How to add a host server to Wazuh dashboard


Jithin Davis

Feb 24, 2022, 5:20:30 AM
to Wazuh mailing list
Hi

Can you let me know the steps to add a host server (where the manager is installed) to the dashboard? This is a Linux (Ubuntu server). We are able to add additional servers in the network, but unable to add the host server to the Wazuh dashboard.

Is it possible?

Thanks

Christian Bassey

Feb 25, 2022, 1:52:30 AM
to Wazuh mailing list
Hi Jithin,

Thank you for using Wazuh!

The server where the manager is installed is already added to the Wazuh dashboard. Security events and other data for it can be found by filtering for the agent ID 000 on the Wazuh dashboard.

I hope this helps. Best.

Jithin Davis

Feb 25, 2022, 9:09:21 AM
to Wazuh mailing list
Hi Christian

Thanks for the reply,

But I am unable to find the agent with the ID 000 in my dashboard. I am attaching the screenshot for your reference.

Expecting a reply from you

Thanks
agents.PNG
agent_id.PNG

Christian Bassey

Feb 25, 2022, 10:48:21 AM
to Wazuh mailing list
Hi Jithin,

Please navigate to modules > security events. 
- Switch from the dashboard tab to the events tab.
- On the left hand side, you would see options you can filter by. 
- Scroll to the agents.id option and click on it. You would see all your agent IDs and the ID 000. Select it to view your manager events.

Best.
Capture - Copy.PNG

Jithin Davis

Mar 1, 2022, 2:27:59 AM
to Wazuh mailing list
Hi all

I am still unable to see the agent id 000, please see the screenshot below

Any assistance would be helpful,
agent-id.PNG

Christian Bassey

Mar 1, 2022, 8:43:02 AM
to Wazuh mailing list
Hi Jithin,


You can also add a filter, select the field to filter by as agent.id and its value is 000

Best.
Capture.PNG

Jithin Davis

Mar 1, 2022, 9:11:24 AM
to Wazuh mailing list
Hi Christian

Thanks for the reply

But still unable to see the values by filtering

I have checked this via backend too

I can see the 000 is available in the agent_control list (please see the screenshot). Is there any way to add the same to available agents? Please see the screenshot below.


Thanks
agent-list.PNG

Christian Bassey

Mar 2, 2022, 5:50:20 AM
to Wazuh mailing list
Hi Jithin,

What version of Wazuh are you running? 

Additionally, you can try to filter by the hostname of your Wazuh server.

Jithin Davis

Mar 2, 2022, 7:32:28 AM
to Wazuh mailing list
Hi Christian,

Thanks for the reply,

I have filtered using the "agent_name" but still there are no values. Please see the screenshot attached.

The version details are listed below:

WAZUH_VERSION="v4.2.1"
Kibana version: "version": "7.10.2",

Any help would be appreciated. 

Thanks
agent-name.PNG

Christian Bassey

Mar 2, 2022, 8:41:51 AM
to Wazuh mailing list
Hi Jithin, 

What sort of architecture are you running?

Is this a fresh install of 4.2.1?

Can I see your ossec.conf? (please remove all sensitive information before sending it.)


Additionally, please try to generate an event against the manager, e.g. a failed SSH authentication, and grep for its alert.

tail -f /var/ossec/logs/alerts/alerts.json | grep \"id\":\"000\"

Jithin Davis

Mar 2, 2022, 9:31:25 AM
to Wazuh mailing list
Hi Christian

I have tried to generate an alert, but it's not showing while checking the logs; attaching a screenshot.

I can see all the results of attached servers

I can't see any data of the host server. Is there anything that needs to be added to the ossec.conf file?

Note: I have forwarded the ossec.conf file in your personal wall

Any help would be really appreciated.

Thanks
tailresults.PNG

Christian Bassey

Mar 3, 2022, 5:48:12 AM
to Wazuh mailing list
Hi Jithin,

I saw the configuration file. I replied, but in the event you did not get that, the reply is below:



Hi Jithin,

Please lower the log alert level to 3, restart the manager and try to generate multiple failed ssh authentication alerts. I want to confirm that the reason why you are not seeing alerts from the manager is not because the alerts generated are lower than the log_alert_level threshold.
Change 
<log_alert_level>8</log_alert_level>
to
<log_alert_level>3</log_alert_level>

Jithin Davis

Mar 3, 2022, 9:13:42 AM
to Wazuh mailing list
Hi Christian,

I really appreciate your kindness for following-up.

As per your suggestion, I have changed the log_alert_level value and tried an SSH authentication failure. I can see now the logs are generating in the alert.json file using the following command:

tail -f /var/ossec/logs/alerts/alerts.json | grep \"id\":\"000\"


Please see the screenshot

But still there are no alerts generated in the dashboard; I have filtered again using agent_name and agent_id.

Thanks
grepnew.PNG

Christian Bassey

Mar 4, 2022, 2:20:47 AM
to Wazuh mailing list
Hi Jithin,

It looks like alerts are being generated but are not getting sent to elasticsearch. Please run the commands below on the Wazuh manager and provide the output so we can see the status of filebeat.

systemctl status filebeat

filebeat test output

Jithin Davis

Mar 4, 2022, 10:49:55 AM
to Wazuh mailing list
Hi Christian,

Thanks for the reply

filebeat service showing as active

I can see that the alerts are showing now for the hostserver,

Seems like changing <log_alert_level> fixed the issue

Thank you very much for your help...

However, can you let me know what could've caused this issue?

Once again thanks for your support

Regards
Jithin

Christian Bassey

Mar 7, 2022, 1:59:40 AM
to Wazuh mailing list
Hi Jithin, 

Glad to know you can see alerts for the host server now.

The <log_alert_level> specifies the minimum level an alert should be for it to be sent to elasticsearch. In your case, the level was 8. 
I took a look at a hostserver in my lab and realized that under normal operation, the alerts from it were all under 8 which is why I suggested you modify the log alert level.

Best.

Jithin Davis

Mar 7, 2022, 2:11:23 AM
to Wazuh mailing list
Hi Christian

Thanks for your reply

Is it advisable to keep the alert level 3?

Will it affect other servers?

Thanks

Christian Bassey

Mar 7, 2022, 2:19:38 AM
to Wazuh mailing list
Alert level 3 is the default alert level Wazuh uses. I suggest you take a look at the alert level classification here and decide what minimum alert level will fit your environment.
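
The threshold effect diagnosed in this thread, and the question of which minimum level to keep, as an added example that is not part of any poster's message and not Wazuh's own code: it reads the log_alert_level from an ossec.conf and reports which agents would show no events at that threshold. The sample alerts, the sample configuration and the function names are constructed for illustration; only the alerts.json one-object-per-line layout, the agent ID 000 and the levels 8 and 3 come from the thread.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the alerts.json layout (one JSON object per line).
# Agent names, levels and descriptions are made up for illustration.
SAMPLE_ALERTS = """\
{"agent":{"id":"000","name":"wazuh-manager"},"rule":{"level":5,"description":"sshd: authentication failed"}}
{"agent":{"id":"000","name":"wazuh-manager"},"rule":{"level":3,"description":"PAM: login session opened"}}
{"agent":{"id":"001","name":"web01"},"rule":{"level":10,"description":"sshd: brute force attempt"}}
{"agent":{"id":"001","name":"web01"},"rule":{"level":5,"description":"sshd: authentication failed"}}
not-json: a partially written line, as can appear while the file is being appended
"""

# Constructed ossec.conf fragment carrying the value from the thread.
SAMPLE_CONF = "<ossec_config><alerts><log_alert_level>8</log_alert_level></alerts></ossec_config>"


def read_log_alert_level(conf_text, default=3):
    """Return the configured <log_alert_level>, or the default of 3 if it is unset."""
    m = re.search(r"<log_alert_level>\s*(\d+)\s*</log_alert_level>", conf_text)
    return int(m.group(1)) if m else default


def levels_by_agent(lines):
    """Map agent id -> list of rule levels, skipping lines that are not valid alerts."""
    seen = defaultdict(list)
    for line in lines:
        try:
            alert = json.loads(line)
            seen[alert["agent"]["id"]].append(int(alert["rule"]["level"]))
        except (ValueError, KeyError, TypeError):
            continue
    return dict(seen)


def silent_agents(levels, threshold):
    """Agents whose every alert is below the threshold, so they would show no events."""
    return sorted(a for a, lv in levels.items() if max(lv) < threshold)


if __name__ == "__main__":
    threshold = read_log_alert_level(SAMPLE_CONF)
    levels = levels_by_agent(SAMPLE_ALERTS.splitlines())
    for agent, lv in sorted(levels.items()):
        kept = sum(1 for x in lv if x >= threshold)
        print(f"agent {agent}: {len(lv)} alerts, max level {max(lv)}, kept at {threshold}: {kept}")
    print("no events at this threshold:", silent_agents(levels, threshold))
```

On a live manager, feed the lines of /var/ossec/logs/alerts/alerts.json to levels_by_agent while the level is set low, since that file only holds alerts at or above the currently configured level.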