Fortiauthenticator alerts
133 views
Skip to first unread message
Moroni Correia Santos
Dec 6, 2022, 7:36:18 PM12/6/22
to Wazuh mailing list
Hi guys, good afternoon to everyone, I need some help with my manager, so, for some reason, I'm not recieving alerts from my fortiauthenticator in the wazuh dashboard, but the alerts arrive on my telegram integration.
.png?part=0.2&view=1)
.png?part=0.1&view=1)
.png?part=0.5&view=1)
I did a tcpdump from my wazuh machine and I captured a couple of FortiAuthenticator logs that are arriving, I tested them on the log test tool and it shows that it's supposed to generate an alert, but it just doesn't. can anyone help me in making these logs trigger alerts like they should?
I did a tcpdump from my wazuh machine and I captured a couple of FortiAuthenticator logs that are arriving, I tested them on the log test tool and it shows that it's supposed to generate an alert, but it just doesn't. can anyone help me in making these logs trigger alerts like they should?
Carlos Dams
Dec 7, 2022, 9:21:09 AM12/7/22
to Wazuh mailing list
Hi Moroni,
Thanks for using Wazuh!
Thanks for the screenshots, those are very helpful.
I noticed you have rule id 44733 in Telegram, could you search for this specific rule in Wazuh Web UI instead of using FortiAuth* and let me know if you find the same events you are receiving in Telegram?
You can enter the following in the Search bar of Security events: rule.id: 44733 or add it as a filter.
Let's see if Filebeat is working well, execute the following command from the shell where Wazuh is installed: filebeat test output
Provide me with the result of this
Finally, let's check the state of the shards, you can execute the following commands from the Web UI in Dev Tools:
- The number of shards that the installation currently has: GET /_cluster/stats?filter_path=indices.shards.total
- The maximum number of shards: GET /_cluster/settings?include_defaults=true&flat_settings=true&pretty=true&filter_path=defaults.cluster\.max_shards_per_node
All the previous steps will help us understand better the problem
Moroni Correia Santos
Dec 7, 2022, 10:38:55 AM12/7/22
to Wazuh mailing list
Hi Carlos, thanks for answering, here's the outputs to the tests you asked:
GET /_cluster/stats?filter_path=indices.shards.total:
GET /_cluster/settings?include_defaults=true&flat_settings=true&pretty=true&filter_path=defaults.cluster\.max_shards_per_node:
Searching for rule.id: 44733:
filebeat test output:
Carlos Dams
Dec 13, 2022, 8:41:19 AM12/13/22
to Wazuh mailing list
Hi Moroni,
Thanks,
Thanks again for the screenshots and I'm sorry for this late reply.
From what you sent everything seems ok, probably Filebeat is not ingesting the events to Wazuh Indexer for some reason so let's check that:
Execute on the Wazuh Manager host:
grep -nir ".Cannot index event*" /var/log/filebeat/ /var/log/messages
Also, from the Wazuh indexer host:
grep -nir ".Cannot index event*" /var/log/wazuh-indexer/
Let me know if the commands outputs any message related to the rule 44733 on the terminal.
You can share with me the following logs and I will take a look too.
- /var/log/filebeat/filebeat
- /var/log/messages (this depends on the OS)
- /var/log/wazuh-indexer/wazuh-cluster.log
Thanks,
Reply all
Reply to author
Forward
0 new messages