Wazuh architecture question


Kirill Golubenko

Feb 25, 2024, 5:08:16 AM
to Wazuh | Mailing List
Hello team,
I have been using Wazuh for a while and this is my current setup:
Screenshot 2024-02-25 at 11.05.08.png

I'm thinking of improving this setup and adding Graylog for log normalization. I also want to integrate TI with MISP.

I checked some recommendations and I see that one of the approaches is like this:
<Syslog> >>> <Wazuh manager> >>> <Graylog> >>> <MISP query> >>> <Wazuh Indexer>.
In that case they first create an alert and only after that do the log normalization and log enrichment.

My idea is vice versa, like this:
Screenshot 2024-02-25 at 11.06.56.png

With this scenario I can filter all the events from Syslog and DB queries, remove fields, reformat field names and only then send them to Wazuh.

After that I can create integrations with MISP and store the data in the Indexer in the end.
Could you please share with me some best practices to cover my goal?

Best regards,
Kirill

Awwal Ishiaku

Feb 26, 2024, 11:05:55 AM
to Wazuh | Mailing List
Hi Kirill,

At first glance, I see that you have a Wazuh server cluster in your architecture with a load balancer, meaning that you expect a huge volume of events.
My fear is that Graylog might be a bottleneck to your setup since it appears to be a single server in your architecture. You have to investigate further to ensure that the hardware resources allocated to Graylog or Logstash are enough to receive and forward enough logs to your Wazuh cluster to ensure appropriate utilization of the cluster resources.

Other than that concern, I believe you have an excellent approach.
You can also structure/normalize your log data in JSON format before forwarding to Wazuh. Wazuh has in-built JSON decoders so you don't need to create new decoders for other log formats which are currently not being decoded properly by Wazuh.

There are blog posts out there that show how to integrate Wazuh with MISP. For example, Wazuh And MISP Integration.
You can also make use of CDB lists with Wazuh.

Regards.
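As an added example (not code from this thread or from the Wazuh project), a small Python normalizer along the lines of the advice above: it drops and renames fields from constructed iptables-style firewall syslog lines, emits flat JSON that Wazuh's built-in JSON decoder can take as-is, and tags any source or destination IP that appears in a constructed CDB-style key:value list. The log format, the target field names and the list contents are assumptions made for the illustration.

```python
# Added example (not from the thread or Wazuh itself): normalize firewall syslog
# lines to JSON with stable field names, then tag IPs found in a CDB-style list.
# Log format, field names and list contents are constructed for illustration.
import json
import re
# Constructed CDB-style list: one "key:value" entry per line, key is the IP.
CDB_LIST_TEXT = "203.0.113.10:misp-known-scanner\n198.51.100.77:misp-c2-candidate\n"
# Constructed firewall lines in an iptables-like key=value syslog format.
SAMPLE_LINES = [
    "Feb 26 10:00:01 fw1 kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP DPT=443 ACTION=DROP",
    "Feb 26 10:00:02 fw1 kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.9 PROTO=UDP DPT=53 ACTION=ACCEPT",
    "Feb 26 10:00:03 fw1 sshd[410]: Accepted publickey for admin from 10.0.0.2",
]

# Rename firewall-specific keys to the names rules will use; other keys are dropped.
FIELD_MAP = {"SRC": "srcip", "DST": "dstip", "PROTO": "protocol", "DPT": "dstport", "ACTION": "action"}
KV_RE = re.compile(r"(\w+)=(\S+)")

def load_cdb_list(text):
    """Parse key:value lines; a missing value is stored as an empty string."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            entries[key] = value
    return entries

def normalize(line):
    """Return a flat dict with mapped fields only, or None for non-connection lines."""
    pairs = dict(KV_RE.findall(line))
    if "SRC" not in pairs or "DST" not in pairs:
        return None
    event = {FIELD_MAP[k]: v for k, v in pairs.items() if k in FIELD_MAP}
    event["dstport"] = int(event.get("dstport", 0))
    return event

def enrich(event, threat_list):
    """Attach a 'threat' object when the source or destination IP is listed."""
    for field in ("srcip", "dstip"):
        if event.get(field) in threat_list:
            event["threat"] = {"ip": event[field], "tag": threat_list[event[field]]}
            break
    return event

def process(lines, list_text=CDB_LIST_TEXT):
    """One JSON document per kept line, shaped for Wazuh's built-in JSON decoder."""
    threat_list = load_cdb_list(list_text)
    return [json.dumps(enrich(e, threat_list), sort_keys=True) for e in map(normalize, lines) if e]
```

The non-connection sshd line is dropped before it ever reaches Wazuh, which is the filtering step described in the first post; the remaining two lines come out as JSON with the same field names regardless of the firewall's own naming.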

Kirill Golubenko

Mar 4, 2024, 5:29:31 PM
to Wazuh | Mailing List
Hello Awwal,
Thank you for your reply, it was pretty helpful.
I have one more question.

In the Wazuh instance I want to store not only alerts from hosts, but also, for example, firewall logs. These are the whole logs, so I don't actually need specific Wazuh rules for that.
In that case I want to write them directly to OpenSearch, bypassing the decoders, which is not a problem, I guess.
But is it possible to query these events from OpenSearch with Wazuh and check them with integration plugins to generate a new alert?

For example, I will have a separate index with logs from the firewall. I will not trigger Wazuh every time I have a new event, because it will be too many requests.
But Wazuh itself will query this index to check the external IP address. If the IP address is in some kind of list (it can be sent to MISP or CDB) then there will be new alerts.

Screenshot 2024-03-04 at 23.26.04.png


Monday, February 26, 2024 at 17:05:55 UTC+1, Awwal Ishiaku: