Live Network traffic / NetFlow

[Milan Patel]

Hello,

I am new to Wazuh and testing the features if they meed out need or not.

Would like to know few things.

1.  how can we implement or does wazuh support netflow. We want to see live network traffic.

2. I would like to forward data from many pfsense firewalls to wazuh and I am not using any agent at this moment so on the Wazuh dashboard can I create a group for only FW as there are multiple things under events so hard to filter pfsense thigs. Also I have snort data coming to Wazuh via FW so if I wanna block any malicious IP detected by snort to multiple pfsense FW can we do that ?

I mean can we do orchestration ?

3. I can not see my apache logs on wazuh manager/dashboard. My current setup is like this.

From one system I am using rsyslog to send my apache logs to Wazuh . So on Wazuh end on terminal I can see the logs but not on the Gui/Dashboard. Why is that ? could some one help me to setup that ? I am not using agent at this moment.

Thanks,

[Luis González Romero]

Hello milan.patel, hope you’re great.

1. Yes, you could configure your CISCO devices to send logs to your Wazuh manager. Then, you can collect them and obtain the alerts.

   To receive data from your devices you should add a configuration block similar to this one in your ossec.conf (manager side):

   <remote> <connection>syslog</connection> <port>514</port> <protocol>tcp</protocol> <allowed-ips>192.168.0.0/24</allowed-ips> <local_ip>192.168.0.1</local_ip> </remote>

   More details about this feature here.

2. Yes, you can do agentless monitoring. You could filter by the rule group pfsense (check it here), if you are your custom decoders/rules for extra cases or something you can add them to that group. Also, about the orchestration, you can use active responses to handle those malicious IPs. Besides, here you have relevant info

   • https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html
   • https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-attacks.html

3. Did you try to use the /var/ossec/bin/wazuh-logtest tool to verify that those logs that your manager receives have the expected format and trigger the alerts? Besides, I see this is a duplicate of this one.

Hope this helps you,
Luis.

​

[Luis González Romero]

I’m sorry, the configuration sample formatting was messed up. Hope this one is not.

<remote> <connection>syslog</connection> <port>514</port> <protocol>tcp</protocol> <allowed-ips>192.168.0.0/24</allowed-ips> <local_ip>192.168.0.1</local_ip> </remote>

Also, here you have more samples.

​

[Steven Kan]

Luis,

Pardon the beginner question, but how (and where?) does one actually make this edit? Would it be in /var/ossec/etc/ossec.conf? My goal is to direct syslog from a pfsense hardware appliance to this VM running Wazuh.

I've downloaded the VM from here, extracted the .vhdx, and configured a VM in Hyper-V. I started the VM, logged into the local console as wazuh-user/wazuh (I see the giant W!), and I can now log into the webUI as admin/admin from other machines, so the basic installation appears to have been correct.

But from the VM local console (wazuh-user) I can't navigate to /var/ossec/etc/ to edit ossec.conf. I can cd /var, but when I try to cd /var/ossec I get Permission Denied.

I tried su, su root, and su -s root, all with password wazuh, but all failed with Authentication Failure.

In anticipation of getting access to ossec.conf I also tried running nano, but it's not installed. Is vi the only text editor available? 

From the webUI I can get to https://<wazuh-ip>/app/wazuh#/manager/?tab=configuration, and from there I can get to Log data analysis: Log collection: XML and see settings such as:

<?xml version='1.0'?>
<configuration>
<logcollector-localfile>
<localfile>
<logformat>command</logformat>
<command>df -P</command>
<alias>df -P</alias>
<ignore_binaries>no</ignore_binaries>
<target>agent</target>
<frequency>360</frequency>
</localfile>

but I don't see a way to edit it.

Can you please point me in the correct direction? Thanks!

[Steven Kan]

Ah, never mind. I figured it out (e.g. log in as root instead of wazuh-user at the initial login prompt).

I was able to add that block of xml, and I turned on remote logging to the wazuh VM's IP address.

Now I have to figure out how to use wazuh :D