Wazuh Configuration for Security Events and System Audit


Muhammad Kamran

Sep 12, 2023, 1:15:52 AM
to Wazuh | Mailing List
I have installed Wazuh-Manager, Wazuh-Indexer and Wazuh-Dashboard. I managed to open the web console of Wazuh-Dashboard. I added three servers and I want to log them, i.e. I want their security events and system audits. Please help me to configure it so that I can check it out and show it to my management team. My Wazuh version is 4.5 on RHEL 8.3 and I added three machines: 2 are RHEL OS and 1 is Win Server 2018, so please help me check the system audit and security events of all 3 agents. As I have the ossec.conf file in /var/ossec/etc/ossec.conf with YML elements, please help me in this regard.

Md. Nazmur Sakib

Sep 12, 2023, 3:17:41 AM
to Wazuh | Mailing List

Hi Muhammad Kamran,


Hope you are doing well. Thank you for using Wazuh.


Once you have installed an agent and it is connected to the manager, you will be able to see all your security event logs under Modules > Security Events of the Wazuh Dashboard.



For System Audits


Install and enable auditd in your agents.


To check that auditd is running and writing records to /var/log/audit/audit.log, you can issue the command:

tail -f /var/log/audit/audit.log



Check if this configuration is present in the /var/ossec/etc/ossec.conf configuration file of the agent:


<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>


Restart the agent after making changes:

systemctl restart wazuh-agent


Check this document to learn more about the configurations:

https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/audit-configuration.html


Implement a use case to check that your configuration is working. This document can help with it:



https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/use-cases/monitoring-file-and-directory-access.html


Please let me know if this answers your question or if you need any further help.


Regards
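The reply above gives the checks by hand (auditd writing /var/log/audit/audit.log, the localfile block present in the agent's ossec.conf, then a restart). The following is an added example, not code from this thread or from the Wazuh project, that scripts the first two checks as shell functions so the same verification can be repeated on each Linux agent. It assumes the config path and the exact block shown in the reply; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): verify that an
# agent's ossec.conf already forwards auditd records, and print the block to
# add when it does not. The file path is an argument so the check can run
# against a copy; on a real agent it is /var/ossec/etc/ossec.conf.

# Return 0 when some <localfile> block in $1 has log_format "audit" and the
# location /var/log/audit/audit.log; return 1 otherwise. Only a block that
# carries BOTH settings counts, so a stray <location> elsewhere does not pass.
has_audit_localfile() {
  awk '
    /<localfile>/        { inblk = 1; fmt = 0; loc = 0; next }
    /<\/localfile>/      { if (inblk && fmt && loc) found = 1; inblk = 0; next }
    inblk && /<log_format>[ \t]*audit[ \t]*<\/log_format>/                    { fmt = 1 }
    inblk && /<location>[ \t]*\/var\/log\/audit\/audit\.log[ \t]*<\/location>/ { loc = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Print the block from the reply; it belongs inside <ossec_config>.
audit_localfile_block() {
  cat <<'EOF'
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
EOF
}

# Report whether the config needs the block: prints "present" or "missing",
# and in the missing case echoes the block on stderr so it can be pasted in.
check_audit_config() {
  if has_audit_localfile "$1"; then
    echo present
  else
    echo missing
    audit_localfile_block >&2
  fi
}

# Check that the audit log itself is being written: the file exists and was
# modified within the last minute. This is the non-interactive version of the
# "tail -f /var/log/audit/audit.log" test in the reply.
audit_log_is_live() {
  [ -f "$1" ] && [ -n "$(find "$1" -mmin -1 2>/dev/null)" ]
}

# Usage on an agent (then restart with: systemctl restart wazuh-agent):
#   check_audit_config /var/ossec/etc/ossec.conf
#   audit_log_is_live /var/log/audit/audit.log && echo "auditd is writing"
```

The block check is deliberately scoped to one localfile element: an ossec.conf that already reads /var/log/audit/audit.log with log_format syslog would otherwise look configured while the audit decoders never see the records.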

Muhammad Kamran

Sep 12, 2023, 8:20:56 AM
to Wazuh | Mailing List
Thanks for your reply.
I have installed Wazuh-Manager, Indexer and Dashboard and I configured 3 agents: 2 Linux machines and 1 Windows 2018 Server. All the agents are showing, but when I go to Security Events it shows "No Data or Result found". I didn't do anything in the configuration file. What should I do for it? Please help me. Second, I already turned on the audit and the audit log file is already generated, and as per your suggestion I have already added the audit elements to it, but in the System Audit section I found no data or results. Please help me in this regard. I just turned on the sample data, which shows me the graph and data, but this is sample. I want to check the original data of my agents so that I can add all my servers into it.

Muhammad Kamran

Sep 12, 2023, 8:22:23 AM
to Wazuh | Mailing List
Firewall is disabled and SELinux is also disabled on my main server and agent servers.

Md. Nazmur Sakib

Sep 13, 2023, 1:10:25 AM
to Wazuh | Mailing List

Hi Muhammad Kamran,


Sorry for the late response. Can you share some more information so that I can look into it?


Check if there are any logs in alerts.log:


cat /var/ossec/logs/alerts/alerts.log | grep level


Check status of wazuh-manager:

systemctl status wazuh-manager


Check status of wazuh-indexer:

systemctl status wazuh-indexer


Check status of wazuh-dashboard:

systemctl status wazuh-dashboard


Test if filebeat is working properly:

filebeat test output


Share the output of your ossec.log from your Wazuh-manager:


tail /var/ossec/logs/ossec.log

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"


Please share the output of these commands so that I can help find the root cause of this issue.


Regards
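The reply above greps alerts.log for "level" to see whether the manager is producing alerts at all. The added shell example below (not code from this thread or from the Wazuh project) turns that output into a per-rule summary and a maximum-level check, which answers the first question in this troubleshooting path: if alerts.log is filling up but Security Events is empty, the break is between manager and dashboard (filebeat, indexer), not at the agents. The function names are my own and the sample lines in the usage comment are constructed after the "Rule: ... (level N) -> '...'" format the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): summarise the
# "Rule: <id> (level <n>) -> '<description>'" lines found in
# /var/ossec/logs/alerts/alerts.log. JSON event bodies and other lines in the
# file are ignored because they do not start with "Rule:".

# Print one line per rule id, "<count> <rule_id> <level> <description>",
# most frequent first. $1 is the alerts log (or a grep of it).
alert_summary() {
  awk -F"'" '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      split($1, f, " ")                # f[2] = rule id, f[4] = "<level>)"
      id = f[2]; lvl = f[4]; sub(/\)/, "", lvl)
      n[id]++; level[id] = lvl; desc[id] = $2
    }
    END { for (id in n) printf "%d %s %s %s\n", n[id], id, level[id], desc[id] }
  ' "$1" | sort -rn
}

# Highest alert level seen in $1 (0 when there are no Rule lines at all).
max_alert_level() {
  awk '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      split($0, f, " "); l = f[4]; sub(/\)/, "", l)
      if (l + 0 > m) m = l + 0
    }
    END { print m + 0 }
  ' "$1"
}

# Number of alerts in $1 whose level is at least $2. Which levels reach
# alerts.log at all is governed by <log_alert_level> in the manager ossec.conf.
alerts_at_or_above() {
  awk -v min="$2" '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      split($0, f, " "); l = f[4]; sub(/\)/, "", l)
      if (l + 0 >= min + 0) c++
    }
    END { print c + 0 }
  ' "$1"
}

# Usage on the manager:
#   alert_summary /var/ossec/logs/alerts/alerts.log | head
#   max_alert_level /var/ossec/logs/alerts/alerts.log
#   alerts_at_or_above /var/ossec/logs/alerts/alerts.log 10
# Constructed sample input (same shape as the thread's output):
#   Rule: 5901 (level 8) -> 'New group added to the system.'
#   Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
```

A non-zero count here means the manager's analysis pipeline is working; the next things to check are `filebeat test output` and the indexer and dashboard services, as the reply lists.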

Muhammad Kamran

Sep 13, 2023, 8:02:52 AM
to Wazuh | Mailing List
Thanks a lot for your response, and no problem, I know you are very busy.
Here are the statuses you asked for:

[root@sapt-wazhu alerts]# cat /var/ossec/logs/alerts/alerts.log | grep level
Rule: 5901 (level 8) -> 'New group added to the system.'
Rule: 5902 (level 8) -> 'New user added to the system.'
Rule: 5108 (level 12) -> 'System running out of memory. Availability of the system is in risk.'
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T09:44:54.964256900Z","eventRecordID":"2045238","processID":"700","threadID":"7448","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x5FA59401\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t50934\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x5fa59401","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"50934","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T10:08:10.319548500Z","eventRecordID":"2045258","processID":"700","threadID":"752","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x5FBD449B\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t51936\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x5fbd449b","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"51936","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T10:34:37.748453200Z","eventRecordID":"2045278","processID":"700","threadID":"9692","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x5FD8EAEB\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t52987\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x5fd8eaeb","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"52987","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T10:59:00.687934400Z","eventRecordID":"2045292","processID":"700","threadID":"752","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x5FF1860E\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t54021\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x5ff1860e","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"54021","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T11:01:02.760344500Z","eventRecordID":"2045297","processID":"700","threadID":"9788","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x5FF379F8\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t54079\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x5ff379f8","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"54079","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T11:35:55.087884100Z","eventRecordID":"2045317","processID":"700","threadID":"752","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x6018339E\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t55192\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x6018339e","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"55192","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
Rule: 92657 (level 6) -> 'Successful Remote Logon Detected - User:\ANONYMOUS LOGON - NTLM authentication, possible pass-the-hash attack - Possible RDP connection. Verify that SAPT-FIRESDC is allowed to perform RDP connections'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","eventID":"4624","version":"1","level":"0","task":"12544","opcode":"0","keywords":"0x8020000000000000","systemTime":"2023-09-13T11:37:56.512330200Z","eventRecordID":"2045321","processID":"700","threadID":"9560","channel":"Security","computer":"SAPT-HPIRS.SAPT.local","severityValue":"AUDIT_SUCCESS","message":"\"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tIdentification\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-7\r\n\tAccount Name:\t\tANONYMOUS LOGON\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x601AACE1\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\tSAPT-FIRESDC\r\n\tSource Network Address:\t10.10.50.67\r\n\tSource Port:\t\t55267\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tNtLmSsp \r\n\tAuthentication Package:\tNTLM\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\tNTLM V1\r\n\tKey Length:\t\t128\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\""},"eventdata":{"subjectUserSid":"S-1-0-0","subjectLogonId":"0x0","targetUserSid":"S-1-5-7","targetUserName":"ANONYMOUS LOGON","targetDomainName":"NT AUTHORITY","targetLogonId":"0x601aace1","logonType":"3","logonProcessName":"NtLmSsp","authenticationPackageName":"NTLM","workstationName":"SAPT-FIRESDC","logonGuid":"{00000000-0000-0000-0000-000000000000}","lmPackageName":"NTLM V1","keyLength":"128","processId":"0x0","ipAddress":"10.10.50.67","ipPort":"55267","impersonationLevel":"%%1832"}}}
win.system.level: 0
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
[root@sapt-wazhu alerts]#

################################################################################################

[root@sapt-wazhu alerts]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:25:07 PKT; 30min ago
  Process: 1163 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
    Tasks: 133 (limit: 49020)
   Memory: 267.9M
   CGroup: /system.slice/wazuh-manager.service
           ├─2517 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2639 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2642 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2671 /var/ossec/bin/wazuh-authd
           ├─2681 /var/ossec/bin/wazuh-db
           ├─2773 /var/ossec/bin/wazuh-execd
           ├─2788 /var/ossec/bin/wazuh-analysisd
           ├─2804 /var/ossec/bin/wazuh-syscheckd
           ├─2818 /var/ossec/bin/wazuh-remoted
           ├─2856 /var/ossec/bin/wazuh-logcollector
           ├─2879 /var/ossec/bin/wazuh-monitord
           └─2890 /var/ossec/bin/wazuh-modulesd

Sep 13 16:25:01 sapt-wazhu env[1163]: Started wazuh-analysisd...
Sep 13 16:25:01 sapt-wazhu env[1163]: 2023/09/13 16:25:01 wazuh-syscheckd: WARNING: (1230): Invalid element in the configuration: 'database_output'.
Sep 13 16:25:01 sapt-wazhu env[1163]: 2023/09/13 16:25:01 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
Sep 13 16:25:01 sapt-wazhu env[1163]: Started wazuh-syscheckd...
Sep 13 16:25:02 sapt-wazhu env[1163]: Started wazuh-remoted...
Sep 13 16:25:04 sapt-wazhu env[1163]: Started wazuh-logcollector...
Sep 13 16:25:04 sapt-wazhu env[1163]: Started wazuh-monitord...
Sep 13 16:25:05 sapt-wazhu env[1163]: Started wazuh-modulesd...
Sep 13 16:25:07 sapt-wazhu env[1163]: Completed.
Sep 13 16:25:07 sapt-wazhu systemd[1]: Started Wazuh manager.
[root@sapt-wazhu alerts]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:26:34 PKT; 28min ago
     Docs: https://documentation.wazuh.com
 Main PID: 1168 (java)
    Tasks: 100 (limit: 49020)
   Memory: 2.1G
   CGroup: /system.slice/wazuh-indexer.service
           └─1168 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -D>

Sep 13 16:28:31 sapt-wazhu systemd[1]: Starting Wazuh-indexer...
Sep 13 16:24:46 sapt-wazhu systemd-entrypoint[1168]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 13 16:24:46 sapt-wazhu systemd-entrypoint[1168]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Sep 13 16:24:46 sapt-wazhu systemd-entrypoint[1168]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Sep 13 16:24:46 sapt-wazhu systemd-entrypoint[1168]: WARNING: System::setSecurityManager will be removed in a future release
Sep 13 16:25:20 sapt-wazhu systemd-entrypoint[1168]: WARNING: A terminally deprecated method in java.lang.System has been called
Sep 13 16:25:20 sapt-wazhu systemd-entrypoint[1168]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.6.0.jar)
Sep 13 16:25:20 sapt-wazhu systemd-entrypoint[1168]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Sep 13 16:25:20 sapt-wazhu systemd-entrypoint[1168]: WARNING: System::setSecurityManager will be removed in a future release
Sep 13 16:26:34 sapt-wazhu systemd[1]: Started Wazuh-indexer.
[root@sapt-wazhu alerts]#
[root@sapt-wazhu alerts]# systemctl status wazuh-dashbaord
Unit wazuh-dashbaord.service could not be found.
[root@sapt-wazhu alerts]# systemctl status wazuh-dashbaord
Unit wazuh-dashbaord.service could not be found.
[root@sapt-wazhu alerts]# systemctl status wazuh-dashboard.service
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:28:28 PKT; 27min ago
 Main PID: 1062 (node)
    Tasks: 11 (limit: 49020)
   Memory: 92.5M
   CGroup: /system.slice/wazuh-dashboard.service
           └─1062 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

Sep 13 16:26:35 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:35Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:37 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:37Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:39 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:39Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:42 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:42Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:44 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:44Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:47 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:47Z","tags":["error","opensearch","data"],"pid":1062,"message":"[ResponseError]: Response Error"}
Sep 13 16:26:50 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:50Z","tags":["info","savedobjects-service"],"pid":1062,"message":"Starting saved objects migrations"}
Sep 13 16:26:50 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:50Z","tags":["info","plugins-system"],"pid":1062,"message":"Starting [45] plugins: [alertingDashboards,usageCollection,opensearchDashbo>
Sep 13 16:26:53 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:53Z","tags":["listening","info"],"pid":1062,"message":"Server running at https://10.10.90.55:443"}
Sep 13 16:26:53 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-13T11:26:53Z","tags":["info","http","server","OpenSearchDashboards"],"pid":1062,"message":"http server running at https://10.10.90.55:443"}
[root@sapt-wazhu alerts]#
###################################################################################################
[root@sapt-wazhu alerts]# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused
[root@sapt-wazhu alerts]#
###################################################################################################
[root@sapt-wazhu filebeat]# more filebeat
2023-09-13T16:56:43.689+0500    INFO    instance/beat.go:698    Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2023-09-13T16:56:43.689+0500    INFO    instance/beat.go:706    Beat ID: 1f71401c-497b-4eda-bef9-c831fbb6038f
2023-09-13T16:56:43.689+0500    WARN    [cfgwarn]       template/config.go:88   DEPRECATED: Please migrate your JSON templates from legacy template format to composable index template. Will be removed in version: 8.0.0
2023-09-13T16:56:43.690+0500    INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'filebeat-7.17.12' as ILM is enabled.
2023-09-13T16:56:43.690+0500    WARN    [cfgwarn]       tlscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please u
pdate your certificates if needed. Will be removed in version: 8.0.0
2023-09-13T16:56:43.690+0500    INFO    [esclientleg]   eslegclient/connection.go:105   elasticsearch url: https://127.0.0.1:9200
[root@sapt-wazhu filebeat]# systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:28:31 PKT; 33min ago
     Docs: https://www.elastic.co/beats/filebeat
 Main PID: 1164 (filebeat)
    Tasks: 9 (limit: 49020)
   Memory: 26.9M
   CGroup: /system.slice/filebeat.service
           └─1164 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Sep 13 16:28:31 sapt-wazhu systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch..
[root@sapt-wazhu filebeat]#
###################################################################################################

[root@sapt-wazhu alerts]# tail /var/ossec/logs/ossec.log
2023/09/13 16:25:04 wazuh-modulesd:control: INFO: Starting control thread.
2023/09/13 16:25:04 wazuh-modulesd:download: INFO: Module started.
2023/09/13 16:25:04 wazuh-modulesd:database: INFO: Module started.
2023/09/13 16:25:04 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2023/09/13 16:25:04 wazuh-modulesd:syscollector: INFO: Module started.
2023/09/13 16:25:04 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/09/13 07:25:06 wazuh-analysisd: INFO: EPS limit disabled
2023/09/13 16:25:13 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/09/13 16:26:03 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2023/09/13 16:27:42 rootcheck: INFO: Ending rootcheck scan.
[root@sapt-wazhu alerts]#


[root@sapt-wazhu alerts]# cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
2023/09/13 16:24:19 wazuh-syscheckd: WARNING: (1230): Invalid element in the configuration: 'database_output'.
2023/09/13 16:25:01 wazuh-syscheckd: WARNING: (1230): Invalid element in the configuration: 'database_output'.
2023/09/13 16:25:01 wazuh-syscheckd: WARNING: The check_unixaudit option is deprecated in favor of the SCA module.
[root@sapt-wazhu alerts]#

Md. Nazmur Sakib

unread,
Sep 13, 2023, 8:26:44 AM9/13/23
to Wazuh | Mailing List

Hi Muhammad Kamran,

Your Wazuh manager and dashboard are working fine. I can see the alert logs are inside the alerts.log folder. It seems like there is some error in your filebeat configuration.

Run cat /etc/filebeat/filebeat.yml

and share the configuration.

Check if these three certificate files are in the /etc/filebeat/certs folder.

Restart filebeat:

systemctl daemon-reload

systemctl restart filebeat

Restart wazuh-indexer:

systemctl restart wazuh-indexer

And run this command again to test if filebeat is properly configured:

filebeat test output

You can check this document for reference:

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html

Check those configurations and share the updates.

Regards


Muhammad Kamran

unread,
Sep 14, 2023, 3:50:34 AM9/14/23
to Wazuh | Mailing List
I have checked; the LISTENING port is not OK. Here is the status now:
[root@sapt-wazhu filebeat]# systemctl daemon-reload
[root@sapt-wazhu filebeat]# systemctl restart filebeat
[root@sapt-wazhu filebeat]# systemctl restart wazuh-indexer
[root@sapt-wazhu filebeat]# filebeat test output
elasticsearch: https://127.0.0.1:9201...

  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR tls: first record does not look like a TLS handshake
[root@sapt-wazhu filebeat]#
[root@sapt-wazhu certs]# netstat -apn | grep LISTEN
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2100/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1100/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1096/cupsd
tcp        0      0 0.0.0.0:55000           0.0.0.0:*               LISTEN      2517/python3
tcp        0      0 10.10.90.55:443         0.0.0.0:*               LISTEN      1062/node
tcp        0      0 10.10.90.55:5601        0.0.0.0:*               LISTEN      1182/node
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      2818/wazuh-remoted
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2671/wazuh-authd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp6       0      0 127.0.0.1:9201          :::*                    LISTEN      1173/java
tcp6       0      0 ::1:9201                :::*                    LISTEN      1173/java
tcp6       0      0 10.10.90.55:9300        :::*                    LISTEN      306126/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      1173/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      1173/java
tcp6       0      0 :::22                   :::*                    LISTEN      1100/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1096/cupsd
tcp6       0      0 :::33060                :::*                    LISTEN      2314/mysqld
tcp6       0      0 :::3306                 :::*                    LISTEN      2314/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 10.10.90.55:9200        :::*                    LISTEN      306126/java
unix  2      [ ACC ]     STREAM     LISTENING     27391    1/systemd            /run/libvirt/libvirt-admin-sock
unix  2      [ ACC ]     STREAM     LISTENING     24318    1/systemd            /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     27394    1/systemd            /run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     769      1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     30724    1044/lsmd            /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     30726    1044/lsmd            /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     27398    1/systemd            /run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     27402    1/systemd            /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     31501    1565/systemd         /run/user/42/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     27406    1/systemd            /run/libvirt/virtlockd-sock
unix  2      [ ACC ]     STREAM     LISTENING     29144    1119/gssproxy        /var/lib/gssproxy/default.sock
unix  2      [ ACC ]     STREAM     LISTENING     24322    1/systemd            @/org/kernel/linux/storage/multipathd
unix  2      [ ACC ]     STREAM     LISTENING     27929    1056/mcelog          /var/run/mcelog-client
unix  2      [ ACC ]     STREAM     LISTENING     33730    2117/gnome-session-  @/tmp/.ICE-unix/2117
unix  2      [ ACC ]     STREAM     LISTENING     262852   1231/gdm             @/tmp/dbus-WUdN7HuS
unix  2      [ ACC ]     STREAM     LISTENING     27925    1059/irqbalance      @irqbalance1059.sock
unix  2      [ ACC ]     STREAM     LISTENING     27405    1/systemd            @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     262853   1231/gdm             @/tmp/dbus-adpnOUaT
unix  2      [ ACC ]     STREAM     LISTENING     45214    2681/wazuh-db        queue/db/wdb
unix  2      [ ACC ]     STREAM     LISTENING     39051    2262/dbus-daemon     @/tmp/dbus-ltsqiHdplP
unix  2      [ ACC ]     STREAM     LISTENING     40047    2314/mysqld          /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     33777    2232/Xwayland        /tmp/.X11-unix/X1024
unix  2      [ ACC ]     STREAM     LISTENING     1998941  304201/pulseaudio    /tmp/.esd-1001/socket
unix  2      [ ACC ]     STREAM     LISTENING     43644    2671/wazuh-authd     queue/sockets/auth
unix  2      [ ACC ]     STREAM     LISTENING     46274    2773/wazuh-execd     queue/sockets/com
unix  2      [ ACC ]     STREAM     LISTENING     45407    2788/wazuh-analysis  queue/sockets/analysis
unix  2      [ ACC ]     STREAM     LISTENING     45413    2788/wazuh-analysis  queue/sockets/logtest
unix  2      [ ACC ]     STREAM     LISTENING     44635    2890/wazuh-modulesd  queue/tasks/upgrade
unix  2      [ ACC ]     STREAM     LISTENING     30782    1042/sssd            /var/lib/sss/pipes/private/sbus-monitor
unix  2      [ ACC ]     STREAM     LISTENING     45412    2818/wazuh-remoted   queue/sockets/remote
unix  2      [ ACC ]     STREAM     LISTENING     45423    2890/wazuh-modulesd  queue/tasks/task
unix  2      [ ACC ]     STREAM     LISTENING     44560    2804/wazuh-syscheck  queue/sockets/syscheck
unix  2      [ ACC ]     STREAM     LISTENING     45417    2856/wazuh-logcolle  queue/sockets/logcollector
unix  2      [ ACC ]     STREAM     LISTENING     44636    2890/wazuh-modulesd  queue/sockets/download
unix  2      [ ACC ]     STREAM     LISTENING     46330    2890/wazuh-modulesd  queue/sockets/wmodules
unix  2      [ ACC ]     STREAM     LISTENING     46333    2890/wazuh-modulesd  queue/sockets/control
unix  2      [ ACC ]     STREAM     LISTENING     57997    2879/wazuh-monitord  queue/sockets/monitor
unix  2      [ ACC ]     STREAM     LISTENING     33731    2117/gnome-session-  /tmp/.ICE-unix/2117
unix  2      [ ACC ]     STREAM     LISTENING     39141    2381/ibus-daemon     @/tmp/dbus-fXWiF4Yx
unix  2      [ ACC ]     STREAM     LISTENING     30371    1038/VGAuthService   /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     1997483  304186/systemd       /run/user/1001/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     35247    1565/systemd         /run/user/42/pipewire-0
unix  2      [ ACC ]     STREAM     LISTENING     35249    1565/systemd         /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     31196    1231/gdm             @/tmp/dbus-8ygYwjqu
unix  2      [ ACC ]     STREAM     LISTENING     1998516  304186/systemd       /run/user/1001/bus
unix  2      [ ACC ]     STREAM     LISTENING     35252    1565/systemd         /run/user/42/bus
unix  2      [ ACC ]     STREAM     LISTENING     1998518  304186/systemd       /run/user/1001/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     27397    1/systemd            @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     38354    2136/gnome-shell     /run/user/42/wayland-0
unix  2      [ ACC ]     STREAM     LISTENING     33776    2232/Xwayland        @/tmp/.X11-unix/X1024
unix  2      [ ACC ]     STREAM     LISTENING     24274    1/systemd            /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     1998551  304186/systemd       /run/user/1001/pipewire-0
unix  2      [ ACC ]     STREAM     LISTENING     31197    1231/gdm             @/tmp/dbus-76YWLmjJ
unix  2      [ ACC ]     STREAM     LISTENING     29145    1119/gssproxy        /run/gssproxy.sock
unix  2      [ ACC ]     SEQPACKET  LISTENING     24294    1/systemd            /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     31798    1120/sssd_nss        /var/lib/sss/pipes/nss
unix  2      [ ACC ]     STREAM     LISTENING     27377    1/systemd            /run/libvirt/virtlogd-sock
unix  2      [ ACC ]     SEQPACKET  LISTENING     24307    1/systemd            /run/systemd/coredump
unix  2      [ ACC ]     STREAM     LISTENING     29104    1094/sssd_be         /var/lib/sss/pipes/private/sbus-dp_implicit_files.1094
unix  2      [ ACC ]     STREAM     LISTENING     27381    1/systemd            /run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     24310    1/systemd            /run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     37880    2314/mysqld          /var/run/mysqld/mysqlx.sock
unix  2      [ ACC ]     STREAM     LISTENING     27384    1/systemd            /run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     27388    1/systemd            /var/run/.heim_org.h5l.kcm-socket
[root@sapt-wazhu certs]# cd ..
[root@sapt-wazhu filebeat]# vi filebeat.yml

Wazuh | Mailing List

unread,
Sep 19, 2023, 5:32:24 AM9/19/23
to Wazuh | Mailing List
Hi,
Please check this output:
[root@sapt-wazhu ~]#
[root@sapt-wazhu ~]# filebeat test output
elasticsearch: https://127.0.0.1:9201...

  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR tls: first record does not look like a TLS handshake

[root@sapt-wazhu ~]# more /etc/filebeat/filebeat.yml

# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9201
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: admin
  password: admin@123
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
[root@sapt-wazhu ~]#
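As an added example (not code from this thread, from Wazuh or from Filebeat), the following POSIX shell script automates the three checks the replies above walk through by hand: that the certificate files filebeat.yml references are present in /etc/filebeat/certs, which host:port Filebeat is configured to dial, and which process is actually listening on that port according to a saved "netstat -apn | grep LISTEN" listing. It assumes the dotted "output.elasticsearch.hosts:" list form shown in the posted filebeat.yml; the sample input it creates is constructed from a trimmed copy of this thread's own output so the script runs offline.

```shell
#!/bin/sh
# Added diagnostic helper for the checks this thread performs by hand.
# It is not part of Wazuh or Filebeat. Assumptions: filebeat.yml uses the
# dotted "output.elasticsearch.hosts:" list form shown in the thread, the
# listener table is the saved text of "netstat -apn | grep LISTEN", and the
# three certificate names are the ones the thread's filebeat.yml references.

# 1. Report each expected certificate file that is missing or unreadable in
#    the given directory. Return value: number of missing files (0 = all ok).
check_certs_present() {
    certs_dir="$1"
    missing=0
    for f in root-ca.pem wazuh-server.pem wazuh-server-key.pem; do
        if [ ! -r "$certs_dir/$f" ]; then
            echo "MISSING: $certs_dir/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# 2. Print the active (uncommented) entries of output.elasticsearch.hosts,
#    one host:port per line.
filebeat_hosts() {
    awk '
        /^output\.elasticsearch\.hosts:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            next
        }
        inlist && /^[[:space:]]*#/ { next }    # skip commented-out nodes
        inlist && /^[[:space:]]*$/ { next }    # skip blank lines
        inlist { inlist = 0 }                  # next top-level key ends the list
    ' "$1"
}

# 3. Print the PID/program of every TCP listener bound to the given port
#    (any address family), as recorded in the saved netstat listing.
listeners_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # last field after ":" is the port
            if (a[n] == p) print $NF
        }
    ' "$2"
}

# Cross-check: for each configured host:port, say who is listening there.
# "dial up... OK" followed by "first record does not look like a TLS
# handshake" means the listener answered in plaintext, so the program bound
# to that port is the thing to look at before the certificates.
report_hosts() {
    yml="$1"
    listing="$2"
    filebeat_hosts "$yml" | while IFS= read -r hp; do
        port="${hp##*:}"
        who="$(listeners_on_port "$port" "$listing" | sort -u | tr '\n' ' ')"
        who="${who% }"
        if [ -z "$who" ]; then
            echo "$hp: nothing listening on port $port"
        else
            echo "$hp: listening -> $who"
        fi
    done
}

# Constructed sample input (a trimmed copy of the thread's own output) so the
# script runs offline; on a real server point the functions at the live files.
make_samples() {
    mkdir -p "$1/certs"
    cat > "$1/filebeat.yml" <<'EOF'
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9201
#        - <elasticsearch_ip_node_2>:9200

output.elasticsearch:
  protocol: https
EOF
    cat > "$1/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      2818/wazuh-remoted
tcp6       0      0 127.0.0.1:9201          :::*                    LISTEN      1173/java
tcp6       0      0 ::1:9201                :::*                    LISTEN      1173/java
tcp6       0      0 10.10.90.55:9200        :::*                    LISTEN      306126/java
unix  2      [ ACC ]     STREAM     LISTENING     45214    2681/wazuh-db        queue/db/wdb
EOF
}

demo_dir="$(mktemp -d)"
make_samples "$demo_dir"
check_certs_present "$demo_dir/certs" || echo "certificate files missing: $?"
report_hosts "$demo_dir/filebeat.yml" "$demo_dir/netstat.txt"
rm -rf "$demo_dir"
```

On a server you would call check_certs_present /etc/filebeat/certs and report_hosts /etc/filebeat/filebeat.yml with the saved netstat output. Read against the listing posted earlier in this thread, the configured 127.0.0.1:9201 is bound by one java process (PID 1173) while 10.10.90.55:9200 is bound by a different one (PID 306126), so confirming which port the Wazuh indexer is actually serving TLS on is the first thing to settle; a plaintext answer on the configured port explains the handshake error regardless of the certificate files.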

Muhammad Kamran

unread,
Oct 4, 2023, 1:48:16 AM10/4/23
to Wazuh | Mailing List
Did you receive my mail? Please help me in this regard.