Question about incoming logs


Matthias Appelmans

Apr 30, 2024, 3:45:07 AM
to Wazuh | Mailing List
Hi all,

I have a question about logs in general, to try to understand Wazuh better. (I'm using version 4.7 with OpenSearch.)


When a log gets to wazuh, what is happening to it and when?

So it gets decoded if there is a decoder available for that type of log
It indexes it?
It makes an alert if there is any rule for it?


I seem to have a hard time understanding this.

Kind regards
Matthias

Antonio Kim (Wazuh)

Apr 30, 2024, 3:57:41 AM
to Wazuh | Mailing List

Hi Matthias

The flow that Wazuh performs is:

  • Log Collection: The process begins with log collection. Wazuh agents are responsible for collecting logs from various sources, such as system logs, application logs, network logs, etc.

  • Normalization/Decoding: Once the logs are collected, they are normalized or decoded. This step involves parsing the raw log data into a structured format that Wazuh can understand and work with. Decoders are used here to convert logs from their original format into a common format for analysis.

  • Analysis and Parsing: After normalization, the logs are analyzed. Wazuh parses the normalized logs and extracts relevant information, such as timestamps, source IP addresses, usernames, etc. This parsed data is then indexed for easier search and retrieval.

  • Rule Matching: Wazuh applies rules to the parsed logs to detect security incidents or anomalies. These rules define conditions or patterns that, when matched, indicate potential security threats or policy violations. If a log matches a rule, an alert is generated.

  • Alerting: When an alert is generated, Wazuh can take various actions based on configured policies. This may include sending notifications, logging the alert to a centralized location, executing custom scripts, or taking other automated response actions.

  • Storage and Indexing: The parsed and analyzed logs, along with any generated alerts, are stored and indexed for later retrieval and analysis. This allows security analysts to search and query the logs efficiently.

You can find information in the following links:

Regards

Antonio

Matthias Appelmans

Apr 30, 2024, 4:10:27 AM
to Wazuh | Mailing List
Hi Antonio,

Thank you for your response.


The Wazuh archives refer to the storage files created by the Wazuh server that contain logs, alerts, and other security-related data collected from monitored endpoints. Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. Wazuh archives are useful for threat hunting, as security teams use archived logs to review historical data of security incidents, analyze trends, and generate reports.

By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server. When enabled, Wazuh archives allow organizations to store and retain security data for compliance and forensic purposes.



What does it do by default when archives are disabled? Does it discard all incoming logs that do not generate an alert?

Matthias
On Tuesday, April 30, 2024 at 09:57:41 UTC+2, Antonio Kim (Wazuh) wrote:

Matthias Appelmans

Apr 30, 2024, 4:44:28 AM
to Wazuh | Mailing List
Another question,


When you turn on "log all" in ossec.conf,

what effect does the step in the screenshot have?

[attachment: question.png]

Source:

On Tuesday, April 30, 2024 at 10:10:27 UTC+2, Matthias Appelmans wrote:

Antonio Kim (Wazuh)

Apr 30, 2024, 5:03:31 AM
to Wazuh | Mailing List
In reference to the logs that do not find a decoder or are processed by rules: since the logs take up disk space, by default Wazuh does not store them. You can configure them to be stored, as shown in the documentation you are reading.
This means that the logs that will be saved (with that configuration) are those that did meet the criteria of some rule.

Alerts will be generated regardless of this setting.
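To make the retention behaviour concrete, here is an added example of the relevant `<global>` settings in the manager's ossec.conf; it is not taken from the thread or from the Wazuh documentation pages quoted above. It shows the default (archives off) next to the same block with archives turned on. The file path and option names are the standard Wazuh ones; the comments describing what lands where are my own summary.

```xml
<!-- Added example: /var/ossec/etc/ossec.conf on the Wazuh manager.
     Default: events that match no rule (or only a rule below the alert
     threshold) are decoded, evaluated against the rules, and then discarded.
     Alerts are still written to /var/ossec/logs/alerts/alerts.log and alerts.json. -->
<ossec_config>
  <global>
    <logall>no</logall>                    <!-- default: no archives.log -->
    <logall_json>no</logall_json>          <!-- default: no archives.json -->
    <alerts_log>yes</alerts_log>           <!-- alerts.log is written regardless of logall -->
    <jsonout_output>yes</jsonout_output>   <!-- alerts.json, what Filebeat ships to the indexer -->
  </global>
</ossec_config>

<!-- Same block with archives enabled: every event that reaches the analysis
     engine, whether or not a decoder or rule matched it, is additionally
     written to /var/ossec/logs/archives/archives.log and archives.json.
     These files grow with the full event volume, so plan disk space
     and rotation before enabling them. -->
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <alerts_log>yes</alerts_log>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
```

Only one of the two `<global>` blocks should be present in a real file. After editing, restart the manager (`systemctl restart wazuh-manager`). Enabling `logall_json` only writes the archives on the manager's disk; showing them in the dashboard additionally requires the Filebeat archives module to be enabled on the manager, which is a separate step from the one above.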

Antonio Kim (Wazuh)

Apr 30, 2024, 5:14:08 AM
to Wazuh | Mailing List
Regarding the second question:
The option to activate events allows you to view on the dashboard those events detected and processed by the existing rules.

I hope these answers have clarified your doubts.

Matthias Appelmans

May 7, 2024, 4:50:51 AM
to Wazuh | Mailing List
Hi, yes, thank you!

I have another question about the normalization/decoding phase.

What is the difference between normalization and decoding, if any? Is normalization when there is no decoder available or something like that?


Kind regards
Matthias

On Tuesday, April 30, 2024 at 11:14:08 UTC+2, Antonio Kim (Wazuh) wrote:

Antonio Kim (Wazuh)

May 10, 2024, 9:57:03 AM
to Wazuh | Mailing List
Hi Matthias

Sorry for the delay in responding.

  • Decoding involves converting raw data into a more readable and structured format. This typically occurs when dealing with logs or events that are stored or transmitted in an encoded or compressed form. Decoding can involve tasks such as decoding and parsing proprietary log formats into a standard format like JSON or syslog. The goal of decoding is to make the data understandable and usable for further analysis.

  • Normalization, on the other hand, involves standardizing and enriching the data to make it more consistent and useful for analysis and correlation. This process may involve converting timestamps to a standardized format, resolving IP addresses to hostnames, extracting relevant fields from logs, or converting log levels or severity codes to a common scale. Normalization helps in creating a uniform dataset from disparate sources, making it easier to analyze and detect security incidents.

In the case of Wazuh, both processes are carried out by the decoder, and rules can also participate in the normalization of the data.
They are theoretical separations but do not have a separation in the use of Wazuh.

Hope this information is useful for you.

Regards
Antonio
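As an added illustration of both the pipeline Antonio described earlier (decode, extract fields, match rules, alert) and his last point that in Wazuh the decoder does the decoding and the normalization in one place, here is a custom decoder and rule pair for a made-up application. This is example code written for this thread, not part of Wazuh's shipped rulesets; the application name "myapp", the field names, the rule IDs and the sample log line below are all constructed. The decoder pulls the status, user and source IP out of the free-text message (the "normalization" step), and the rules then act on those fields.

```xml
<!-- Added example, not from the thread. Constructed sample event the decoder
     is written for (syslog header pre-decoded by Wazuh, program_name = "myapp"):
     Apr 30 09:57:41 host1 myapp: login failed for user alice from 203.0.113.7 -->

<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="myapp">
  <!-- Parent decoder: selected by the syslog program name -->
  <program_name>^myapp$</program_name>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch>^login</prematch>
  <!-- Field extraction: this is where decoding and normalization coincide in Wazuh.
       Captured groups are stored under the names listed in <order>. -->
  <regex offset="after_prematch">^ (\w+) for user (\S+) from (\S+)$</regex>
  <order>status, user, srcip</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (custom rule IDs start at 100000) -->
<group name="myapp,">
  <!-- Grouping rule for every event handled by the myapp decoder.
       Level 0 never produces an alert on its own. -->
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp event</description>
  </rule>

  <!-- Child rule: only fires when the extracted status field is "failed".
       Level 5 is above the default alert threshold (3), so this becomes an alert. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="status">^failed$</field>
    <description>myapp: login failure for user $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

Paste the sample line into `/var/ossec/bin/wazuh-logtest` on the manager to see each phase: the syslog pre-decoder fills `program_name`, the `myapp-login` decoder fills `status`, `user` and `srcip`, and rule 100101 matches and produces an alert. A line such as `... myapp: login ok for user alice from 203.0.113.7` is decoded the same way but matches only the level-0 rule 100100, so it is not alerted on and, with archives disabled, is not stored anywhere; with `logall` enabled it would appear in the archives with the decoded fields attached.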