Newbie of Wazuh
393 views
Skip to first unread message
Lanny
May 9, 2023, 11:10:24 PM5/9/23
to Wazuh mailing list
Hi, I am a newbie of wazuh. I have the following questions about this wonderful log capture and analysis application...
1. Choosing all-in-one install script to install Wazuh server on system disk, after 30 days, found it occupied many disk space, are there alternative ways to migrate the log / alarm file / index etc. to different disk without re-install wazuh server?
2. How can I calculate the log space? Right now our environment have the 100 Linux and Windows devices and 70 network devices...
3. Because this is a temporary Wazuh server, is it possible to change the server ip on endpoint and how to do it?
4. We would like to capture all logs while the endpoint installed agent, but I checked the agent configure, for example
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
</localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
</localfile>
is that mean the above event id not capture / send to wazuh server for analysis?
5. Because of all-in-one installation, if I want to expand the current single-node server environment to multi-node server environment, what action should be perform with less downtime and less configuration change of current Wazuh server?
Please support feel free to give me some guide about these? Thank you!
Jose Antonio Izquierdo
May 10, 2023, 3:20:57 AM5/10/23
to Wazuh mailing list
Hi Lanry,
I will try to provide some info for your questions.
1.- You should plan your final wazuh architecture based on your experience
with this AIO deployment. maybe you will need to move from this AIO to a
distributed architecture with a wazuh server cluster (2 nodes) and
wazuh-indexer cluster (3 nodes)
about your question:
Wazuh
server files (var/ossec/logs) - Old files should be compressed so that
you can move them to a different place, maybe an NFS resource or extra
space in a different partition. If you want to keep the info in the same
folder, you can try adding a new disk and moving the wazuh folder to
that new disk setting a link for /var/ossec to the new partition/folder.
I will suggest this as part of a test environment, If you plan for
production, please resize and reinstall based on your experience.
Wazuh-indexer
indices - you will manage the indices life cycle using ILM on your
Wazuh-indexer. This will allow you to keep hot, and cold storage, and
older indices cleaned. some info about ILM configuration can be found
here - https://docs.openstack.org/infra/ci-log-processing/opensearch-configuration.html#create-ilm-index-lifecycle-management
Backup - this may be useful too - https://documentation.wazuh.com/current/user-manual/files-backup/wazuh-central-components.html
2.-
About sizing - for 100 Linux/Windows servers, and 70 network devices,
you should expect 60G for 30 days of hot storage, and 180G for 90 days
of cold storage. This is assuming 1EPS per system, 1K log size per
system. Anyway, your platform will work better for you as a sizing tool
as you can see your real EPS, alarms ratio, etc...
3.-
To change the wazuh-agent configuration to point to a new system, you
must edit ossec.conf in your endpoints. You should use a server name
instead of an IP, so changing the name resolution will solve your issue.
If your environment is up un running you will need to change endpoints
ossec.conf to point to the right IP, When running the update of the ip
consider using a name to help with any other future modification.
4.- Yes, events in that query won't be sent to the wazuh-server.
5.- My suggestion is to install a fully new environment and try some migration strategies. like:
5.a.-
Modify your endpoints to use a name instead of IP. Be sure your agents
can register automatically and work in your old environment using the
name.
5.b.- Create and test the new environment. Be sure
your agents can register automatically and work in your new environment
using the name. Use a few new agents for full test.
5.c.-
Change your name resolution. you may need to send from the old
environment a restart command to all the agents. After restarting,
agents should resolve the new ip and try to connect and register.
Hope it helps as a starting point. ping me if you need further details. Please remember that you will need to adapt these recommendations to your environment and experience.
Thanks.
Lanny
May 10, 2023, 4:10:32 AM5/10/23
to Wazuh mailing list
Hi Jose,
Thanks your response,
In Q1, because we have no any extra hardware resource for another node to deploy, and the current server have 100 GB local harddisk, and 1TB volume from SAN server, we hopefully the wazuh relative application store on this system hdd (100GB), and other relate data log will store on the 1TB, possible perform in All-In-One script?
In Q3, name also be changed because some of company or government policy, so it is better to choosing IP address, but I think this is excellent solu. to reduce the workload
In Q4, that means if I delete this part in ossec.conf on endpoint
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
will all data send to Wazuh server?
Jose Antonio Izquierdo 在 2023年5月10日 星期三下午3:20:57 [UTC+8] 的信中寫道:
jose antonio izquierdo lopez
May 10, 2023, 4:27:52 AM5/10/23
to Wazuh mailing list
Hi again,
Q1 - you should create the process. but usually is something like:
- stop server
- copy the current folder to the new folder. be sure you copy permissions too
- move the current folder to a new folder name (# move /var/ossec/ /var/ossec2)
- create a symlink to point /var/ossec to /your/new/1TB/folder.
- start the server, verify everything works
If something is wrong,
- stop the manger
- remove symlink
- move your old folder back
- restart the manager
Q4 - Yes, but we did exclude them for a reason. these events are too noisy. so be careful when modifying that configuration. Also, please, take into account that any new version will overwrite your default configuration. Maybe you should use a centralized configuration (read this)
Thanks
Lanny
May 11, 2023, 5:37:52 AM5/11/23
to Wazuh mailing list
Hi Jose
Thanks your response, we have another problem about change server IP, we're now using testing IP for this application PoC, we also changed many setting whether in Linux OS or in Wazuh server, we hopefully change prod IP to go live, does it any affect of Wazuh application? Or need to change Wazuh setting? If yes, how to change and where to change?
Regards,
Lanny
jose antonio izquierdo lopez 在 2023年5月10日 星期三下午4:27:52 [UTC+8] 的信中寫道:
Reply all
Reply to author
Forward
0 new messages