Wazuh agent and openvpn Best Practices


Charles Rawls

Jan 19, 2023, 2:36:51 PM
to Wazuh mailing list
Greetings:

Is there a set of best practices for the monitoring of an openvpn server via the wazuh agent?

I have the basic setup complete and the agent installed, but I wish to monitor for events out of the /var/log/openvpas.log.

Charles Rawls

Jan 19, 2023, 6:33:18 PM
to Wazuh mailing list

To reply to my own question, and follow best practices to share the answer:

I am sure many already know this, but on the off chance I may save someone an hour or two ...

[Attached image: openvpn-syslog.png]
This will send the access logs to /var/log/syslog.  The default agent configuration will send these to the wazuh manager.

Various rule sets can be found in /var/ossec/ruleset/rules/0400-openvpn_rules.xml. These can be tweaked to match your alerting needs.

More research will be done to produce a set of alerting rules to comply with various standards.

Julian Bustamante Narvaez

Jan 23, 2023, 8:51:34 PM
to Wazuh mailing list