Hi Ryan,
The rule 504 is the one that Wazuh uses to generate disconnection alerts:
<rule id="504" level="3">
  <if_sid>200</if_sid>
  <match>Agent disconnected</match>
  <description>Wazuh agent disconnected.</description>
  <mitre>
    <id>T1089</id>
  </mitre>
  <group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AU.5,tsc_CC7.2,tsc_CC7.3,tsc_CC6.8,</group>
</rule>
What I suggest is to create a child rule from the above that will silence all alerts except those for the agent you want to monitor. You can use the
location tag, which identifies the origin of the input. If the event comes from an agent, its name and registered IP are appended to the location.
Following your example, if you need to report disconnection alerts only for agent agentXYZ you will need to add this custom rule in the /var/ossec/etc/rules/local_rules.xml file:
<!-- Child of rule 504: level 0 means the event is matched but no alert is generated -->
<rule id="100001" level="0">
  <if_sid>504</if_sid>
  <!-- negate="yes": match any location that does NOT contain agentXYZ -->
  <location negate="yes">agentXYZ</location>
  <description>Disable disconnection alert for all agents except for agentXYZ</description>
</rule>
All logs that come from a location different from agentXYZ will match this rule and will be ignored, since alert level is set to 0. If the logs come from agent agentXYZ, they won't match rule 100001 and will generate alerts when matching parent rule 504.
I hope this information can answer all your doubts.
Best regards.
Tomás Turina.
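The following is an added illustration, not code from the reply above or from the Wazuh project. It is a small Python model of the parent/child rule walk the reply describes: an event that has already reached rule 200 is checked against rule 504, and then against the level-0 child 100001 whose negated location only fires for agents other than agentXYZ. The rule text is the one from the reply (minus the mitre/group tags); the two events and their "(name) ip->source" locations are constructed sample input, and Python's `re.search` stands in for Wazuh's own sregex matching of the location tag.

```python
"""Simplified model of Wazuh rule selection for the disconnection case.

Added example, not Wazuh code. It models only <if_sid>, <match>,
<location negate="yes"> and the "most specific matching child wins"
behaviour; it assumes the event has already matched rule 200 (the
ossec decoder grouping rule). Wazuh's real engine uses its own regex
dialect for <location>; re.search is a stand-in here.
"""
import re
import xml.etree.ElementTree as ET

# Rules from the reply, wrapped in a <group> so they parse as one document.
RULES_XML = """
<group name="local,">
  <rule id="504" level="3">
    <if_sid>200</if_sid>
    <match>Agent disconnected</match>
    <description>Wazuh agent disconnected.</description>
  </rule>
  <rule id="100001" level="0">
    <if_sid>504</if_sid>
    <location negate="yes">agentXYZ</location>
    <description>Disable disconnection alert for all agents except for agentXYZ</description>
  </rule>
</group>
"""

# Constructed sample events. The location shape "(agent) ip->source" is an
# assumption about how the agent name and registered IP are appended.
EVENTS = [
    {"location": "(agentXYZ) 10.0.0.5->ossec",
     "log": "ossec: Agent disconnected: 'agentXYZ-10.0.0.5'."},
    {"location": "(agentABC) 10.0.0.6->ossec",
     "log": "ossec: Agent disconnected: 'agentABC-10.0.0.6'."},
]


def load_rules(xml_text):
    """Parse <rule> elements into plain dicts."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        loc = r.find("location")
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": {int(s) for s in sids if s.strip()},
            "match": r.findtext("match"),
            "location": loc.text if loc is not None else None,
            "location_negate": loc is not None and loc.get("negate") == "yes",
            "description": r.findtext("description"),
        })
    return rules


def rule_matches(rule, event, parent_id):
    """True if every condition the rule carries holds for this event."""
    if rule["if_sid"] and parent_id not in rule["if_sid"]:
        return False
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    if rule["location"]:
        hit = re.search(rule["location"], event["location"]) is not None
        # negate="yes" inverts the test: match only when the pattern is absent
        if hit == rule["location_negate"]:
            return False
    return True


def evaluate(rules, event, base_sid=200):
    """Descend from base_sid to the most specific matching child rule."""
    by_parent = {}
    for r in rules:
        for p in r["if_sid"]:
            by_parent.setdefault(p, []).append(r)
    current, current_id = None, base_sid
    while True:
        child = next((r for r in by_parent.get(current_id, [])
                      if rule_matches(r, event, current_id)), None)
        if child is None:
            return current
        current, current_id = child, child["id"]


def alert_level(rules, event):
    """Return (rule id, level); level 0 means the event is silenced."""
    rule = evaluate(rules, event)
    return (None, None) if rule is None else (rule["id"], rule["level"])


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for ev in EVENTS:
        rid, level = alert_level(rules, ev)
        print(f"{ev['location']}: rule {rid}, level {level}")
```

Running it shows the agentXYZ event stopping at rule 504 (level 3, alert generated) while the agentABC event descends into rule 100001 (level 0, silenced), which is exactly the behaviour the reply describes. If you want to whitelist several agents, the `<location>` pattern can be extended in the same child rule rather than adding one level-0 rule per agent.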