Wazuh Archives Logs | Dashboard


John Carry

Feb 9, 2023, 8:01:34 AM
to Wazuh mailing list
Dear Wazuh Team,
Hopefully you are doing well. Is there a way we can view archives or non-alert events in the Wazuh UI? Basically I am relating it to other SIEMs like Splunk and QRadar, as they provide a separate tab to threat-hunt among the repository of archived logs.


Guido Iván García

Feb 9, 2023, 12:27:19 PM
to Wazuh mailing list
Hi John, thanks for using Wazuh!!

Yes, you can view archives in the Wazuh UI.

By default Wazuh only writes the logs that triggered an alert to the file alerts.json and discards those that did not. When we enable the <logall> option, it stores all events, even if they do not match a rule, in /var/ossec/logs/archives/archives.json.

You can find more information about archives in the following documentation link:
Wazuh - Alerts and archives

Below is a step-by-step procedure to do what you need:

1. Configure logging of all events in Wazuh managers:
The following configuration needs to be done on the Wazuh manager. In the case of having a cluster of Wazuh managers, this configuration needs to be done on all nodes.

Configure the logall_json output in "/var/ossec/etc/ossec.conf":
<logall_json>yes</logall_json>

Then restart the wazuh-manager service with the following command: 
systemctl restart wazuh-manager

2. Configure Filebeat output to send all events to Elasticsearch:
As in the previous step, the following configuration needs to be done on the Wazuh manager. In the case of having a cluster of Wazuh managers, this configuration needs to be done on all nodes.
Configure Wazuh Filebeat module to read both alerts and archives. This setting can be found in the "/etc/filebeat/filebeat.yml" file:
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true


Then restart Filebeat service with the following command:
service filebeat restart

The output can be tested by running:
filebeat test output
3. Create a new index-pattern:
On Wazuh Dashboard:
a. Go to Management -> Stack Management -> Index Patterns
b. Click on Create index pattern
c. For the index pattern name choose wazuh-archives-* and click on Next step
d. For the timestamp field choose timestamp (be careful not to choose @timestamp instead)
e. Click on Create index pattern


4. Browse through indexed data:
On OpenSearch Dashboards, under the Discover section choose index pattern wazuh-archives-* instead of wazuh-alerts-*

You will now be able to see archives from the Wazuh UI.

I hope this helps. Let me know if you have any specific questions or if there is anything else I can do to help.

Regards,
Guido
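The steps above, checked from the shell: an added example (not from the thread, and not Wazuh's own tooling) that verifies on a manager node that logall_json is enabled in ossec.conf, that the Filebeat wazuh module has archives enabled, and that archives.json exists, so it can be run on every node of a cluster before looking for the wazuh-archives-* index. The paths are the defaults named in the thread, and the sample configs the script writes are constructed for an offline self-check.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check that a Wazuh manager node is
# configured to ship archives (non-alert events) to the indexer, as set up above.
# Path defaults assumed from the thread; run it on every node of a manager cluster.

# 0 if <logall_json>yes</logall_json> is present in the given ossec.conf.
logall_json_enabled() {
  grep -Eq '<logall_json>[[:space:]]*yes[[:space:]]*</logall_json>' "$1"
}

# 0 if the wazuh filebeat module in the given filebeat.yml has archives.enabled: true.
# Walks the YAML by indentation, so it tolerates reordered alerts:/archives: blocks.
archives_enabled() {
  awk '
    /^[[:space:]]*$/ { next }
    /^[[:space:]]*-[[:space:]]*module:[[:space:]]*wazuh[[:space:]]*$/ { inmod=1; next }
    inmod && /^[[:space:]]*-[[:space:]]*module:/ { inmod=0; inarch=0 }
    inmod && /^[[:space:]]*archives:[[:space:]]*$/ { inarch=1; match($0,/^[[:space:]]*/); depth=RLENGTH; next }
    inarch { match($0,/^[[:space:]]*/); if (RLENGTH <= depth) inarch=0 }
    inarch && /^[[:space:]]*enabled:[[:space:]]*true[[:space:]]*$/ { found=1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Runs the three checks for one node: ossec.conf, filebeat.yml and the archives file,
# which the manager only starts writing once logall_json is on and it was restarted.
# Prints one line per failed check; returns the number of failures (0 = ready).
check_node() {
  fails=0
  logall_json_enabled "$1" || { echo "FAIL: <logall_json>yes</logall_json> missing in $1"; fails=$((fails + 1)); }
  archives_enabled "$2" || { echo "FAIL: archives.enabled is not true for module wazuh in $2"; fails=$((fails + 1)); }
  [ -f "$3" ] || { echo "FAIL: $3 not found (was wazuh-manager restarted?)"; fails=$((fails + 1)); }
  return $fails
}

# Constructed sample configs so the checks can be exercised offline.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
mk_ossec()    { printf '<ossec_config><global><logall_json>%s</logall_json></global></ossec_config>\n' "$1" > "$2"; }
mk_filebeat() { printf 'filebeat.modules:\n  - module: wazuh\n    alerts:\n      enabled: true\n    archives:\n      enabled: %s\n' "$1" > "$2"; }
mk_ossec yes "$TMPD/ossec_good.conf";  mk_ossec no "$TMPD/ossec_bad.conf"
mk_filebeat true "$TMPD/fb_good.yml";  mk_filebeat false "$TMPD/fb_bad.yml"
: > "$TMPD/archives.json"

# With --live, check the real node paths named in the thread instead of the samples.
if [ "${1:-}" = "--live" ]; then
  check_node /var/ossec/etc/ossec.conf /etc/filebeat/filebeat.yml /var/ossec/logs/archives/archives.json
fi
```

Run it as `sh check_archives.sh --live` on each manager node; a non-zero exit code with the printed FAIL lines tells you which of the three steps is still missing on that node.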