Wazuh not showing alerts on dashboard

[Satiswaran Selva Sakeram]

Hello team, i recently installed wazuh and i dont see any alerts on the alert tab, 

[Benjamin Nworah]

Hello Satiswaran,

Thank you for choosing Wazuh.
What documentation did you follow to setup your Wazuh deployment.?

Kindly navigate to Modules > Security events > Dashboard, and confirm you see alerts. 

I await your feedback.

Regards,

[Satiswaran Selva Sakeram]

Hello Benjamin, 

I followed the step by step installation provided by wazuh, 

When i navigate into  Modules > Security events > Dashboard, i dont see any events. Please refer to the screenshot below

I'm trying to alerts received from my firewall through syslog, i can confirm i'm receiving the syslog through this command: tail -f /var/ossec/logs/archives/archives.log, i've attached an image for your reference. 

Happy Weekend Ahead

Thanks & Regards 

Satis

[Benjamin Nworah]

Hello Satiswan,

Please share the link to the documentation. Do you have Wazuh agents in your Wazuh deployments.?

Please send the out of the following commands:

#filebeat test output
# systemctl status wazuh-manager

#systemctl status wazuh-indexer
#systemctl status wazuh-dashboard
#cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

#cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"

Also share with me the firewall logs in text file. I want to test the logs.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Please find the requested logs

Documentation: https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Yes, i do have few agents installed

[Benjamin Nworah]

Are the agents active and no events visible on the dashboard from these agents?

Regards

[Benjamin Nworah]

I still wait your feedback on my last comment.

[Benjamin Nworah]

Hello Satiswaran,

Kindly send the output of the below command

less /var/ossec/logs/alerts/alerts.log   ====> This should confirm if alerts are getting to the Wazuh deployment.

Please can you run the following commands:

systemctl restart wazuh-manager wazuh-indexer wazuh-dashboard

Please let me know if you see events on the dashboard after restarting these components.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Apologies for the late reply, 

There is 1 active agent, but i dont see any events

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Please find the attached document after running command  less /var/ossec/logs/alerts/alerts.log, i do see many alerts on this file. 

But after running all the commands to restart, i still do not see any alerts on the dashboard. 

Thanks and Regards, 
Satis

[Benjamin Nworah]

Hello Satiswaran,

Please I tested the Sophos log sample, and received an alert. Did you implement a single node or distributed architecture?

Send the output of these commands:

1. curl https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-* -u <wazuh_indexer_user>:<wazuh_indexer_password> -k

Replace:
<WAZUH_INDEXER_IP> with the IP address of the indexer
<wazuh_indexer_user>  and <wazuh_indexer_password> are the indexer credentials.

2. less /etc/filebeat/wazuh-template.json

I await your feedback.
Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Its a single node,

Please find the attached. when i run the first command i dont see any alerts

Regards, 

Satis

[Benjamin Nworah]

Hello Satiswaran,

Though the alerts are in /var/ossec/log/alerts/alerts.log, but they don't get to the Wazuh-indexer based on the last result you shared. Kindly run the below commands, I need to confirm the allocated RAM and disk space on your host.

1. free -h

2. df -h

3. cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Please find the attached document requested

Thanks for checking.

Regards,

Satis

[Benjamin Nworah]

Please run the below commands:

1. /usr/share/wazuh-indexer/bin/indexer-security-init.sh

2. systemctl restart wazuh-manager wazuh-indexer wazuh-dashboard


After the running the commands, check the alerts via the dashboard.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Ran both commands, but still dont see the alerts on the dashboard.

Regards,

Satis

[Satiswaran Selva Sakeram]

Hi Benjamin, 

I can now view the events from dashboard after i restarted my entire VM.

Also, since i will be forwarding multiple fw logs to this wazuh server, can i have multiple tenant but assigned that tenant to view events from only a certain firewall.

Eg: System department user can only view system department's firewall events and alerts.

Thanks
Satis

[Benjamin Nworah]

Hello Satiswaran,

Glad to hear it is working now.

Regarding your question on multi-tenancy, you can achieve this use case, if the logs are coming from a group of Wazuh agents as described in this documentation.
https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

I dont think that works because all the syslog is collected by the manager right, is there a way i can split to view different firewall alerts.

Will creating a new dashboard for each firewall work ? i can see the firewall ip if i filter by "location" 

Thanks 

Satis

[Benjamin Nworah]

Hello Satiswaran,

You can use Wazuh agent to receive syslog messages, and then forward same messages to the Wazuh server for analysis, this documentation https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html explains how to achieve this. So in your case, you might want to forward logs from Firewall A to a Wazuh agent (in agent group A), and forward logs from Firewall B to another Wazuh agent (in agent group B). You can see this documentation to learn about agent grouping https://documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html#grouping-agents. Once this is done, you can then follow the below documentation to segregate the firewall alerts based on the agent group and user role.

https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents

Regards,
 

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Apologies for the delayed response. 

I took your advice to install an agent on an endpoint that collects the firewall logs via logstash and push it through the agent, but since like everything is working but i dont see the alerts generated from the agent installed on the endpoint.

Attached logs for your reference

Regards,
Satis

[Benjamin Nworah]

Hello Satiswaran,

Kindly confirm the following:

1.  Firewall logs exist in  C:\logstash\logs\KLFirewall.log.

2. is the agent active from the Wazuh dashboard.

3. Firewall logs are getting to /var/ossec/logs/archives/archives.log on your Wazuh.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Please find the attached, yes the log file exist and the agent is active, i also can see the firewall logs getting to  /var/ossec/logs/archives/archives.log

Thanks & Regards,

[Benjamin Nworah]

Hello Satiswaran,

You need to add the below configuration between <ossec_config></ossec_config> in   C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent.

<localfile>
   <log_format>syslog</log_format>
   <location> C:\logstash\logs\KLFirewall.log  </location>
</localfile>

After that, restart the Wazuh agent to apply the changes (via PowerShell).

Restart-Service Wazuh

Regards

[Satiswaran Selva Sakeram]

Hi Benjamin,

Apologies for the delayed response, 

I'm not able see the event yet, the config that you mentioned above already exists.

Thanks,
Satis

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Just checking in to see if you have an update for me on the reported issue

Thanks 

Satis

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/7T_KdJh--Uc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/aa309fde-c3cd-441d-9f14-5e2df5e0bb34n%40googlegroups.com.

[Benjamin Nworah]

Hello Satiswaran,

You confirmed that the firewall logs are getting to archives.log, but are not available on the dashboard. Please send me some sample logs for me to test.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin,

Please find attached logs, one from archives and one from logstash.

Thanks, 
Satis

[Benjamin Nworah]

Hello Satiswaran,

I tested few of the logs, and it appears that there are no decoders for these logs ( see below). You will have to create decoders and rules for these logs. Also I only see logs that contains icmp error message.  Kindly run the below command to filter for all the firewall logs.

less /var/ossec/logs/archives/archives.log | grep -i klfirewall

Decoder syntax ==> https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html#prematch

[root@wazuh-server ~]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.7.2
Type one log per line

2024-05-14T02:20:11.695727300Z {ip=192.168.61.1} <29>device_name="SFW" timestamp="2024-05-14T10:00:33+0800" device_model="XG106" device_serial_id="C1C0B9V2PKPCGD1" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="5" fw_rule_name="Internet Access" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="fw#5_migrated_NAT_Rule" fw_rule_type="USER" web_policy_id=4 ips_policy_id=3 ether_type="IPv4 (0x0800)" in_interface="Port2_ppp" src_ip="10.55.48.16" src_country="R1" dst_ip="175.136.252.61" dst_country="MYS" protocol="ICMP" icmp_type=11 src_zone_type="LAN" src_zone="LAN" con_event="Interim" con_id="3497784130" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port2_ppp" log_occurrence="1"

**Phase 1: Completed pre-decoding.
        full event: '2024-05-14T02:20:11.695727300Z {ip=192.168.61.1} <29>device_name="SFW" timestamp="2024-05-14T10:00:33+0800" device_model="XG106" device_serial_id="C1C0B9V2PKPCGD1" log_id="018201500005" log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" log_version=1 severity="Notice" fw_rule_id="5" fw_rule_name="Internet Access" fw_rule_section="Local rule" nat_rule_id="3" nat_rule_name="fw#5_migrated_NAT_Rule" fw_rule_type="USER" web_policy_id=4 ips_policy_id=3 ether_type="IPv4 (0x0800)" in_interface="Port2_ppp" src_ip="10.55.48.16" src_country="R1" dst_ip="175.136.252.61" dst_country="MYS" protocol="ICMP" icmp_type=11 src_zone_type="LAN" src_zone="LAN" con_event="Interim" con_id="3497784130" hb_status="No Heartbeat" app_resolved_by="Signature" app_is_cloud="FALSE" qualifier="New" in_display_interface="Port2_ppp" log_occurrence="1"'
        timestamp: '2024-05-14T02:20:11.695727300Z '

**Phase 2: Completed decoding.
        No decoder matched.

**Phase 3: Completed filtering (rules).
        id: '1002'
        level: '2'
        description: 'Unknown problem somewhere in the system.'
        groups: '['syslog', 'errors']'
        firedtimes: '1'
        gpg13: '['4.3']'
       

[Satiswaran Selva Sakeram]

Hi Benjamin,

Attached requested logs, also i just tested sending the syslog directly to wazuh server instead of using an agent and i can see the security alerts, do i still need a decorder ?

Thanks,
Satis 

[Benjamin Nworah]

Dear Satiswaran,

Thank you for the logs. After carefully examining the logs and the default sophos decoders ( located in /var/ossec/ruleset/decoders/0510-sophos_fw_decoders.xml), the default parent sophos decoder is not matching any of your log because it starts with the statement ^device ( see below), which is not the case for your logs from the klfirewall log file you shared.

Default sophos fw decoder
======================
<decoder name="sophos-fw">
  <prematch>^device="\w*"\s+date=\d+-\d+-\d+\s+time=</prematch>
</decoder>

 I have modified the default sophos decoder and rules to match your logs. Kindly follow the below steps to add the modified sophos decoders and rules to your Wazuh deployment.

1- Create a file klfirewall_decoders.xml in /var/ossec/etc/decoders/ and add the decoders ( see attached file) inside the newly created file:

2. Create a file klfirewall_rules.xml in /var/ossec/etc/rules and add the rules ( see attached file ) inside the newly created file:

3. Finally restart the Wazuh manager by running the below command:

systemctl restart wazuh-manager

 I tested some of the logs using Wazuh-logtest, and this works for me. One example of the tests is shown below.

Starting wazuh-logtest v4.7.2
Type one log per line

2024-05-15T02:55:16.510104700Z {ip=192.168.61.1} <29>device="SFW" date=2024-05-15 time=10:35:37 timezone="+08" device_name="XG106" device_id=C1C0B9V2PKPCGD1 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=5 fw_rule_name="Internet Access" fw_rule_section="Local rule" nat_rule_id=3 nat_rule_name="fw#5_migrated_NAT_Rule" policy_type=1 sdwan_profile_id_request=0 sdwan_profile_name_request="" sdwan_profile_id_reply=0 sdwan_profile_name_reply="" gw_id_request=0 gw_name_request="" gw_id_reply=0 gw_name_reply="" sdwan_route_id_request=0 sdwan_route_name_request="" sdwan_route_id_reply=0 sdwan_route_name_reply="" user_name="" user_gp="" iap=4 ips_policy_id=3 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=IPv4 (0x0800) bridge_name="" bridge_display_name="" in_interface="Port2_ppp" in_display_interface="Port2_ppp" out_interface="" out_display_interface="" src_mac= dst_mac= src_ip=72.14.214.196 src_country_code=USA dst_ip=175.136.252.61 dst_country_code=MYS protocol="ICMP" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2228086869" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 flags=0

**Phase 1: Completed pre-decoding.
        full event: '2024-05-15T02:55:16.510104700Z {ip=192.168.61.1} <29>device="SFW" date=2024-05-15 time=10:35:37 timezone="+08" device_name="XG106" device_id=C1C0B9V2PKPCGD1 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=5 fw_rule_name="Internet Access" fw_rule_section="Local rule" nat_rule_id=3 nat_rule_name="fw#5_migrated_NAT_Rule" policy_type=1 sdwan_profile_id_request=0 sdwan_profile_name_request="" sdwan_profile_id_reply=0 sdwan_profile_name_reply="" gw_id_request=0 gw_name_request="" gw_id_reply=0 gw_name_reply="" sdwan_route_id_request=0 sdwan_route_name_request="" sdwan_route_id_reply=0 sdwan_route_name_reply="" user_name="" user_gp="" iap=4 ips_policy_id=3 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" vlan_id="" ether_type=IPv4 (0x0800) bridge_name="" bridge_display_name="" in_interface="Port2_ppp" in_display_interface="Port2_ppp" out_interface="" out_display_interface="" src_mac= dst_mac= src_ip=72.14.214.196 src_country_code=USA dst_ip=175.136.252.61 dst_country_code=MYS protocol="ICMP" icmp_type=11 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2228086869" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 log_occurrence=1 flags=0'
        timestamp: '2024-05-15T02:55:16.510104700Z '

**Phase 2: Completed decoding.
        name: 'klfirewall'
        appfilter_policy_id: '0'
        application_risk: '0'
        appresolvedby: 'Signature'
        connevent: 'Interim'
        connid: '2228086869'
        date: '2024-05-15'
        device: 'SFW'
        device_id: 'C1C0B9V2PKPCGD1'
        device_name: 'XG106'
        dst_country_code: 'MYS'
        dst_ip: '175.136.252.61'
        dst_port: '0'
        duration: '0'
        fw_rule_id: '5'
        hb_health: 'No Heartbeat'
        iap: '4'
        in_interface: 'Port2_ppp'
        ips_policy_id: '3'
        log_component: 'ICMP ERROR MESSAGE'
        log_id: '018201500005'
        log_subtype: 'Allowed'
        log_type: 'Firewall'
        name: 'XG106'
        policy_type: '1'
        priority: 'Notice'
        protocol: 'ICMP'
        recv_bytes: '0'
        recv_pkts: '0'
        sent_bytes: '0'
        sent_pkts: '0'
        sophos_fw_status_msg: 'Allow'
        src_country_code: 'USA'
        src_ip: '72.14.214.196'
        src_port: '0'
        srczone: 'LAN'
        srczonetype: 'LAN'
        th: 'No Heartbeat'
        time: '10:35:37'
        timezone: '+08'
        tran_dst_port: '0'
        tran_src_port: '0'

**Phase 3: Completed filtering (rules).

        id: '700220'
        level: '3'
        description: 'Traffic Allowed: from 72.14.214.196 to 175.136.252.61'
        groups: '['klfirewall']'
        firedtimes: '1'
        mail: 'False'
**Alert to be generated.

Please let me know if this works for you.

Regards,

[Satiswaran Selva Sakeram]

Hi Benjamin, 

Thank you so much for the effort, it works now after adding the decoder and rules. 

Since now i have two other tenants, how do i assign the agent to specific tenants?, i had created a separate group for the agent but can't find how to assigned that group to the tenant.

Thanks, 
Satis

[Benjamin Nworah]

Dear Satiswaran,

Please see the below documentation. 

https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents

Let me know if this helps.

Regards,