Transfer log to Wazuh Server


MrBAD0094

Oct 25, 2018, 3:36:29 AM
to Wazuh mailing list
Hi,
How can I transfer logs from the Suricata server to the Wazuh server? It's a different server but on the same network.
Can I use the OSSEC agent?
Where exactly must I define my Suricata log catalog in the OSSIM agent?

It's ~170k EPS.

Regards.

Jose Antonio Izquierdo

Oct 25, 2018, 3:47:30 AM
to MrBAD0094, Wazuh mailing list, jizqu...@owlh.io
Hi. 

Better than using the OSSEC agent, deploy a Wazuh agent. If your Suricata is exporting logs in eve.json you can configure the Wazuh agent to read it and forward the logs to the Wazuh server.

Follow the steps in this URL. OwlH is a sister project of Wazuh.


About EPS: if it is quite high and you are facing performance issues, you can consider using other transport tools like Filebeat.

Usually noise is related to stats or flows. You can also consider filtering those noisy logs and sending them directly to Elastic, and sending only alerts to Wazuh. You will have access to the full info in Elastic/Kibana anyway.

Please let us know if you need any additional info or help.

Best Regards
Jose Antonio Izquierdo
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6180043f-174d-45cd-883d-a4464bd07971%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jose.iz...@wazuh.com

Oct 26, 2018, 4:05:58 AM
to Wazuh mailing list
Hi, 

Did it help? 

Let me know if you need to chat or more info. 

Best Regards
Jose Antonio Izquierdo


MrBAD0094

Oct 26, 2018, 4:48:53 AM
to Wazuh mailing list
Hi, I installed this machine again from scratch, so I can reply on Monday. ;)
But last time I used the OSSEC agent; what are the differences between the OSSEC and Wazuh agents?
As I see, the Wazuh agent has the same path (/var/ossec/...).

Regards.

jose.iz...@wazuh.com

Oct 26, 2018, 5:22:02 AM
to Wazuh mailing list
Hi, 

Well, I would say the good news is that, as you are familiar with OSSEC, you will find the management of the Wazuh agent very familiar.
But there is much more: compatibility, extra functionality, etc. If you are using the Wazuh Manager you must use the Wazuh Agent.

Check the Wazuh documentation to find more details about the Agent/Manager improvements.

Let us know your test results on Monday.

Best Regards
Jose Antonio Izquierdo

MrBAD0094

Oct 26, 2018, 5:27:27 AM
to Wazuh mailing list
OK, thanks for the fast response.
When I have successfully configured the agent I will reply. ;)

Thanks again.

MrBAD0094

Oct 26, 2018, 7:32:31 AM
to Wazuh mailing list
Now I have another problem. I added the agent, and I see this agent in the Kibana panel, but the status is "never connected".
How can I diagnose why this agent does not send any data?

jose.iz...@wazuh.com

Oct 26, 2018, 8:19:25 AM
to Wazuh mailing list
Hi, 

You can check things like:

- Verify your ossec.conf file in your agent to see that your Wazuh server is the one in the configuration's server tag.
- Read the ossec.log file on the agent (/var/ossec/logs/ossec.log). Any errors?
- Verify that the Kibana agent id is the same as the one you have in your agent's /var/ossec/etc/client.keys file. If not, you should export the agent key from the Wazuh manager and import it in your agent, then restart your agent, or register the agent again. Here you have more info about registering: https://documentation.wazuh.com/current/user-manual/registering/index.html

- Verify that port 1514/UDP is open between your agent and your Wazuh manager (I suppose it is, as you were using OSSEC before). A tcpdump in your agent and manager with this config should help:
  tcpdump -i eth0 -nn port 1514 (usually this will work in your agent to provide you info about which manager your agent is trying to connect to)
  tcpdump -i eth0 -nn host 1.1.1.1 (run this in your Wazuh manager with the agent IP)

Let me know if you need more info.
Thanks

Best Regards
Jose Antonio Izquierdo
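As an added example (not part of this thread and not Wazuh's own tooling), a small POSIX shell pre-check that automates the first three items of the checklist above on a constructed sample agent layout. The manager address 10.0.0.5, agent id 001 and the sample file contents are assumptions; on a real agent you would point it at the files under /var/ossec.

```shell
#!/bin/sh
# Added example: offline pre-check for a Wazuh agent that stays "never connected".
# Checks the manager address in ossec.conf, the agent id in client.keys and
# connection errors in ossec.log. All paths and values below are assumptions.
wazuh_agent_precheck() {
    conf=$1; log=$2; keys=$3; expected_id=$4; manager=$5; rc=0
    # 1. The <server><address> in ossec.conf must point at the manager.
    addr=$(sed -n 's:.*<address>\([^<]*\)</address>.*:\1:p' "$conf" | head -n 1)
    if [ "$addr" != "$manager" ]; then
        echo "FAIL: ossec.conf server address is '$addr', expected '$manager'"; rc=1
    fi
    # 2. The id in client.keys (lines are "ID NAME IP KEY") must match the id
    #    Kibana shows for the agent; otherwise re-import the key or re-register.
    key_id=$(awk 'NR==1 {print $1}' "$keys")
    if [ "$key_id" != "$expected_id" ]; then
        echo "FAIL: client.keys id '$key_id' differs from Kibana id '$expected_id'"; rc=1
    fi
    # 3. "Connection refused" in ossec.log usually means UDP/1514 is not open.
    if grep -q 'Connection refused' "$log"; then
        echo "FAIL: ossec.log shows 'Connection refused'; check UDP/1514 to $manager"
        echo "      (then run: tcpdump -i eth0 -nn port 1514 on the agent)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: agent configuration is consistent with manager $manager"
    return "$rc"
}

# Constructed sample agent files (not real Wazuh output) so the check runs offline.
DEMO=$(mktemp -d)
cat > "$DEMO/ossec.conf" <<'EOF'
<ossec_config>
  <client>
    <server>
      <address>10.0.0.5</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>
EOF
printf '001 suricata-sensor any 0123456789abcdef\n' > "$DEMO/client.keys"
printf '2018/10/26 13:00:00 ossec-agentd: INFO: connected to manager (sample)\n' > "$DEMO/ossec.log"
printf '2018/10/26 12:00:00 ossec-agentd: ERROR: Connection refused (sample)\n' > "$DEMO/ossec.bad.log"

# Healthy sample: all three checks pass and the function returns 0.
wazuh_agent_precheck "$DEMO/ossec.conf" "$DEMO/ossec.log" "$DEMO/client.keys" 001 10.0.0.5
```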

MrBAD0094

Oct 26, 2018, 8:42:28 AM
to Wazuh mailing list
OK - in "/var/ossec/logs/ossec.log" I saw "Connection refused", so I opened the UDP port; earlier I had only tcp:1514 -.-
Now I see many packets here: "tcpdump -i eth0 -nn host 1.1.1.1" and here: "tcpdump -i eth0 -nn port 1514", so I think the connection is working and logs are being sent, but in Kibana I still don't see any logs.
Then in the ossec conf file I saved:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>


The catalog should be moved, any suggestions?

PS
And yes - now in Kibana the agent status is active.

jose.iz...@wazuh.com

Oct 26, 2018, 9:03:29 AM
to Wazuh mailing list
Check our OwlH config (http://documentation.owlh.net/en/latest/main/OwlHWazuh.html).

Your agent's ossec.conf must look like this (use syslog instead of json):

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

Also, you will need to modify your Wazuh manager Suricata rules as described here (http://documentation.owlh.net/en/latest/main/OwlHWazuh.html#configure-wazuh-suricata-rules-to-create-right-alarms).

Best Regards
Jose Antonio Izquierdo

MrBAD0094

Oct 30, 2018, 3:08:45 AM
to Wazuh mailing list
Thanks for that help Jose. I am grateful.
At this moment it is fine, but I have two more problems.

Now the Suricata log file (eve.json) is 11G. How do I divide this file; is the best practice to use cron? Or something else?
And if I divide this file (e.g. daily), how do I write this in the conf file?? /var/log/suricata/day* ????

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

jose.iz...@wazuh.com

Oct 30, 2018, 5:01:41 AM
to Wazuh mailing list
Hi 

I think you need to use logrotate. It would do the rotation of your file as well as compress older ones. You can define how many files to keep on your server and it will clean the older ones.

Something like this should work, but please check the logrotate details and verify this configuration works for you.

Ensure your system has logrotate installed and running (usually, it is).

- Create a configuration file: /etc/logrotate.d/suricata.conf
- Include in the file:

/var/log/suricata/eve.json {
    daily
    missingok
    rotate 5
    compress
    notifempty
}

Hope it helps, let me know if you have any question.

MrBAD0094

Oct 30, 2018, 8:44:56 AM
to Wazuh mailing list
OK, I set logrotate to e.g. monthly.
So I will have (e.g.):
eve_09.2018.json
eve_10.2018.json

So in the Wazuh agent conf file can I set: <location>/var/log/suricata/eve_*.json</location>????

jose.iz...@wazuh.com

Oct 30, 2018, 9:03:45 AM
to Wazuh mailing list
Hi, 

No, it doesn't work like this. 

logrotate takes your current log file and creates a new log file with the same name but empty. The older one is moved and compressed as indicated in the configuration.

You will have something like this:

eve.json
eve.json.1
eve.json.2.gz
eve.json.3.gz
eve.json.4.gz
eve.json.5.gz

eve.json is the current log file, the one that Wazuh will read. You don't need to modify the Wazuh configuration.

Suppose the daily rotation as per my sample before; then you will have:

eve.json is today's Suricata log file.
eve.json.1 is yesterday's log file, uncompressed.
eve.json.2.gz is the log file from two days ago, compressed.

logrotate will keep rotating those files. The current one is always eve.json. Older files are released. So you don't need to modify the Wazuh configuration.

MrBAD0094

Oct 30, 2018, 9:55:38 AM
to Wazuh mailing list
Looks simple. ;) I'll try this tomorrow.
Even though my Wazuh agent conf file looks like this: (...)/var/log/suricata/eve.json(...), it can read e.g. eve.json.1. Yes?
In that case I'm not sure I can view yesterday's logs in Kibana.

OK, it doesn't matter at this moment; if this does not work I will find a solution alone, but very, very many thanks again. Your help was invaluable.

Regards.

jose.iz...@wazuh.com

Oct 30, 2018, 10:05:47 AM
to Wazuh mailing list
You are welcome. 

Remember that Wazuh will read logs just once, so it will only read the eve.json file, the current one. Older files are not needed. Wazuh reads logs in real time, so you will only keep older files just in case you need them for any other reason, but Wazuh isn't going to read eve.json.1 or any other file than eve.json.

You don't need to modify your agent configuration. Just keep reading eve.json.

Thanks and good luck. 

Best Regards
Jose Antonio Izquierdo