Adding a custom field to all events coming from an agent


Alex V.

Sep 22, 2023, 8:35:28 AM
to Wazuh | Mailing List
I need to add a custom field with subnet information to all events coming from an agent. For example, there are multiple agents in different cloud environments. I need to define events from a specific cloud environment via a custom field. How can I do this?

Antonio David Gutiérrez

Sep 22, 2023, 9:12:57 AM
to Wazuh | Mailing List
Hi Alex,

If the information you want to add to the alerts related to an agent is static (always the same value) and doesn't depend on the event/log content, then I think you could use the agent labels: https://documentation.wazuh.com/current/user-manual/agents/labels.html. This feature allows you to add static information to the alerts of an agent. You can define the labels for each agent, or use the centralized way through the group configuration to affect all the agents that belong to that group.

If the information you want to add depends on the event/log, then you may need to create a custom decoder that extracts that information and stores it in a field. Moreover, depending on the log, you may need to create a rule to generate the related alert when the rule conditions are matched.
References:
- https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
- https://documentation.wazuh.com/4.5/user-manual/ruleset/custom.html

If the information is dynamic and is not present in the event/log collected by the Wazuh agent, then I am not sure how to do this. If this is the case, please elaborate on your use case.
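An added example of the centralized label approach from the reply above (not part of the original thread, and not taken from the Wazuh documentation). It assumes a manager-side agent group named `aws-prod` whose shared configuration lives in `/var/ossec/etc/shared/aws-prod/agent.conf`; the label keys and values (`cloud.provider`, `cloud.subnet`, `cloud.account`) are illustrative choices for the subnet use case in the question:

```xml
<!-- Added example: shared agent.conf for the hypothetical "aws-prod" group.
     Every agent assigned to this group receives these labels, so the same
     static subnet information is attached to every alert it produces. -->
<agent_config>
  <labels>
    <!-- Dotted keys become nested objects in alerts.json:
         "agent": { "labels": { "cloud": { "provider": "aws", "subnet": "10.20.0.0/16" } } } -->
    <label key="cloud.provider">aws</label>
    <label key="cloud.subnet">10.20.0.0/16</label>
    <!-- hidden="yes" keeps the label in alerts.json but leaves it out of the plain-text alerts.log -->
    <label key="cloud.account" hidden="yes">123456789012</label>
  </labels>
</agent_config>
```

The same `<labels>` element can be placed directly inside `<ossec_config>` in an agent's local ossec.conf if you prefer per-agent configuration. One group per cloud environment (each with its own `cloud.subnet` value) is the natural fit for the question: assign agents to the group with the manager's `agent_groups` tool, and the resulting alerts can then be filtered on `agent.labels.cloud.subnet` in the dashboard or in your SIEM.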
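An added example for the second case in the reply, where the subnet information has to come from the log itself (again not part of the original thread or the Wazuh ruleset). It assumes a hypothetical application that logs lines such as `myapp: connection accepted from 10.20.3.4 to svc-api`; the decoder below extracts the source address, and the rules classify the event by the CIDR block it falls in. The decoder goes in `/var/ossec/etc/decoders/local_decoder.xml` and the rules in `/var/ossec/etc/rules/local_rules.xml`; the application name, field names, rule IDs and subnet are illustrative:

```xml
<!-- Added example: custom decoder and rules for a constructed log line
       myapp: connection accepted from 10.20.3.4 to svc-api
     The decoder part belongs in local_decoder.xml, the rules in local_rules.xml. -->

<!-- Parent decoder: matches the program prefix of the constructed log line -->
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>

<!-- Child decoder: extracts the source IP into the standard "srcip" field
     and the target name into a dynamic field called "service" -->
<decoder name="myapp-connection">
  <parent>myapp</parent>
  <regex offset="after_prematch">^connection accepted from (\S+) to (\S+)</regex>
  <order>srcip, service</order>
</decoder>

<!-- Rules: IDs 100000 and above are reserved for custom rules -->
<group name="myapp,">
  <!-- Base rule: fires for every decoded myapp connection line -->
  <rule id="100100" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp: connection accepted</description>
  </rule>

  <!-- Child rule: the srcip field supports CIDR notation, so this tags only
       connections originating from the assumed 10.20.0.0/16 cloud subnet -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <srcip>10.20.0.0/16</srcip>
    <description>myapp: connection from the aws-prod subnet</description>
    <group>aws_prod,</group>
  </rule>
</group>
```

With this in place, alerts for matching lines carry `data.srcip`, `data.service` and the extra `aws_prod` entry in `rule.groups`, which is the field to filter on. You can check the decoding and the rule match before restarting the manager by pasting the sample line into `/var/ossec/bin/wazuh-logtest`.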