No Data Displayed on Kibana- Policy Monitoring, System Auditing


Prachi Katakwar

Apr 28, 2020, 7:53:19 AM
to Wazuh mailing list

Hi Team,

 

Firstly, thanks as always for helping us out.

Just 2 weeks back, I installed the Wazuh infrastructure, version 3.12.2, on a single server (CentOS 8) and installed agents on 2 Windows machines (both Windows Server 2016). The communication between agent and Wazuh is OK:

Versions of components:

  • wazuh - 3.12.2
  • es_version - 7.6.2
  • logstash version - 7.6.2
  • Kibana - 7.6.2

My doubt is that I am not able to see any data in Policy Monitoring or System Auditing. Is it fine, or am I missing something?

Actually I just want to be sure that the base of Wazuh is strong before I start installing the Wazuh agent on the machines (40-50).

System Auditing

But, if I select the agent and click on SCA, I get the following result:

But again, if I select the agent and click on Policy Monitoring, no data is reflected.

Please guide me.

 

Best Regards,

Prachi Katakwar

 

 

Blason R

Apr 28, 2020, 9:15:57 AM
to Prachi Katakwar, Wazuh mailing list
Run powershell.exe and this should fire some alerts. Or have you configured all logs in manager settings? By default this would flag only alerts and not all the logs.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/DB8PR07MB6473C7D64DF3DBA1A71CCFF396AC0%40DB8PR07MB6473.eurprd07.prod.outlook.com.

Prachi Katakwar

Apr 28, 2020, 9:28:19 AM
to Blason R, Wazuh mailing list

Hi Blason,

Thank you for responding, but I didn’t get you.

Where do I have to run powershell.exe?

Have to configure all logs in manager settings? I didn’t get you.

Actually I am unable to see anything on Policy Monitoring. This is how my overview looks:

Now, if I click on Policy Monitoring, nothing is displayed, either on Policy Monitoring or System Auditing.

Now, if I select any one of my Windows agents and click on Policy Monitoring, I can't see any data:

Whereas, if I click on SCA with my agent selected, I can see a graph of the agent.

 

 

Best Regards,

Prachi Katakwar

prachi katakwar

Apr 28, 2020, 12:13:18 PM
to Prachi Katakwar, Blason R, Wazuh mailing list
Can someone please help on this?

Juan Carlos

Apr 28, 2020, 3:01:11 PM
to Wazuh mailing list
Hi Prachi,
The policy monitoring dashboard filters by the rootcheck group of rules.

All of the rules provided by default in the Wazuh ruleset for this group can be found here:

Aside from the detection of system anomalies (rootkits and trojans), vulnerable web applications and malware, in that dashboard you may see the result of Windows Audit events.

As Blason mentions, a valid use for this is monitoring the usage of some software in Windows, for example PowerShell.

You may for example edit, on the manager, the /var/ossec/etc/shared/default/win_applications_rcl.txt file to include at the end:
[PowerShell {PCI_DSS: 10.6.1}] [any] []
p:powershell.exe;

This will monitor to see if the powershell process is running.
By default this will trigger rule 514, which has level 2:

In order to visualize this you may either change the rule's level (for example, as shown here), create a special rule for the applications you wish to monitor, or lower the <log_alert_level> value at the beginning of your Wazuh manager's configuration file.

You may also enable the Windows audit policy checks on rootcheck by adding <windows_audit>./shared/win_audit_rcl.txt</windows_audit> to the <rootcheck> section of your agent's configuration.
If your system fails any of the checks provided there you should see visualizations like this:

PolicyMonitoring.png



It is worth mentioning however that since Wazuh version 3.9.0 the SCA module provides the capabilities of the Rootcheck module and its policies are more actively maintained.

I hope this helps,
Juan Carlos Tello
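The rootcheck RCL entry Juan describes above is easy to get wrong by hand (the mail archive itself shows the `p:powershell.exe;` check split across two lines), so here is an added example, written for this thread and not part of Wazuh's own code, that parses and validates `*_rcl.txt` entries before you push them to agents. It assumes the RCL grammar documented for OSSEC/Wazuh rootcheck: a header `[Name {refs}] [condition] [reference]` followed by check lines `[!]f|d|p|r:<target>;` (file, directory, process, registry). The function and class names (`parse_rcl`, `Entry`, `Check`, `render`, `monitored_processes`) and the two sample inputs `GOOD_RCL` / `SPLIT_RCL` are mine and constructed for the example.

```python
"""Parse and validate Wazuh/OSSEC rootcheck RCL policy files (*_rcl.txt).

Added example, not Wazuh's own code. Assumed grammar:
    [Name {refs}] [any|all|any required|all required] [reference]
    [!]<f|d|p|r>:<target>;      one or more check lines per header
where f = file, d = directory, p = process, r = registry key.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^\[(?P<name>[^\]]+)\]\s*\[(?P<cond>[^\]]*)\]\s*\[(?P<ref>[^\]]*)\]\s*$"
)
CHECK_RE = re.compile(r"^(?P<neg>!?)(?P<type>[fdpr]):(?P<target>.+?);$")
VALID_CONDITIONS = {"any", "all", "any required", "all required"}


@dataclass
class Check:
    kind: str        # one of f, d, p, r
    target: str
    negated: bool


@dataclass
class Entry:
    name: str
    condition: str
    reference: str
    checks: list = field(default_factory=list)


def parse_rcl(text):
    """Return (entries, errors); errors are 'line N: reason' strings."""
    entries, errors, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("$"):
            continue  # blank line, comment, or a $variable definition
        m = HEADER_RE.match(line)
        if m:
            cond = m.group("cond").strip()
            if cond not in VALID_CONDITIONS:
                errors.append(f"line {lineno}: unknown condition {cond!r}")
            current = Entry(m.group("name").strip(), cond, m.group("ref").strip())
            entries.append(current)
            continue
        m = CHECK_RE.match(line)
        if m and current is not None:
            current.checks.append(
                Check(m.group("type"), m.group("target"), m.group("neg") == "!")
            )
            continue
        # A bare "p" or a line starting with ":" lands here: the check was split.
        errors.append(f"line {lineno}: malformed line {line!r}")
    for e in entries:
        if not e.checks:
            errors.append(f"entry {e.name!r} has no checks")
    return entries, errors


def monitored_processes(entries):
    """Process names that the entries' positive p: checks look for."""
    return sorted({c.target for e in entries for c in e.checks
                   if c.kind == "p" and not c.negated})


def render(entries):
    """Write entries back out in canonical RCL form."""
    out = []
    for e in entries:
        out.append(f"[{e.name}] [{e.condition}] [{e.reference}]")
        for c in e.checks:
            out.append(f"{'!' if c.negated else ''}{c.kind}:{c.target};")
        out.append("")
    return "\n".join(out)


# Constructed inputs: the entry from the thread, and the same entry with the
# check line broken in two, as it appears in the mail archive.
GOOD_RCL = "[PowerShell {PCI_DSS: 10.6.1}] [any] []\np:powershell.exe;\n"
SPLIT_RCL = "[PowerShell {PCI_DSS: 10.6.1}] [any] []\np\n:powershell.exe;\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_RCL), ("split", SPLIT_RCL)):
        entries, errors = parse_rcl(text)
        print(label, "->", monitored_processes(entries), errors)
```

Run it against a copy of `win_applications_rcl.txt` after editing; an empty error list and the expected process name in `monitored_processes` tell you the entry is in the form rootcheck expects before the file is distributed to agents.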

Prachi Katakwar

Apr 29, 2020, 6:15:57 AM
to Juan Carlos, Wazuh mailing list

Hi Juan,

 

You are really great and techie.

 

It worked for me. Below is the data now displayed on Policy Monitoring, but now again the issue is that I can only see the data if I expand the time range to the last 24 hours. If I shorten my time range to 15 mins, 30 mins or 1 hour, then no data is displayed. Is there a problem with Elasticsearch? I also got the error in error.png for some time, only while I was changing the time range.

Time range expanded to last 24 hours

I have done the following changes:

  • You may for example edit, on the manager, the /var/ossec/etc/shared/default/win_applications_rcl.txt file to include at the end:

[PowerShell {PCI_DSS: 10.6.1}] [any] []
p:powershell.exe;

  • You may also enable the Windows audit policy checks on rootcheck by adding <windows_audit>./shared/win_audit_rcl.txt</windows_audit> to the <rootcheck> section of your agent's configuration

 

Best Regards,

Prachi Katakwar

 

 

 

 


error.PNG

Blason R

Apr 29, 2020, 6:19:35 AM
to Prachi Katakwar, Juan Carlos, Wazuh mailing list
Hi Prachi,

What exactly is the use case you are trying to address?

Prachi Katakwar

Apr 29, 2020, 6:31:41 AM
to Blason R, Juan Carlos, Wazuh mailing list

Hi Blason,

 

I am extremely new to Wazuh and Linux systems; just a few days back I did the setup following the documentation and installed agents on 2 Windows machines.

Just want to make sure that my setup is all good: Wazuh, Elasticsearch, Logstash and Kibana should all be running fine.

I should be able to see the visualizations and graphics at each of the tabs (Security Events, File Integrity, Policy Monitoring as well as Regulatory Compliance).

Since I was not able to see data in Policy Monitoring or System Auditing, I opened the thread, and now it's like for a shorter time range (15 mins, 30 mins, 1 hour) the data is not displayed on Policy Monitoring, and if I expand the time range the data is displayed.

So I am a bit confused whether my setup so far is working or not.

Are you able to understand my doubts, Blason?

 

Best Regards,

Prachi Katakwar

 


Blason R

Apr 29, 2020, 7:01:42 AM
to Prachi Katakwar, Juan Carlos, Wazuh mailing list
Well, by default only when a rule is hit will it reflect in the Wazuh app, not all the data.
In order to see all the logs at Elastic, you should replace every level 0 alert by a value greater than or equal to 3. You can do it by just running the next command:

This is what I did with Sysmon for logging all the traffic.
sed -i 's/level="0"/level="3"/g' /var/ossec/ruleset/rules/0595-win-sysmon_rules.xml

Refer to this
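Blason's sed rewrites every level 0 rule in the Sysmon ruleset, and Juan's earlier reply names the two other knobs, the manager's <log_alert_level> and a dedicated rule of your own. The added example below (my code, not Wazuh's) shows how those fit together: it reads the threshold from an ossec.conf fragment, lists which rules in a rules file sit below it and so match without ever producing an alert, counts what a blanket level rewrite would touch, and builds a local_rules.xml child rule that raises the level for one case while leaving the shipped ruleset alone. The rule IDs, event IDs and descriptions in SAMPLE_RULES and the SAMPLE_CONF fragment are constructed for the example (they are not the contents of 0595-win-sysmon_rules.xml); only rule 514 comes from the thread, and the `<match>PowerShell</match>` text assumes the rootcheck event carries the RCL entry name.

```python
"""Relate Wazuh rule levels to the manager's <log_alert_level>.

Added example, not Wazuh's own code. A matched rule is written to
alerts.json (and so reaches Kibana) only when its level is at or above the
manager's <log_alert_level>. Rule IDs, event IDs and descriptions below are
constructed; only rule 514 is taken from the thread.
"""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of a Wazuh rules file (not the real
# 0595-win-sysmon_rules.xml).
SAMPLE_RULES = """\
<group name="windows,sysmon,">
  <rule id="100001" level="0">
    <field name="win.system.eventID">^1$</field>
    <description>Sysmon - Event 1: Process creation</description>
  </rule>
  <rule id="100002" level="0">
    <field name="win.system.eventID">^3$</field>
    <description>Sysmon - Event 3: Network connection</description>
  </rule>
  <rule id="100003" level="3">
    <field name="win.system.eventID">^8$</field>
    <description>Sysmon - Event 8: CreateRemoteThread</description>
  </rule>
  <rule id="100004" level="7">
    <if_sid>100001</if_sid>
    <field name="win.eventdata.image">powershell.exe</field>
    <description>PowerShell process created</description>
  </rule>
</group>
"""

# Constructed ossec.conf fragment. The real file holds several top-level
# <ossec_config> blocks, so it is wrapped in a dummy root before parsing.
SAMPLE_CONF = """\
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
<ossec_config>
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
  </rootcheck>
</ossec_config>
"""


def log_alert_level(conf_text):
    """Return the configured <log_alert_level> from ossec.conf text."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    node = root.find("./ossec_config/alerts/log_alert_level")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <log_alert_level> in configuration")
    return int(node.text.strip())


def silent_rules(rules_text, threshold):
    """Rules whose level is below threshold: they match but never alert."""
    root = ET.fromstring(rules_text)
    return [
        (r.get("id"), int(r.get("level", "0")), r.findtext("description", ""))
        for r in root.iter("rule")
        if int(r.get("level", "0")) < threshold
    ]


def count_level(rules_text, level):
    """How many rules a blanket rewrite of one level (like the sed) would touch."""
    root = ET.fromstring(rules_text)
    return sum(1 for r in root.iter("rule") if r.get("level") == str(level))


def local_child_rule(parent_id, new_id, level, description, match=None):
    """Build a local_rules.xml rule that fires after parent_id at a higher
    level, optionally only when the event text matches `match`. The shipped
    ruleset is left untouched."""
    group = ET.Element("group", name="local,")
    rule = ET.SubElement(group, "rule", id=str(new_id), level=str(level))
    ET.SubElement(rule, "if_sid").text = str(parent_id)
    if match:
        ET.SubElement(rule, "match").text = match
    ET.SubElement(rule, "description").text = description
    return ET.tostring(group, encoding="unicode")


if __name__ == "__main__":
    threshold = log_alert_level(SAMPLE_CONF)
    print(f"log_alert_level = {threshold}")
    for rid, lvl, desc in silent_rules(SAMPLE_RULES, threshold):
        print(f"rule {rid} (level {lvl}) never alerts: {desc}")
    print(f"{count_level(SAMPLE_RULES, 0)} rule(s) at level 0 would be rewritten")
    # Assumption: rootcheck's event for the RCL entry contains "PowerShell".
    print(local_child_rule(514, 100100, 5, "PowerShell found by rootcheck",
                           match="PowerShell"))
```

Point `silent_rules` at a real rules file and `log_alert_level` at your manager's ossec.conf to see which matches are being dropped before deciding whether to lower the threshold, add a child rule in local_rules.xml, or accept that the dashboard stays empty for that category.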
 

Prachi Katakwar

Apr 29, 2020, 8:24:16 AM
to Blason R, Juan Carlos, Wazuh mailing list

Hi Blason/Juan,

Thank you for the response.

In order to see all the logs at Elastic, you should replace every level 0 alert by a value greater than or equal to 3. You can do it by just running the next command:

This I can do in ossec.conf as well, by setting the log alert level to 0.

Please help me to clear my understanding for the following:

  • Security Events on the Kibana app are displayed continuously irrespective of time stamp. As soon as the Wazuh agent is installed, the security events will start showing the rule ID hits for that agent by default.
  • Integrity Monitoring works on rule checks (syscheck); we need to create rules.
  • Policy Monitoring works on rule checks (like the powershell one we did in the morning, and since now no rule is hit, no data is displayed); it’s like we need to create rules.
  • System Auditing again, it seems, works on rule checks; we need to create rules.
  • Then comes Regulatory Compliance (PCI DSS, GDPR, HIPAA, NIST 800-53); here also the data is displayed continuously irrespective of time stamp by default.
  • Threat detection and response again works on rules, that is, we need to create rules and only then is the data displayed, when the rule is hit.

Is my understanding correct or wrong? Please guide and suggest.

Actually this is what I can understand from the Kibana dashboard after installing the Wazuh agent on Windows Server. This is how my dashboard is responding.

Juan Carlos

Apr 29, 2020, 4:35:57 PM
to Wazuh mailing list
Hi Prachi,
To answer your initial question, yes, it is OK to have a dashboard with no events if you are not using the feature that will generate events in that category.
Changing the default rules' levels is not recommended.
Judging from your screenshots your Wazuh installation is working correctly.

Let us know if you have any other questions,
Best Regards,
Juan Carlos Tello

prachi katakwar

Apr 29, 2020, 4:36:29 PM
to Prachi Katakwar, Blason R, Juan Carlos, Wazuh mailing list
Please help me on this to clear the understanding.

Prachi Katakwar

Apr 30, 2020, 3:23:31 AM
to Juan Carlos, Wazuh mailing list

Hi Juan,

 

Good morning.

It is so nice to see your email saying the Wazuh installation is working correctly.

Thank you for the guidance and support.

As of now, you have cleared my doubts related to the dashboard and events, and I will continue with my automatic script for Wazuh agent installation.

 

Thanks a ton to you.

 

Best Regards,

Prachi Katakwar

 

 

 

