Update Wazuh - Events - Changelog


Facu Basgall

Dec 29, 2022, 7:37:22 AM
to Wazuh mailing list
Good morning, I would like to know if there was any change in the versions of Wazuh, because before upgrading from 4.3.6 to 4.3.10 I was generating 65k daily events and now I have 5k. I already checked the changelog but I did not find any information about it. Thank you very much for your help.

mayte...@wazuh.com

Jan 3, 2023, 3:14:28 AM
to Wazuh mailing list
Hi!

Sorry for the late response.

There are several changes between these versions (Changelog). Depending on the case it is possible that the update has affected the generated events.

Could you run the following query in Elasticsearch/Wazuh indexer to check the top 15 generated rules and the count of each of them? Maybe this way we can find out where the change is located.

curl -k -u <user>:<pass> -XGET "https://localhost:9200/wazuh-alerts-*/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "size": 0,
  "query": {
    "range" : {
        "@timestamp" : {
            "gte" : <TIMESTAMP1>,
            "lte" : <TIMESTAMP2>
        }
    }
  },
  "aggs": {
    "group_by_ruleid": {
      "terms": {
        "field": "rule.id",
        "size": 15,
        "order": { "_count": "desc" }
      }
    }
  }
}'

You should run the command twice, changing the <TIMESTAMP> range:
- Using an interval in which you had not updated yet:
            "gte" : "2022-12-01T00:00:00.000",
            "lte" : "2022-12-02T00:00:00.000"
- Another one using an interval after updating:
            "gte" : "2023-01-01T00:00:00.000",
            "lte" : "2023-01-02T00:00:00.000"
In both cases the interval must have the same duration and be big enough (e.g., one day).

This way we can check which rules are triggered more frequently before and after the update, which may help us to find out where the change has happened.

I hope it helps. Please keep us updated!

Best regards,
Mayte Ariza
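A script version of the before/after comparison described above, added here as an example; it is not from the thread or from Wazuh. It assumes the same indexer URL and basic-auth credentials as the curl command, and the two sample responses at the bottom are constructed stand-ins for the real query results.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

INDEXER_URL = "https://localhost:9200/wazuh-alerts-*/_search"  # same host as the curl

def build_query(gte, lte, size=15):
    """Same terms aggregation as the curl: top-N rule.id by count, no hits."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": gte, "lte": lte}}},
        "aggs": {"group_by_ruleid": {"terms": {
            "field": "rule.id", "size": size, "order": {"_count": "desc"}}}}}

def fetch_top_rules(user, password, gte, lte):
    """POST the query with basic auth; skips cert verification like 'curl -k'."""
    req = urllib.request.Request(INDEXER_URL, method="POST",
                                 data=json.dumps(build_query(gte, lte)).encode())
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization",
                   "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def bucket_counts(response):
    """Flatten the terms buckets into {rule_id: doc_count}."""
    return {b["key"]: b["doc_count"]
            for b in response["aggregations"]["group_by_ruleid"]["buckets"]}

def compare(before, after):
    """(rule_id, before, after, delta) rows, biggest drop first; a rule absent
    from one side counts 0 (it stopped firing or fell out of the top N)."""
    rows = [(r, before.get(r, 0), after.get(r, 0), after.get(r, 0) - before.get(r, 0))
            for r in set(before) | set(after)]
    return sorted(rows, key=lambda r: r[3])

# Constructed sample responses standing in for the two real query results.
SAMPLE_BEFORE = {"aggregations": {"group_by_ruleid": {"buckets": [
    {"key": "5501", "doc_count": 30000}, {"key": "533", "doc_count": 20000},
    {"key": "5402", "doc_count": 10000}]}}}
SAMPLE_AFTER = {"aggregations": {"group_by_ruleid": {"buckets": [
    {"key": "5501", "doc_count": 3000}, {"key": "533", "doc_count": 1500}]}}}

def demo():
    """Diff the two samples; with real data, feed fetch_top_rules() output instead."""
    return compare(bucket_counts(SAMPLE_BEFORE), bucket_counts(SAMPLE_AFTER))
```

Rules that vanish from the "after" side entirely are the first place to look, since a rule that still fires at a lower rate points to a tuning change while one that stops completely points to a decoder, rule or agent configuration change.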

Facu Basgall

Jan 4, 2023, 7:29:07 AM
to Wazuh mailing list
Sorry, it was a configuration error. I had modified some parameters while testing and did not remember.
Thank you very much for your answer.


mayte...@wazuh.com

Jan 5, 2023, 1:42:34 AM
to Wazuh mailing list
Hi,

I'm glad the issue is solved!
Do not hesitate to open a new topic and contact us again if you have any questions.
 
Best regards,
Mayte Ariza