McAfee and Symantec Alerts - Help


rahul b

Feb 23, 2022, 4:20:27 AM
to Wazuh mailing list
Hi Team,
McAfee and Symantec alerts are not getting into Wazuh via the Windows channel.
I am using the default McAfee and Symantec rulesets.
I'm requesting help to resolve the issue.

Thanks
Rahul

Jesus Linares

Feb 23, 2022, 5:59:24 AM
to Wazuh mailing list
Hi Rahul,

In these cases, we should review the full data flow:
1. The agent collects the event
2. The manager receives the event
3. The event is matched with a rule and generates an alert
4. Filebeat reads the alert and sends it to Elastic
5. Elastic indexes the alert
6. Kibana shows the alert

Usually, the error is in point 1 or 3:
- Check if the agent has the proper configuration (by reviewing the ossec.log) and check if you have events in the Windows Event viewer for the McAfee and Symantec channels.
- At the manager side, you can enable logall in order to see all the events that the manager receives (even if they don't trigger an alert). In this way, you will know if the agent is not collecting the events, or the manager is missing something in the ruleset (decoders/rules).

Please, let me know if you have questions.

rahul b

Feb 24, 2022, 1:29:01 AM
to Wazuh mailing list
Hi Jesus,
The McAfee alert issue has been resolved after adding the Application eventchannel in the client ossec.conf.

Thanks for your support.

Thanks
Rahul
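The two configuration changes discussed in this thread, written out as an added example that is not copied from the posts or from Wazuh's shipped defaults: the agent-side `localfile` for the Application event channel that resolved the McAfee case, and the manager-side `logall` switch suggested for checking whether events reach the manager before any rule matches. The file paths in the comments assume a standard Linux manager install.

```xml
<!-- Windows agent: C:\Program Files (x86)\ossec-agent\ossec.conf (assumed default path).
     Without a <localfile> for the channel the product writes to, step 1 of the
     data flow (agent collects the event) never happens, so nothing can be decoded. -->
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- Manager: /var/ossec/etc/ossec.conf (assumed default path).
     logall writes every received event to /var/ossec/logs/archives/archives.log,
     whether or not a rule fires, which separates "agent not sending" (step 1)
     from "no decoder/rule matched" (step 3). Set it back to "no" once done. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
```

Restart the agent and manager after editing, then check archives.log for the McAfee or Symantec event text; if it is there but no alert appears, the gap is in the decoders or rules rather than in collection.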
