I have set up a SIEM with two scans for my machines: an in-depth scan with Wazuh and a surface scan with an IDS/IPS, which is Suricata (I have configured Suricata on my pfSense machine). I would like both agents to report alerts on the same dashboard rather than on two separate ones. Currently, I can send my Suricata logs from my pfSense machine to an eve.json file on my Wazuh machine. I have configured my ossec.conf file to include the following:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
Here is a portion of the logs received by my Wazuh machine:
pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}
I then changed the rules in the suricata_rules.xml file to set the rule levels to 5 instead of 0. Despite this, I still do not have my Suricata alerts on my Wazuh dashboard, and I am unsure what to modify or add to achieve this. Could you provide guidance to help me resolve this issue? Thank you in advance for your response.
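Added example (not part of the question, and not Wazuh or Suricata code): a small Python check over the kind of lines quoted above. It distinguishes a bare Eve JSON object per line from the syslog-wrapped form ("host suricata[pid]: {...}") shown in the post, recovers the JSON body from the wrapped form, and counts records by event_type so you can see whether the file actually contains any "alert" records (the only Eve event type produced by an IDS signature match) as opposed to "dns", "flow" and similar telemetry. The first sample line is the record quoted in the question; the second is a constructed "alert" record; the syslog-prefix regex is an assumption based on that one quoted line.

```python
import json
import re

# Sample input: the first line is the syslog-wrapped record quoted in the
# question; the second is a constructed bare Eve "alert" record (not from
# the post) of the kind a Suricata signature match produces.
SAMPLE_LINES = [
    'pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000",'
    '"flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12",'
    '"src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap",'
    '"dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}',
    '{"timestamp":"2024-07-01T14:36:02.000000+0000","flow_id":1,"in_iface":"vtnet3",'
    '"event_type":"alert","src_ip":"10.95.95.12","src_port":40000,"dest_ip":"10.95.95.1",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,'
    '"rev":1,"signature":"CONSTRUCTED TEST RULE","category":"Misc activity","severity":3}}',
]

# Assumed shape of the syslog wrapping seen in the post:
# "<host> suricata[<pid>]: <json object>"
SYSLOG_WRAPPED = re.compile(r'^(?P<host>\S+)\s+suricata\[(?P<pid>\d+)\]:\s*(?P<body>\{.*\})\s*$')


def is_bare_json_object(line: str) -> bool:
    """True if the whole line is a single JSON object, which is what a
    one-object-per-line JSON log decoder expects; False otherwise."""
    try:
        return isinstance(json.loads(line), dict)
    except json.JSONDecodeError:
        return False


def extract_eve_event(line: str):
    """Return the Eve event dict from a bare JSON line or a syslog-wrapped
    one; None if neither form parses."""
    line = line.strip()
    if is_bare_json_object(line):
        return json.loads(line)
    m = SYSLOG_WRAPPED.match(line)
    if m:
        try:
            return json.loads(m.group("body"))
        except json.JSONDecodeError:
            return None
    return None


def normalise_lines(lines):
    """Rewrite every parseable line as a bare JSON object, one per line,
    dropping lines that cannot be parsed."""
    out = []
    for line in lines:
        event = extract_eve_event(line)
        if event is not None:
            out.append(json.dumps(event, separators=(",", ":")))
    return out


def summarise(lines):
    """Count events per event_type and collect (signature_id, signature,
    severity) for 'alert' events, the only records that represent a rule match."""
    counts = {}
    alerts = []
    for line in lines:
        event = extract_eve_event(line)
        if event is None:
            counts["unparseable"] = counts.get("unparseable", 0) + 1
            continue
        etype = event.get("event_type", "unknown")
        counts[etype] = counts.get(etype, 0) + 1
        if etype == "alert":
            a = event.get("alert", {})
            alerts.append((a.get("signature_id"), a.get("signature"), a.get("severity")))
    return {"counts": counts, "alerts": alerts}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = extract_eve_event(line) or {}
        print("bare JSON:", is_bare_json_object(line), "| event_type:", event.get("event_type"))
    print(summarise(SAMPLE_LINES))
```

Run it against a few lines copied from the real file: if is_bare_json_object() reports False for them, the file is syslog-wrapped rather than pure JSON, and a decoder configured for bare JSON lines will not see the fields; if the counts show no "alert" entries at all, the forwarded output contains only protocol telemetry and there is nothing for alert-level rules to match yet.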