Disable security events


Sergey E.

Apr 25, 2024, 1:17:39 PM
to Wazuh | Mailing List
Hi Team,

I have one question: how do I disable only security events from logging?
I mean that I still want to use Vulnerability and SCA, but I do not want all Linux servers to flood the logs with their security events.

Gonzalo Acuña

Apr 25, 2024, 2:01:42 PM
to Wazuh | Mailing List
Hi, Sergey.
Which specific security events do you want to avoid?

If you have identified some alerts that are not useful, you can disable the related rules.

In order to suppress an alert, you can add a custom rule in your local_rules.xml file to set the desired alert level to 0 (https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html).

For example:

<rule id="100003" level="0">
  <if_sid>60602</if_sid>
  <description>Rule suppression</description>
</rule>

<rule id="100004" level="0">
  <if_sid>60601</if_sid>
  <description>Rule suppression</description>
</rule>


This will suppress alerts with 60601 and 60602.

Also, you can overwrite the alert using the overwrite option to suppress it:

<rule id="60602" level="0" overwrite="yes">
  <description>Rule suppression</description>
</rule>


Please let me know if this information was helpful.

Regards.
Gonzalo.

Sergey E.

Apr 26, 2024, 6:23:13 AM
to Wazuh | Mailing List
Hi Gonzalo,

Your information was very helpful. But it looks like a lot of work, which will be doubled if I need to revert it (a very possible scenario).

For this moment I want to use Wazuh only for SCA and Vulnerabilities scan.

I have a Splunk installation, and Splunk already gets all the needed security events. So Wazuh just duplicates them and uses a lot of disk space to store alerts.json.

For example, this is the top list for 24 hours:

ossec                   2321758
rootcheck               2312612
syslog                   922325
windows                  690368
web                      448973
pam                      400436
windows_security         397752
accesslog                349481
attack                   326429
sudo                     291882
authentication_success   226746
sysmon                   216188

And I don't want to store them.

Just need "vulnerability-detector" and "sca" events.


Thursday, April 25, 2024 at 21:01:42 UTC+3, Gonzalo Acuña:

Gonzalo Acuña

Apr 26, 2024, 9:20:41 AM
to Wazuh | Mailing List
Hi.
In your case, the only modules/configurations you should enable are the following:
- Vulnerability Detector enabled in the manager and configured correctly.
- SCA enabled on the agents (and if you want the manager to be scanned, then also on the manager).

To disable the additional modules of the different agent configurations, without having to do it manually in each agent, you can make use of the centralized configuration:
https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
This configuration is set from the manager, and it will be shared with the different agents (taking into account the groups). This way, if you disable the modules in this configuration, they should be overwritten in the agent and disable those modules.

Regards.
Gonzalo.
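A concrete centralized configuration for this setup, added here as an example (it is not Gonzalo's file and not a file the Wazuh project ships). It assumes Wazuh 4.x Linux agents in the "default" group, so the file is /var/ossec/etc/shared/default/agent.conf on the manager; for other groups use that group's directory. It keeps SCA, keeps the syscollector inventory that vulnerability detection is built on, and disables the modules behind the two largest groups in the 24-hour list (rootcheck, which is almost the whole of the "ossec" count since rootcheck rules carry both groups, and syscheck/FIM), plus the optional wodles that would otherwise keep producing alerts:

```xml
<!-- /var/ossec/etc/shared/default/agent.conf (assumed path, "default" group).
     Added example for a SCA + vulnerability-only deployment; not Wazuh's own file. -->
<agent_config os="Linux">

  <!-- Keep: SCA is one of the two things we still want. -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- Keep: vulnerability detection uses the package/OS inventory that
       syscollector sends from each agent; disabling it silently empties
       the vulnerability results. -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <os>yes</os>
    <packages>yes</packages>
    <hardware>no</hardware>
    <network>no</network>
    <ports>no</ports>
    <processes>no</processes>
  </wodle>

  <!-- Off: rootcheck and FIM are the "rootcheck"/"ossec" volume in the 24h list. -->
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <syscheck>
    <disabled>yes</disabled>
  </syscheck>

  <!-- Off: other integrations that would still alert if an agent has them enabled locally. -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
  </wodle>
  <wodle name="osquery">
    <disabled>yes</disabled>
  </wodle>
  <wodle name="docker-listener">
    <disabled>yes</disabled>
  </wodle>

</agent_config>
```

Two checks before relying on it: run /var/ossec/bin/verify-agent-conf on the manager to catch XML or option errors (a broken agent.conf is not pushed), and compare the hash of /var/ossec/etc/shared/default/merged.mg with the "Shared file hash" that /var/ossec/bin/agent_control -i <agent_id> reports for an agent, which confirms the agent has received the new merged configuration. Two caveats: shared configuration can only add log sources, so <localfile> entries in an agent's own ossec.conf (the source of the syslog, pam, sudo, web and Windows channel groups) are not switched off by anything you put here; and the manager-side vulnerability block is named vulnerability-detector before Wazuh 4.8 and vulnerability-detection from 4.8 on, so check the block name against your release when you enable it.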

Sergey E.

May 2, 2024, 8:37:52 AM
to Wazuh | Mailing List
Hi Gonzalo, thank you for the reply.

Will try this way. 
Which of the modules gives me the syslog, web, pam and sudo events?
Friday, April 26, 2024 at 16:20:41 UTC+3, Gonzalo Acuña:

Gonzalo Acuña

May 13, 2024, 12:39:08 PM
to Wazuh | Mailing List
Hi.
Those events need the localfile configuration.

Regards.
Gonzalo.
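The localfile blocks live in each agent's own /var/ossec/etc/ossec.conf, not in the shared agent.conf (which can add log sources but cannot remove ones the agent already has). The fragment below is an added example, not Gonzalo's configuration and not the ossec.conf Wazuh installs; it assumes a Debian/Ubuntu agent (on RHEL-family hosts the equivalents are /var/log/secure and /var/log/messages) and an Apache access log at an assumed path. It shows the default entries that feed the groups Sergey asked about commented out, with a note on which group each one produces, and only the active-response log left as a source. The windows_security and sysmon counts come from the matching eventchannel localfile entries in the Windows agents' ossec.conf and are removed the same way.

```xml
<!-- Agent /var/ossec/etc/ossec.conf, localfile section only (added example;
     Debian/Ubuntu paths assumed, Apache path assumed). -->
<ossec_config>

  <!-- Kept only if active responses are still in use; drop it too if not. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <!-- Removed: sshd, sudo and PAM lines in auth.log are what the pam, sudo
       and authentication_success rule groups are built from. -->
  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  -->

  <!-- Removed: everything else in the syslog group comes from here. -->
  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  -->

  <!-- Removed: web, accesslog and attack groups come from web server
       access logs (apache log_format; path is an assumption). -->
  <!--
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  -->

  <!-- Removed: the periodic command sources in the default agent config
       (df -P, netstat listening ports, last -n 20) alert under the ossec
       group whenever their output changes. -->
  <!--
  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>
  -->

</ossec_config>
```

Restart the agent after editing (systemctl restart wazuh-agent) and confirm the change took effect by checking /var/ossec/logs/ossec.log on the agent: at startup wazuh-logcollector writes one "Analyzing file: '<path>'" line per monitored file, so the removed paths should no longer appear. Since Splunk reads these files through its own forwarder, removing them from the Wazuh agent does not change what Splunk receives.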