Suricata integration


Jonathan Nuñez

Mar 30, 2020, 9:24:38 PM
to Wazuh mailing list
Hi guys, I try to understand this lab https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html: an ELK Server is required, plus a linux-agent with suricata. My scenario is a server where I have installed ELK, KIBANA and WAZUH. In addition to my scenario, do I have to install an ELK server? How can I get my linux-agent with suricata to work in my scenario?

Regards,
Jonathan.

Robin Costas

Mar 31, 2020, 4:50:34 AM
to Wazuh mailing list
Hello Jonathan Nuñez,

If you don't mind sharing some more information, let me ask some questions in order to see if I understood your issue.

You have an ELK server in which you have also installed Wazuh. On one of your agents you have installed Suricata and want to send its logs to the manager.
Which part is not working? Is Suricata correctly installed and working? Which part of https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html is causing you problems?

Thanks for reaching out to us!
Best regards,
Robin.

Jonathan Nuñez

Mar 31, 2020, 11:32:25 AM
to Wazuh mailing list
Hello Robin, thank you for the response,

My scenario is: on a server I have Wazuh Manager + ELK + KIBANA + Filebeat installed. On another Linux agent server I installed "suricata". The question is: can I work with this scenario?

Because in the LAB they mention that you must have an additional ELK Server to be able to integrate it into the "linux" group, and that additionally you have to install suricata in the linux-agent and in the ELK:

Set up Suricata on both elastic-server and linux-agent

On both agents as root, install Suricata and its dependencies, along with the Emerging Threats Open ruleset.


Would you be so kind as to guide me so I can integrate Suricata with Wazuh?


Regards,

Jonathan.


Robin Costas

Apr 1, 2020, 10:08:03 AM
to Wazuh mailing list
Hello Jonathan Nuñez,

Answering your first question, yes, Suricata can work with your deployment without problems.

In the Lab, they use an example with a Linux agent and an Elastic server. This does not mean that you have to deploy these for Suricata to work with Wazuh. In order to integrate Wazuh and Suricata the main steps are:

1. Installing Suricata and Wazuh Agent on the machine you want to monitor:
You already have done this, but I will leave the link here anyway in case someone needs it: https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html#set-up-suricata-on-both-elastic-server-and-linux-agent.

2. Making the Wazuh Agent collect the logs from Suricata.
Add the following lines to the ossec.conf of your wazuh-agent:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

Once this is done, restart your Wazuh agent and everything should be working. Please keep in mind there are several extra steps in this Lab that are useful for understanding how Wazuh works, showing its capabilities and making sure everything is working as intended; they are not necessary, but I recommend you have a look at them.

To summarize, it does not matter which deployment you have; you only need a working Wazuh Manager, Suricata and the Wazuh Agent installed on the machine to monitor, and the Wazuh Agent collecting the logs.

Please tell me if you run into any trouble or need a more detailed explanation.
Best regards,
Robin.
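As an added example (not part of the thread or of Wazuh's own tooling), the following script checks that an agent's ossec.conf carries the <localfile> block Robin describes and shows what an eve.json alert looks like once the agent reads it as JSON. The ossec.conf text and the eve.json lines are constructed samples; the manager address is a placeholder.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of a wazuh-agent ossec.conf. A real file can contain several
# <ossec_config> root elements, so the parser wraps the text in a dummy root.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <client>
    <server><address>wazuh-manager.example</address></server>
  </client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
"""

# Constructed eve.json lines: one alert and one flow record (flows are not alerts).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2020-03-31T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"ET SCAN Example rule","severity":2}}',
    '{"timestamp":"2020-03-31T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]


def suricata_collection_configured(conf_text, location="/var/log/suricata/eve.json"):
    """True if some <localfile> collects `location` with <log_format>json</log_format>."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        if fmt == "json" and loc == location:
            return True
    return False


def summarize_alerts(lines):
    """Keep only event_type == alert and pull the fields an analyst looks at first."""
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written line is skipped, as a log reader would
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        out.append({"timestamp": ev.get("timestamp"), "src_ip": ev.get("src_ip"),
                    "dest_ip": ev.get("dest_ip"), "signature": alert.get("signature"),
                    "severity": alert.get("severity")})
    return out


if __name__ == "__main__":
    print("localfile configured:", suricata_collection_configured(SAMPLE_OSSEC_CONF))
    for a in summarize_alerts(SAMPLE_EVE_LINES):
        print(a)
```

On a real agent, read /var/ossec/etc/ossec.conf and /var/log/suricata/eve.json instead of the constructed samples; an empty alert list with traffic flowing usually means Suricata is running without a loaded ruleset rather than a Wazuh problem.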
