Wazuh 3.12-Suricata-Filebeat Problem

[serano...@gmail.com]

Hi All

I've a Wazuh 3.12 Manager and i've recently configured a Owlh node to collect Suricata Logs.

Log are correctly visible on Kibana if i use this structure:

Wazuh - Filebeat - Logstash - Elastic - Kibana

Now, i want to remove logstash from the configuration, so i've edited filebeat outlput like this:

# Wazuh - Filebeat configuration file

filebeat.modules:

  - module: wazuh

    alerts:

      enabled: true

    archives:

      enabled: false

setup.template.json.enabled: true

setup.template.json.path: '/etc/filebeat/wazuh-template.json'

setup.template.json.name: 'wazuh'

setup.template.overwrite: true

setup.ilm.enabled: false

output.elasticsearch.hosts: ['http://127.0.0.1:9200']

Once i restart filebeat i can see all logs coming on kibana except for Suricata/owlh log.

What i'm doing wrong?

Have a nice day.

[Jose Antonio Izquierdo]

Hi 

With OwlH configuration if you want to ingest logs from Zeek you should have the OwlH - filebeat module installed check that doc https://documentation.owlh.net/en/0.17.0/main/OwlH-node-elk.html

About suricata, alerts should be present on wazuh alerts.json file. can you see suricata alerts in your /var/ossec/logs/alerts/alerts.json? 

If so, then should be ready in your kibana. 

I can see you are using filebeat. your flow I think did change, wazuh-filebeat-elastic-kibana logstash is not in the middle anymore. 

Do you have wazuh 3.12 version ? didn't it upgrade to 4.x version? with 4.x version in place you may have some OwlH dashboards issues. Please let us know if you are facing any issue about dashboards for suricata alerts

Thanks 

Jose

[Stefano Serano]

Hi Jose

Sorry for late reply, i was on holiday.

A little recap:

1- Logs from suricata node correctly arrived to Wazuh, i can see them on alert.json file using "tail command"

2- if i maintain this configuration: wazuh-filebeat-logstash-elastic-kibana i can see logs anywhere on kibana(Dashboard, Discover, Wazuh agent page.

3- if i change the configuration to:  wazuh-filebeat-elastic-kibana, i can still see the logs in the alert.json file, but they are not present in Kibana-----> I've discover the cause, but i don't know how to solve:

Before my try to remove logstash form configuration, i've tried to move all my custom filters from logstash configuration to wazuh filebeat pipeline, and here the problem: if i use the default wazuh pipeline all suricata logs come correctly to Kibana, if i try to configure my custom filters in the pipeline, all suricata logs(and i think even more others) stop coming to kibana.

May i ask you what i've miss in the pipeline configuration? i attach to this mail my custom pipeline.

Have a nice day.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/PcMzmskxEAg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/143b5415-8726-4136-83d7-495cf552d4a2n%40googlegroups.com.

[Jose Antonio Izquierdo]

Hi Stefano

I did use your pipeline, and I can find my suricata alerts in kibana as expected. It doesn't seems to be a pipeline issues. 

Any other possible reason? maybe time or any other filter? 

Thanks