibana at all, or are you just not seeing events from your Wazuh agents?

When you added the Wazuh agents, did you follow the instructions at https://securityonion.readthedocs.io/en/latest/Wazuh.html#adding-agents including allowing the traffic through the firewall with so-allow?

Tim Bentley

Mar 2, 2019, 7:51:59 AM
to security-onion
On Saturday, 2 March 2019 09:16:13 UTC, Tim Bentley wrote:
> I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
> What configuration could I have missed?

I get the alert emails from the server via Wazuh but I am not seeing any events on the Kibana dashboard.
I am looking at using Elastalert for reporting but I am not seeing broken down Wazuh events. I have some ossec_archive events but all the information is in a json field called message which does not seem right.

Doug Burks

Mar 2, 2019, 7:58:34 AM
to securit...@googlegroups.com
Which Kibana dashboard are you looking at?

HIDS (under Alert Data)

OR

OSSEC (under Host Hunting)


Tim Bentley

Mar 2, 2019, 8:47:18 AM
to security-onion
On Saturday, 2 March 2019 09:16:13 UTC, Tim Bentley wrote:
> I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
> What configuration could I have missed?

HIDS under Alert Data as I assume that will have a good breakdown.

OSSEC under Host Hunting has all the data in JSON which makes it difficult to test for.

Is this linked to

https://github.com/Security-Onion-Solutions/security-onion/issues/1469

Doug Burks

Mar 2, 2019, 9:30:31 AM
to securit...@googlegroups.com
You may be experiencing Issue 1469 if you're using version 3.8.x of the Wazuh agent and you're looking at eventchannel logs. Looks like they do default to eventchannel format for at least the Security log now.

Here are a couple of options you might try until we're able to release a fix for 1469:

- in the agent configuration, change eventchannel to eventlog for Security log and other logs that support eventlog

OR

- revert back to Wazuh agent 3.7




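As an added illustration of the first workaround above (this excerpt is not from the thread, nor from the Security Onion or Wazuh projects' own files), here is the `<localfile>` stanza for the Windows Security log as a Wazuh 3.8.x agent reads it with the eventchannel format, next to the same stanza switched to the legacy eventlog format. The file path in the comment is the usual Wazuh agent install location and is an assumption here; the `<query>` filter shown on the eventchannel stanza is a stand-in for whatever filter the agent's default config carries, not copied from any real install.

```xml
<!-- Added example (not from the thread): edit the agent's ossec.conf,
     assumed at C:\Program Files (x86)\ossec-agent\ossec.conf, then restart
     the agent service. -->

<!-- Before: the Wazuh 3.8.x default, which reads the Security log through
     the eventchannel API. These are the events that Issue 1469 describes as
     not being broken out into fields in Security Onion's HIDS dashboard.
     The <query> element is an XPath filter that only the eventchannel
     format understands (the EventID shown is a placeholder). -->
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145]</query>
</localfile>

<!-- After: the same channel collected with the legacy eventlog format
     (workaround 1 in the reply above). eventlog has no <query> element, so
     the filter is dropped rather than carried over; expect the events the
     filter used to suppress to start arriving. -->
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>

<!-- The classic Application and System logs support eventlog too and can be
     switched the same way. Channels that exist only as event channels
     (for example Microsoft-Windows-Sysmon/Operational) have no eventlog
     equivalent and must stay on eventchannel until the fix for 1469 lands. -->
<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
</localfile>
<localfile>
  <location>System</location>
  <log_format>eventlog</log_format>
</localfile>
```

Replace the eventchannel stanza with the eventlog one rather than keeping both, or the Security log will be collected twice. After the agent restarts, new Security events should show up broken out into fields on the HIDS dashboard instead of only as a raw `message` field in the OSSEC dashboard.
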
Tim Bentley

Mar 2, 2019, 9:36:54 AM
to security-onion
On Saturday, 2 March 2019 09:16:13 UTC, Tim Bentley wrote:
> I have Wazuh configured on 3 machines and get log messages but I do not see any events on Kibana.
> What configuration could I have missed?

Will wait for the update to come.
It is not mission critical and I may mess something else up!

Thanks for the help.
