Not able to view Suricata logs on Wazuh.


Chappie uploads

Jan 6, 2024, 10:03:00 PM1/6/24
to Wazuh | Mailing List
Hello team,
I have recently installed Wazuh on a Linux distro (Ubuntu 22) and the agent along with Suricata on Ubuntu 20. I am able to view the logs in the eve.json file, but after following the instructions in the Network IDS integration - Proof of Concept guide (Wazuh documentation) I am not able to see any alerts related to Suricata on my Wazuh dashboard.


This is my dashboard:

Screenshot 2024-01-05 164617.png
Screenshot 2024-01-05 165037.png

Md. Nazmur Sakib

Jan 7, 2024, 11:44:48 PM1/7/24
to Wazuh | Mailing List

Hi Chappie,


Hope you are doing well. Thank you for using Wazuh.


Can you share the output of these commands


cat /var/log/suricata/suricata.log | grep -i -E "Error"


tail -n 20 /var/log/suricata/suricata.log

from the endpoint where you have installed Suricata.


Also share the output of this command from the Wazuh manager, to find whether there is any relevant error log in ossec.log:


cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"


Let me know the update on the issue.


Regards

Md. Nazmur Sakib

Chappie uploads

Jan 10, 2024, 7:07:52 AM1/10/24
to Wazuh | Mailing List
Hello team,
Any update on this?

Md. Nazmur Sakib

Jan 11, 2024, 5:20:25 AM1/11/24
to Wazuh | Mailing List

Hi Chappie,


To help me find the root cause, can you share the output of these commands


cat /var/log/suricata/suricata.log | grep -i -E "Error"


tail -n 20 /var/log/suricata/suricata.log

from the endpoint where you have installed Suricata.


Also share the output of this command from the Wazuh manager, to find whether there is any relevant error log in ossec.log:


cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"




Regards

Md. Nazmur Sakib

Chappie uploads

Jan 12, 2024, 8:02:15 AM1/12/24
to Wazuh | Mailing List
Hello Nazmur, I did send you the logs to your personal email address, apologies for that. Here are the screenshots you asked for.


The first two screenshots are from the agent side and the last one is from the manager side, which displays only one error log.
Screenshot 2024-01-12 134756.png
Screenshot 2024-01-12 134843.png
Screenshot 2024-01-12 134740.png

Md. Nazmur Sakib

Jan 15, 2024, 3:43:15 AM1/15/24
to Wazuh | Mailing List

Hi Chappie,


Hope you are doing well today. Sorry for the late response.



- <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device

- <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error

- <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed


This indicates that the interface is not configured correctly. The interface value represents the network interface you want to monitor. Replace the value with the interface name of the Ubuntu endpoint, for example enp0s1.


To solve this issue, check the name of your network interface and configure it accordingly in the /etc/sysconfig/suricata and /etc/suricata/suricata.yaml files.


# Linux high speed capture support
af-packet:
  - interface: enp0s3


I hope this solves your issue. Let me know if you need any further help.


Regards

Md. Nazmur Sakib
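As an added check that is not part of this thread and not Wazuh's or Suricata's own code, the following Python script lists every interface named in a suricata.yaml and reports the ones the running kernel does not have; each reported name is one that would produce the "Unable to find iface ...: No such device" error quoted above at Suricata start-up. The YAML fragment in the block is constructed sample input, and the script reads only "- interface:" entries with a regular expression rather than parsing full YAML, which is a simplification I have chosen so it runs with the standard library alone.

```python
import os
import re

# Constructed suricata.yaml fragment (not the poster's file) used as sample input.
SAMPLE_YAML = """\
af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: default
pcap:
  - interface: enp0s3
"""

# Matches "- interface: NAME" entries in the af-packet/pcap sections. A full
# YAML parser is deliberately avoided so this needs only the standard library.
_IFACE_RE = re.compile(r"^\s*-\s*interface:\s*(\S+)", re.MULTILINE)


def configured_interfaces(yaml_text):
    """Interface names Suricata would try to open, minus the catch-all 'default'."""
    return [m.group(1) for m in _IFACE_RE.finditer(yaml_text)
            if m.group(1) != "default"]


def kernel_interfaces():
    """Interfaces the running kernel knows about (what `ip link` would list)."""
    return set(os.listdir("/sys/class/net"))


def missing_interfaces(yaml_text, known=None):
    """Return configured interfaces that are absent from `known`.

    `known` defaults to the live kernel list; pass a set to check offline.
    Every name returned reproduces Suricata's "Unable to find iface ...:
    No such device" error the moment the af-packet thread starts.
    """
    known = kernel_interfaces() if known is None else set(known)
    return [name for name in configured_interfaces(yaml_text) if name not in known]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/suricata/suricata.yaml"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for name in missing_interfaces(text):
        print(f"{name}: configured in {path} but not present on this host")
```

Run it on the Suricata endpoint as python3 check_ifaces.py /etc/suricata/suricata.yaml; an empty output means every configured capture interface exists, so a "No such device" error in suricata.log must be older than the current configuration.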

Chappie uploads

Jan 15, 2024, 7:23:28 AM1/15/24
to Md. Nazmur Sakib, Wazuh | Mailing List
Hello Nazmur,

If you look at the error log date and time, that is very old. I did change the name and I was able to receive the logs in the eve.json file; however, I am not able to view anything on the Wazuh dashboard, which is the reason I raised this ticket.
I have seen that the Suricata dashboard automatically pops up in the Wazuh dashboard when you add the configuration; on my side there is nothing I can see on the dashboard.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6a77b168-1c5b-425e-9fc5-62b216e324f1n%40googlegroups.com.

Md. Nazmur Sakib

Jan 15, 2024, 7:35:46 AM1/15/24
to Wazuh | Mailing List

Hi Chappie,


Have you added the configuration in the agent's ossec.conf or in the agent group configuration?


<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>


If you are still facing the issue, also share the current output of this command.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"


Let me know the update on the issue.


Regards

Md. Nazmur Sakib

Chappie uploads

Jan 15, 2024, 2:24:35 PM1/15/24
to Wazuh | Mailing List
Hello Nazmur,
Yes, I have added the configuration already. Also, the screenshot you asked for displays only one error: "2024/01/16 00:27:05 wazuh-analysisd: ERROR: Too many fields for JSON decoder."

Attached are the screenshots for reference:
Screenshot 2024-01-16 002657.png
Screenshot 2024-01-16 002730.png

Md. Nazmur Sakib

Jan 15, 2024, 11:05:10 PM1/15/24
to Wazuh | Mailing List

Hi Chappie,


The JSON decoder extracts each field from the log data for comparison against the rules for the Suricata log.

It seems that the problem comes from a log with too many fields.

In the internal_options file, you can modify the maximum number of fields in a decoder.

Can you edit the /var/ossec/etc/internal_options.conf file and modify this entry (around line 30)?


# Maximum number of fields in a decoder (order tag) [32..1024]
analysisd.decoder_order_size=256


Can you change the value to 1024?


Remember to restart the manager to apply this configuration. 


If you want to see more information about this file, you can consult it here:

https://documentation.wazuh.com/current/user-manual/reference/internal-options.html


Regards

Md. Nazmur Sakib
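As an added example, not posted in the thread and not Wazuh's own code, this Python script counts the fields in each eve.json record and reports the records that exceed analysisd.decoder_order_size, so you can see which Suricata event type is triggering "Too many fields for JSON decoder" before raising the limit on the manager. It assumes the decoder flattens nested objects into dotted field names, with each leaf value counted once and an array counted as one field; that counting rule is my approximation, not the documented algorithm. The two records in the block are constructed samples, not the poster's logs.

```python
import json

# Default ceiling of wazuh-analysisd's JSON decoder, per the reply above
# (analysisd.decoder_order_size=256 in internal_options.conf).
DEFAULT_DECODER_ORDER_SIZE = 256


def count_fields(event, prefix=""):
    """Count the fields the JSON decoder would extract from one event.

    Assumption (mine, not Wazuh's documented algorithm): nested objects are
    flattened into dotted names such as alert.signature_id, so every leaf
    value is one field and an array counts as a single field.
    """
    total = 0
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            total += count_fields(value, name + ".")
        else:
            total += 1
    return total


def oversized_events(lines, limit=DEFAULT_DECODER_ORDER_SIZE):
    """Return (event_type, field_count) for every eve.json line over `limit`."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line still being written; skip it rather than crash
        n = count_fields(event)
        if n > limit:
            hits.append((event.get("event_type", "?"), n))
    return hits


# Constructed sample eve.json records (not the poster's logs): one small alert
# and one stats-style record with hundreds of counters, built programmatically.
ALERT_LINE = json.dumps({
    "timestamp": "2024-01-16T00:27:05.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "proto": "TCP",
    "alert": {"signature_id": 2100498,
              "signature": "GPL ATTACK_RESPONSE id check returned root",
              "severity": 1},
})
STATS_LINE = json.dumps({
    "timestamp": "2024-01-16T00:27:05.000000+0000",
    "event_type": "stats",
    "stats": {"uptime": 60, "decoder": {f"counter_{i}": i for i in range(300)}},
})
SAMPLE_LINES = [ALERT_LINE, STATS_LINE]


def scan(path=None, limit=DEFAULT_DECODER_ORDER_SIZE):
    """Scan a real eve.json if a path is given, otherwise the constructed sample."""
    if path:
        with open(path, encoding="utf-8") as fh:
            lines = list(fh)
    else:
        lines = SAMPLE_LINES
    return oversized_events(lines, limit)


if __name__ == "__main__":
    import sys
    for event_type, n in scan(sys.argv[1] if len(sys.argv) > 1 else None):
        print(f"{event_type}: {n} fields (limit {DEFAULT_DECODER_ORDER_SIZE})")
```

Run it on the agent as python3 eve_fields.py /var/log/suricata/eve.json. If the oversized records are all of one event type (Suricata's periodic stats record, with its hundreds of counters, is the usual one), the alternative to raising the limit on the manager is to stop writing that event type to eve.json on the Suricata side, so that only the alert and protocol records the Wazuh rules actually use reach the decoder.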
