Display Alerts Level 0 in Security Events.

TSC Consultores
Sep 5, 2022, 2:15:27 AM
to Wazuh mailing list
Dear all, 

Is there a way to see level 0 alerts in Security Events? We are monitoring several Apache logs, but we can only see alerts of level 5 and above; we want to see all the logs there.

Here is an example of ruleset test output:
**Phase 1: Completed pre-decoding.
xxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxx

**Phase 2: Completed decoding.
name: 'apache-errorlog'
parent: 'apache-errorlog'
id: 'AH01071'
srcip: '13.110.x.x'
srcport: '0'

**Phase 3: Completed filtering (rules).
id: '30301'
level: '0'
description: 'Apache: Error messages grouped.'
groups: '["apache","web"]'
firedtimes: '1'
mail: 'false'

Thank you, 

elw...@wazuh.com
Sep 5, 2022, 3:23:51 AM
to Wazuh mailing list
Hello,

To configure the Wazuh manager to store all the logs, you should enable the option `logall_json` (https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html?highlight=archives#logall-json), which will generate archives.json.

Then, in the Filebeat configuration file /etc/filebeat/filebeat.yml, you should set the archives module to true:

# Wazuh - Filebeat configuration file
output.elasticsearch.hosts: ["127.0.0.1:9200"]
output.elasticsearch.password: <elasticsearch_password>

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true



And restart it: systemctl restart filebeat.

You will have a new index in the Wazuh dashboard called `wazuh-archives*` which contains every collected alert/log.

I hope it helps.

Regards,
Wali

TSC Consultores
Sep 6, 2022, 11:16:03 AM
to Wazuh mailing list
Thanks Wali for your answer,

I did the process you mentioned, but I can't see the `wazuh-archives*` index. Is there any process I need to do?

I attach ossec.conf and filebeat.yml configuration screenshots. 

Thanks again. 
ossec conf.png
filebeat yml.png

elw...@wazuh.com
Sep 7, 2022, 2:01:01 AM
to Wazuh mailing list
Hello,

The configuration looks good to me; I hadn't mentioned that the Wazuh manager must be restarted (systemctl restart wazuh-manager) to apply the configuration, which should generate the file /var/ossec/logs/archives/archives.json. Can you please check it?

Regards,
Wali

TSC Consultores
Sep 7, 2022, 12:15:28 PM
to Wazuh mailing list
Hello Wali, 

Yes, I restarted the wazuh-manager, but it doesn't show the `wazuh-archives*` index. Could you please share with me a screenshot of the configuration I need to have in ossec.conf and filebeat.yml? I attached mine in the last message, but maybe I'm missing something else.

Thanks.  

elw...@wazuh.com
Sep 9, 2022, 4:59:09 AM
to Wazuh mailing list
Hello,

Sure thing. The following are the configuration files and the procedure:

Wazuh configuration:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>


[root@localhost vagrant]# systemctl restart wazuh-manager.service
[root@localhost vagrant]# ls -ll /var/ossec/logs/archives/
total 16
drwxr-x---. 4 wazuh wazuh    28 Sep  1 06:12 2022
-rw-r-----. 2 wazuh wazuh 12849 Sep  9 08:45 archives.json
-rw-r-----. 2 wazuh wazuh     0 Sep  9 08:15 archives.log


Filebeat configuration:

# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: ${username}
  password: ${password}
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false


filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true


logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq


[root@localhost vagrant]# systemctl restart filebeat.service  | tail -f /var/log/wazuh-indexer/wazuh-cluster.log
[2022-09-09T08:22:38,792][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2022-09-09T08:22:39,138][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Cancel background move metadata process.
[2022-09-09T08:22:39,139][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Performing move cluster state metadata.
[2022-09-09T08:22:39,140][INFO ][o.o.i.i.MetadataService  ] [node-1] Move metadata has finished.
[2022-09-09T08:27:38,797][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2022-09-09T08:30:00,525][INFO ][o.o.c.m.MetadataUpdateSettingsService] [node-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2022.36w]
[2022-09-09T08:32:38,798][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2022-09-09T08:37:38,800][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2022-09-09T08:42:38,802][INFO ][o.o.j.s.JobSweeper       ] [node-1] Running full sweep
[2022-09-09T08:45:01,102][INFO ][o.o.c.m.MetadataUpdateSettingsService] [node-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2022.36w]
[2022-09-09T08:46:30,774][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-archives-4.x-2022.09.09] creating index, cause [auto(bulk api)], templates [wazuh], shards [3]/[0]


As you can see above, after configuring Wazuh and Filebeat, the archives.json file and the wazuh-archives index got created.


I hope this helps.

Regards,
Wali
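The thread's troubleshooting comes down to three checks (logall_json enabled in ossec.conf, the archives module enabled in filebeat.yml, and a non-empty archives.json after the manager restart). The following helper script, added here and not part of the thread or of Wazuh, runs those checks against file paths you pass in; the function name `check_archives_pipeline` and the default path /var/ossec/etc/ossec.conf are assumptions, the other paths are the ones quoted in the thread.

```shell
#!/bin/sh
# check_archives_pipeline OSSEC_CONF FILEBEAT_YML ARCHIVES_JSON
# Verifies the three prerequisites for a wazuh-archives* index to appear.
# Assumes a single "module: wazuh" block in filebeat.yml, as in the thread.
check_archives_pipeline() {
  ossec_conf=$1 filebeat_yml=$2 archives_json=$3
  rc=0

  # 1. The manager only writes archives.json when logall_json is "yes".
  if grep -Eq '<logall_json>[[:space:]]*yes[[:space:]]*</logall_json>' "$ossec_conf"; then
    echo "OK   logall_json is enabled in $ossec_conf"
  else
    echo "FAIL logall_json is not 'yes' in $ossec_conf (manager will not write archives.json)"
    rc=1
  fi

  # 2. Filebeat ships archives.json only if the archives sub-module is enabled:
  #    look for "archives:" followed by "enabled: true" before the next key.
  if awk '
      /^[[:space:]]*#/ { next }
      /^[[:space:]]*archives:/ { in_arch = 1; next }
      in_arch && /^[[:space:]]*enabled:[[:space:]]*true/ { found = 1 }
      in_arch && /^[[:space:]]*[a-z_]+:/ && !/^[[:space:]]*enabled:/ { in_arch = 0 }
      END { if (found) exit 0; exit 1 }' "$filebeat_yml"; then
    echo "OK   archives module is enabled in $filebeat_yml"
  else
    echo "FAIL archives module is not enabled in $filebeat_yml (Filebeat will not ship archives.json)"
    rc=1
  fi

  # 3. archives.json must exist and have content; an empty file usually means
  #    the manager was not restarted after the config change.
  if [ -s "$archives_json" ]; then
    echo "OK   $archives_json exists and is non-empty"
  else
    echo "FAIL $archives_json is missing or empty (restart wazuh-manager and check again)"
    rc=1
  fi
  return $rc
}

# Run the checks only when all three paths are given on the command line, e.g.
#   sh check.sh /var/ossec/etc/ossec.conf /etc/filebeat/filebeat.yml /var/ossec/logs/archives/archives.json
if [ "$#" -eq 3 ]; then
  check_archives_pipeline "$1" "$2" "$3"
fi
```

A non-zero exit status means at least one prerequisite is missing; the FAIL line names which one.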