Wazuh DNS Resolution


Nguyen Huy Tai Anh

Sep 9, 2024, 9:21:53 PM
to Wazuh | Mailing List
Hello everyone, I'm currently building a homelab SIEM using Wazuh.

My setup now includes 1 Wazuh server, 2 Wazuh indexers, 1 dashboard, and some agents running the Suricata IDS.

We want to see the actual domain name instead of the destination IP and port for faster analysis.

I'm wondering if there's a DNS lookup tool built into Wazuh, or a configuration I can make to have DNS lookup, for example like in Logstash: https://github.com/gregwjacobs/ElasticSuricata/blob/master/logstash_suricata_eve.conf

If you need any resources, please notify me; I'd be happy to cooperate.

Thank you!
Tai Anh

ismail....@wazuh.com

Sep 11, 2024, 1:07:17 AM
to Wazuh | Mailing List
Hi,

Wazuh does not have a built-in DNS lookup tool. You could pre-process your logs with a DNS lookup tool before forwarding them to Wazuh.

You can create a custom Python or Bash script that performs DNS lookups and adds the resolved domain names to your logs. The script should run periodically or as part of the log collection process to ensure that all IP addresses are resolved before they are forwarded to Wazuh.

If you are using Suricata, it can be configured there; for more detailed information on Suricata's DNS logging capabilities, you can refer to the official Suricata documentation link.

Hope this helps you. Please feel free to reach out to us if you have any issues.
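One way to do the pre-processing step the answer describes, as an added example that is not from this thread and not Wazuh's or Suricata's own code: it reads Suricata EVE JSON lines, reverse-resolves the `src_ip`/`dest_ip` fields, and writes a `src_hostname`/`dest_hostname` field beside them so the resolved name reaches Wazuh as part of the event. The field names and the sample records are assumptions made for the example; the resolver is injectable so the logic can be tested without network access.

```python
import json
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: three Suricata EVE JSON records as an agent would log them.
# 192.0.2.0/24 is documentation address space; nothing here is a real host.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.99","dest_port":80}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443}',
]

def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def enrich_events(lines: Iterable[str],
                  resolver: Callable[[str], Optional[str]] = reverse_lookup,
                  fields=("src_ip", "dest_ip")) -> List[Dict]:
    """Parse EVE lines and add <x>_hostname beside every resolvable <x>_ip field."""
    cache: Dict[str, Optional[str]] = {}  # one lookup per distinct IP per run
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole batch
        for field in fields:
            ip = event.get(field)
            if not ip:
                continue
            if ip not in cache:
                cache[ip] = resolver(ip)
            if cache[ip]:  # unresolvable IPs keep their original fields untouched
                event[field[:-3] + "_hostname"] = cache[ip]
        events.append(event)
    return events

def enrich_lines(lines: Iterable[str], resolver=reverse_lookup) -> List[str]:
    """One JSON line per enriched event, for a file Wazuh reads with log_format json."""
    return [json.dumps(e) for e in enrich_events(lines, resolver)]

if __name__ == "__main__":  # real PTR lookups; the sample IPs will simply not resolve
    for out in enrich_lines(SAMPLE_EVE_LINES):
        print(out)
```

Run it as a filter between Suricata's eve.json and the file Wazuh's localfile block reads, or on a timer as the answer suggests; a reverse record is only a hint about the remote host, so keep the original IP fields for correlation.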