Configuration


Muhammad Kamran

Sep 7, 2023, 7:12:13 AM
to Wazuh | Mailing List
Hi Support,

I am new to Wazuh. I have installed and configured Wazuh-Manager, Index and Dashboard and it's working fine; afterwards I installed agents on three different VMs, 2 are Linux and 1 is Windows.
Now on the Wazuh Dashboard I want to check Security Events and System Audit, but no results are found. Please help me to configure it.
Where should it be configured, in the Wazuh Manager, the Agent, or both of them? Please help me to set it up.

Thanks a lot

Olusegun Adenrele Oyebo

Sep 7, 2023, 12:17:17 PM
to Wazuh | Mailing List
Dear Muhammad,

Thank you for using Wazuh.

Kindly confirm that those agents are reporting on the console. I'm also attaching some links below which could be helpful:
I hope those links will be helpful and give you insights on how Wazuh works.

Best regards.

Muhammad Kamran

Sep 8, 2023, 3:16:24 AM
to Wazuh | Mailing List
Thanks a lot. Please let me know the Wazuh support license cost.

Olusegun Adenrele Oyebo

Sep 8, 2023, 3:52:07 AM
to Wazuh | Mailing List

Hello Mohammad,

Good to hear from you again.

For Wazuh support license related information, kindly visit the link and we'll be glad to reach out to you.

Do not hesitate to get back to us again if you have any other query or questions.

Best regards.

Muhammad Kamran

Sep 11, 2023, 7:54:05 AM
to Wazuh | Mailing List
Thanks for the update.
I have installed Wazuh-Manager, Wazuh-Index and Wazuh-Dashboard. I managed to open the web console of Wazuh-Dashboard. I added three servers and I want to log them, i.e. I want their security events and system audits. Please help me to configure it so that I can check it out and show it to my management team. My Wazuh version is 4.5 on RHEL 8.3 and I added three machines, 2 are RHEL OS and 1 is Win Server 2018, so please help me to check the system audit and security events of all 3 agents. As I have the ossec.conf file in /var/ossec/etc/ossec.conf with YML elements, please help me in this regard.

Olusegun Adenrele Oyebo

Sep 14, 2023, 6:47:04 AM
to Wazuh | Mailing List
Hello Muhammed,

It's good to hear from you again and sorry for the late response.

Since you've installed agents on the endpoints you want to monitor and they're reporting, you should be able to see security events on your console. From the console homepage, go to Security events where you will see the "Dashboard" tab and the "Events" tab.

For you to be able to get audit events on Linux endpoints, one of the prerequisites is to perform some configuration on the Wazuh server end. By default, Wazuh includes an audit CDB list. This CDB list contains audit keys that map against write, read, attribute change, execution, and command events. To know more about CDB lists, you can check the link.

Run the below command to view the content of the CDB list:
cat /var/ossec/etc/lists/audit-keys

You can add your custom key with its value to the list like this:
echo "<YOUR_KEY>:<VALUE>" >> /var/ossec/etc/lists/audit-keys

Where <YOUR_KEY> is the key set in the audit rule and <VALUE> is used by Wazuh to process the event.

Restart the Wazuh manager any time you modify the CDB list:
systemctl restart wazuh-manager

Monitored Endpoint Configuration.
Install the audit package on your endpoint. If the package is not installed, you can run the command below:
  • yum install -y auditd (Red hat distribution)
  • apt install -y auditd (Debian distribution)
If the package is already present on the endpoint before installing the Wazuh agent, you don't need to perform the below steps. The configuration will be added by default:
  • Add the configuration below to the Wazuh agent configuration file /var/ossec/etc/ossec.conf. This configures Wazuh to read the audit log file and process what the Linux Audit system detects:
       <localfile>
           <log_format>audit</log_format>
           <location>/var/log/audit/audit.log</location>
       </localfile>


Restart the Wazuh agent to apply the changes:
systemctl restart wazuh-agent

Create proper audit rules using the auditctl command or the audit rules file. You can use the below use cases as guide:
Linux audit alerts are displayed in the Security Events and System Auditing tab of the Wazuh dashboard.

I'm also attaching some links below which should guide you further:
I hope this was helpful. Do not hesitate to get back to us in case you have any other query.

Best regards.
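The manager-side CDB list edit, the agent-side localfile block and the audit-rule step described in the reply above, as an added example in POSIX shell that is not part of this thread or of Wazuh's own tooling. The function names (add_audit_key, audit_key_value, has_audit_localfile, ensure_audit_localfile, audit_watch_rule) are hypothetical. Each function takes the file it works on as a parameter, and the walk-through at the end runs on scratch copies, so nothing under /var/ossec changes until you pass the real paths.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): repeatable helpers for
# the CDB-list and agent-side steps. On a real host the paths are
# /var/ossec/etc/lists/audit-keys (manager) and /var/ossec/etc/ossec.conf
# (agent); the functions below accept any path so they can be tried first.

# Append "<key>:<value>" to a CDB list only when the key is absent. A blind
# `echo >> audit-keys` adds a duplicate entry every time it is re-run; this
# returns 1 and leaves the file untouched in that case. Keys are plain words.
add_audit_key() {
    list="$1"; key="$2"; value="$3"
    if grep -q "^${key}:" "$list" 2>/dev/null; then
        return 1
    fi
    printf '%s:%s\n' "$key" "$value" >> "$list"
}

# Print the value mapped to a key in the list (empty output if unknown).
audit_key_value() {
    grep "^${1}:" "$2" 2>/dev/null | head -n 1 | cut -d: -f2-
}

# Return 0 if the configuration already reads /var/log/audit/audit.log with
# log_format "audit" (the block the reply says to add when it is missing).
has_audit_localfile() {
    tr -d '\n' < "$1" | grep -q \
      '<localfile>[[:space:]]*<log_format>audit</log_format>[[:space:]]*<location>/var/log/audit/audit.log</location>[[:space:]]*</localfile>'
}

# Add that block when it is missing. It goes into its own <ossec_config>
# section appended to the file; Wazuh reads all sections of the file.
ensure_audit_localfile() {
    conf="$1"
    if has_audit_localfile "$conf"; then
        return 0
    fi
    cat >> "$conf" <<'EOF'

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>
</ossec_config>
EOF
}

# Print an auditd watch rule (-w PATH -p PERMS -k KEY) for a rules file, but
# only if KEY exists in the CDB list: the Wazuh rules that classify audit
# events as write/read/attribute/execute/command look the key up there.
audit_watch_rule() {
    path="$1"; perms="$2"; key="$3"; list="$4"
    if ! grep -q "^${key}:" "$list" 2>/dev/null; then
        echo "key '$key' not in $list; add it with add_audit_key first" >&2
        return 1
    fi
    printf '%s %s -p %s -k %s\n' -w "$path" "$perms" "$key"
}

# Walk-through on scratch copies. The two-entry list is a constructed sample
# in the list's "key:value" format; nothing under /var/ossec is touched.
demo_dir=$(mktemp -d)
printf 'audit-wazuh-w:write\naudit-wazuh-r:read\n' > "$demo_dir/audit-keys"
add_audit_key "$demo_dir/audit-keys" audit-example-x execute
printf '<ossec_config>\n</ossec_config>\n' > "$demo_dir/ossec.conf"
ensure_audit_localfile "$demo_dir/ossec.conf"
audit_watch_rule /etc/passwd wa audit-wazuh-w "$demo_dir/audit-keys"
rm -rf "$demo_dir"
```

On a real host, call add_audit_key against /var/ossec/etc/lists/audit-keys on the manager and restart wazuh-manager, call ensure_audit_localfile against /var/ossec/etc/ossec.conf on the agent and restart wazuh-agent, then write the output of audit_watch_rule into a file under /etc/audit/rules.d/ and reload the rules, exactly as the reply describes.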

Muhammad Kamran

Sep 19, 2023, 6:16:06 AM
to Wazuh | Mailing List
Hi,
Thanks for the support.

I have done all the things, but still system audit or security events are not shown on the dashboard. Please help me to configure it if there is any configuration needed in a YML file or in the ossec.conf config file. Here is the ossec.conf file below; check it and guide me.

[root@sapt-wazhu ~]# more /var/ossec/etc/ossec.conf
<!--
  Wazuh - Manager - Default configuration for rhel 8.3
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>6</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>21600</frequency>

    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/rootcheck/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/rootcheck/cis_rhel7_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/rootcheck/cis_rhel6_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/rootcheck/cis_rhel5_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/audit_test.txt</system_audit>
    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>


  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>no</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>no</enabled>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>no</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- SUSE OS vulnerabilities -->
    <provider name="suse">
      <enabled>no</enabled>
      <os>11-server</os>
      <os>11-desktop</os>
      <os>12-server</os>
      <os>12-desktop</os>
      <os>15-server</os>
      <os>15-desktop</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database Output for Mysqld -->
    <database_output>
      <hostname>10.10.90.55</hostname>
      <username>MySQLadmin</username>
      <password>Mkqmsit_1978</password>
      <database>Alerts_DB</database>
      <type>log</type>
    </database_output>


    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Active response -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>10.10.50.51</white_list>
    <white_list>10.10.50.52</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <active-response>
    active-response options here
  </active-response>
  -->

  <!-- Log analysis -->
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 20</command>
    <frequency>360</frequency>
  </localfile>

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <rule_test>
    <enabled>yes</enabled>
    <threads>1</threads>
    <max_sessions>64</max_sessions>
    <session_timeout>15m</session_timeout>
  </rule_test>

  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
        <node>NODE_IP</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>yes</disabled>
  </cluster>

</ossec_config>

<ossec_config>

  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

</ossec_config>
[root@sapt-wazhu ~]#
[root@sapt-wazhu ~]# systemctl status wazuh-manager.service
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:25:07 PKT; 5 days ago
    Tasks: 133 (limit: 49020)
   Memory: 282.1M
   CGroup: /system.slice/wazuh-manager.service
           ├─2517 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2639 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2642 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py
           ├─2671 /var/ossec/bin/wazuh-authd
           ├─2681 /var/ossec/bin/wazuh-db
           ├─2773 /var/ossec/bin/wazuh-execd
           ├─2788 /var/ossec/bin/wazuh-analysisd
           ├─2804 /var/ossec/bin/wazuh-syscheckd
           ├─2818 /var/ossec/bin/wazuh-remoted
           ├─2856 /var/ossec/bin/wazuh-logcollector
           ├─2879 /var/ossec/bin/wazuh-monitord
           └─2890 /var/ossec/bin/wazuh-modulesd

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@sapt-wazhu ~]# systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
   Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; vendor preset: disabled)
   Active: active (running) (thawing) since Thu 2023-09-14 16:51:34 PKT; 4 days ago
     Docs: https://documentation.wazuh.com
 Main PID: 368924 (java)
    Tasks: 112 (limit: 49020)
   Memory: 2.6G
   CGroup: /system.slice/wazuh-indexer.service
           └─368924 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 >

Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at org.opensearch.jobscheduler.sweeper.JobSweeper.lambda$initBackgroundSweep$10(JobSweeper.java:294)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at org.opensearch.threadpool.Scheduler$ReschedulingRunnable.doRun(Scheduler.java:239)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:806)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
Sep 19 00:01:34 sapt-wazhu systemd-entrypoint[368924]:         at java.base/java.lang.Thread.run(Thread.java:833)
[root@sapt-wazhu ~]# systemctl status wazuh-dashbaord
Unit wazuh-dashbaord.service could not be found.
[root@sapt-wazhu ~]# systemctl status wazuh-dashboard.service
● wazuh-dashboard.service - wazuh-dashboard
   Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-09-13 16:28:28 PKT; 5 days ago
 Main PID: 1062 (node)
    Tasks: 11 (limit: 49020)
   Memory: 114.0M
   CGroup: /system.slice/wazuh-dashboard.service
           └─1062 /usr/share/wazuh-dashboard/bin/../node/bin/node --no-warnings --max-http-header-size=65536 --unhandled-rejections=warn /usr/share/wazuh-dashboard/bin/../src/cli/dist -c /etc/wazuh-dashboard/opensearch_dashboards.yml

Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:35Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/internal/search/opensearch","method":"post","headers":{">
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:35Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/internal/search/opensearch","method":"post","headers":{">
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/internal/search/opensearch","method":"post","headers":{">
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"get","statusCode":200,"req":{"url":"/ui/default_branding/home.svg","method":"get","headers":{">
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"get","statusCode":200,"req":{"url":"/elastic/samplealerts","method":"get","headers":{"host":"1>
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/elastic/alerts","method":"post","headers":{"host":"10.10>
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/elastic/alerts","method":"post","headers":{"host":"10.10>
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/elastic/alerts","method":"post","headers":{"host":"10.10>
Sep 18 13:12:36 sapt-wazhu opensearch-dashboards[1062]: {"type":"response","@timestamp":"2023-09-18T08:12:36Z","tags":[],"pid":1062,"method":"post","statusCode":200,"req":{"url":"/elastic/alerts","method":"post","headers":{"host":"10.10>
Sep 19 05:00:02 sapt-wazhu opensearch-dashboards[1062]: {"type":"log","@timestamp":"2023-09-19T00:00:02Z","tags":["error","opensearch","data"],"pid":1062,"message":"[resource_already_exists_exception]: index [wazuh-statistics-2023.09.19>
[root@sapt-wazhu ~]#

Olusegun Adenrele Oyebo

Sep 22, 2023, 10:12:20 AM
to Wazuh | Mailing List
Dear Muhammad,

Thanks for reaching out again.

Your ossec.conf file seems to look okay. Can you check your /var/ossec/logs/alerts/alerts.log file and confirm that alerts are generated and written to it?

Also run the below commands on your Wazuh environment:
  • curl https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-* -u <wazuh_indexer_user>:<wazuh_indexer_password> -k
            replace <WAZUH_INDEXER_IP> with the IP address of your Wazuh indexer, <wazuh_indexer_user> with wazuh indexer username and <wazuh_indexer_password> with the wazuh indexer user password. The above command is to check if there are alerts in the wazuh indexer.
  • filebeat test output
  • cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
  • cat /var/log/filebeat/filebeat | grep -i -E "error|warn"
  • cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
  • journalctl -u wazuh-dashboard
  • cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log | grep -i -E "error|warn"
You can also look through this link for other troubleshooting steps.

Will be expecting your feedback so as to assist you further.

Best regards.
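The checks in the reply above, as an added example in POSIX shell that is not part of the thread or of Wazuh's own tooling. It reads `_cat/indices/wazuh-alerts-*` output and reports whether any alerts index actually holds documents (an index can exist and still be empty, which looks the same on the dashboard), and counts the error/warn lines in each log file the reply lists. The function names, the environment variables WAZUH_INDEXER_IP, WAZUH_INDEXER_USER and WAZUH_INDEXER_PASSWORD, and the sample `_cat` output are all constructed for this example; the commands that talk to a real indexer and to filebeat run only when the script is invoked with --live on the Wazuh server.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): offline parsing of the
# outputs the reply asks for, plus a guarded "live" mode that runs the real
# commands on the Wazuh server.

# Summarise `_cat/indices/wazuh-alerts-*` output read from stdin. Columns
# are: health status index uuid pri rep docs.count docs.deleted store.size
# pri.store.size (a "health ..." header line appears when ?v is used).
# Prints "<index> <docs.count>" per alerts index; returns 0 only if at least
# one alerts index holds documents.
alerts_index_summary() {
    awk '
        $1 == "health" { next }
        $3 ~ /^wazuh-alerts-/ { print $3, $7; if ($7 + 0 > 0) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Count lines matching the reply's `grep -i -E "error|warn"` in one log file
# and print "<count> <file>" ("missing <file>" if it cannot be read).
log_problem_count() {
    f="$1"
    if [ -r "$f" ]; then
        printf '%s %s\n' "$(grep -c -i -E 'error|warn' "$f" || true)" "$f"
    else
        printf '%s %s\n' missing "$f"
    fi
}

# The real checks, run on the Wazuh server. Connection details come from the
# environment; the default admin user is assumed only when none is given.
live_checks() {
    ip="${WAZUH_INDEXER_IP:?set WAZUH_INDEXER_IP}"
    user="${WAZUH_INDEXER_USER:-admin}"
    pass="${WAZUH_INDEXER_PASSWORD:?set WAZUH_INDEXER_PASSWORD}"
    echo "== alerts indices on $ip"
    curl -s -k -u "$user:$pass" "https://$ip:9200/_cat/indices/wazuh-alerts-*" \
        | alerts_index_summary \
        || echo "no documents in any wazuh-alerts-* index: check filebeat and alerts.log"
    echo "== filebeat output"
    filebeat test output
    echo "== error/warn counts"
    for f in /var/log/wazuh-indexer/wazuh-cluster.log /var/log/filebeat/filebeat \
             /var/ossec/logs/ossec.log \
             /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log; do
        log_problem_count "$f"
    done
}

# Constructed sample of `_cat/indices` output (names, uuids and counts are
# made up): one populated alerts index, one empty, one non-alerts index.
SAMPLE_INDICES='green open wazuh-alerts-4.x-2023.09.18 aaaaaaaaaaaaaaaaaaaaaa 3 0 1523 0 1.2mb 1.2mb
green open wazuh-alerts-4.x-2023.09.19 bbbbbbbbbbbbbbbbbbbbbb 3 0 0 0 208b 208b
green open wazuh-statistics-2023.09.19 cccccccccccccccccccccc 1 0 42 0 90kb 90kb'

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_INDICES" | alerts_index_summary
fi
```

If alerts_index_summary reports indices but every docs.count is 0, the indexer is reachable and the template exists but nothing is being shipped, so the next place to look is `filebeat test output` and /var/log/filebeat/filebeat; if alerts.log on the manager is also empty, the problem is upstream of filebeat, in agent connectivity or rule matching.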

Muhammad Kamran

Oct 4, 2023, 1:46:34 AM
to Wazuh | Mailing List
Hi,
Thanks for the guide, and I need one more favour. I have installed Wazuh-Manager, Wazuh-Index and Wazuh-Dashboard, but how can I create or set the user of the Index? Please guide me so that I can do it and check it. As you told me to check the alert log, I have checked one of my agents' logs in the alert log, but the other steps I cannot do because I have no user id and password for the Index.

Olusegun Adenrele Oyebo

Oct 5, 2023, 3:36:58 AM
to Wazuh | Mailing List
Hello Muhammad,

Trust you're doing well.

The <wazuh_indexer_user> is replaced with your default admin user while your <wazuh_indexer_password> is replaced with your password. By default the password is also admin, but for security reasons we advise that you change the default password. You don't need to create another user to confirm that alerts are generated. Also please note that you're to run the command curl https://<WAZUH_INDEXER_IP>:9200/_cat/indices/wazuh-alerts-* -u <wazuh_indexer_user>:<wazuh_indexer_password> -k on your Wazuh server.

I hope this answers your question. Kindly reach out again if you have any other query.

Best regards.

Olusegun Adenrele Oyebo

Oct 19, 2023, 4:14:31 AM
to Wazuh | Mailing List
Hello Muhammad,

Just checking up on this query to know if you'll still need further assistance.

Do not hesitate to reach out again if you still need any other thing.

Best regards
