Severity 12 Alert not Triggering
161 views
Skip to first unread message
John Carry
Dec 23, 2022, 11:09:53 AM12/23/22
to Wazuh mailing list
Hello Wazuh Team,
Please understand my scenario first: Today whole day I was working on Health check script and customizing as per my environment.
Both the scripts worked well and created its log entry on provided log file, but the problem is not with second script "Used to monitor wazuh server resources like RAM,CPU and disk" worked well and triggered level 12 alert on both CLI and GUI when ever it meet my provided condition.
But the problem was with script 1 which was used to monitor critical wazuh services by checking their PIDs, the script worked well but it didn't triggered level 12 alert neither on CLI and GUI, the weird thing is that manually testing the log matches the rule (Have attached SC).
I am attaching the relevant snapshots for your reference, you are requested to please go through it and help why is it nor triggering as both the scripts are same to some level.
Ossec.conf Configuration:
Luis Daniel Avendaño Larios
Dec 23, 2022, 12:08:07 PM12/23/22
to Wazuh mailing list
Hello John,
Thanks for using wazuh!
First of all, we need to verify that the log in the file /health.json looks the same way as in wazuh-logtest (first screenshot). In case the log is generating correctly we will need to check if the log is ingested by the manager, for this we will need to activate <logall_json> (changing no with yes) in the ossec.conf in the manager (you must restart the wazuh-manager service to apply the changes) to see in archives every log reaching the manager and also what it is doing with each log. Once you have activated logall_json you can see new logs arriving at the manager with the tail command:
tail -f /var/ossec/logs/archives/archives.json
Also, you can grep there for specific data.
After making these tests you may turn off <logall_json>, since this file may consume a considerable quantity of disk space.
Let us know how the results of these tests went.
Regards,
Luis Avendaño.
Thanks for using wazuh!
First of all, we need to verify that the log in the file /health.json looks the same way as in wazuh-logtest (first screenshot). In case the log is generating correctly we will need to check if the log is ingested by the manager, for this we will need to activate <logall_json> (changing no with yes) in the ossec.conf in the manager (you must restart the wazuh-manager service to apply the changes) to see in archives every log reaching the manager and also what it is doing with each log. Once you have activated logall_json you can see new logs arriving at the manager with the tail command:
tail -f /var/ossec/logs/archives/archives.json
Also, you can grep there for specific data.
After making these tests you may turn off <logall_json>, since this file may consume a considerable quantity of disk space.
Let us know how the results of these tests went.
Regards,
Luis Avendaño.
John Carry
Dec 24, 2022, 2:20:40 AM12/24/22
to Wazuh mailing list
Hello luis,
Alerts.json file is also not showing any results:
Thanks for your support, literally I am still unable to understand how-come wazuh is not able to detect level 12 alert when everything is fine due to the fact exactly same script is been placed and working absolutely fine. BTW I have followed your instruction and pasted below results.
I would again request to take this issue on high priority because if wazuh have such bugs then it is quite alarming for infosec industry where large count of organizations are relying on Wazuh for securing their critical infrastructure.
This is actual script block that is problematic:
Script-Test when syscheckd service is killed and log received on health.json file which is exactly same with the wazuh-logtest screenshot shared earlier.
After enabling logall_json to yes, tested the script 3 times, below is again the result of health.json file.
Output of archives.json file where all the logs are observed but not the actual one which is problematic the one where the message is "healthy":attempting_restart" is not received.
Alerts.json file is also not showing any results:
Regards,
John Carry
John Carry
Dec 25, 2022, 11:48:06 PM12/25/22
to Wazuh mailing list
Hello luis,
Looking forward for your response.
Regards,
John
Luis Daniel Avendaño Larios
Jan 5, 2023, 4:37:12 PM1/5/23
to Wazuh mailing list
Hello John,
I'm sorry for not getting back to you sooner.
Could you share a sample of the health.json file that includes the attempting_restart field? Also, could you share with me the ruleset you are working on and the version of wazuh you are currently running?
I remain attentive to your response.
Regards,
Luis Avendaño.
I'm sorry for not getting back to you sooner.
Could you share a sample of the health.json file that includes the attempting_restart field? Also, could you share with me the ruleset you are working on and the version of wazuh you are currently running?
I remain attentive to your response.
Regards,
Luis Avendaño.
Reply all
Reply to author
Forward
0 new messages