How to integrate CrowdStrike with Wazuh


Operation Consultant

Dec 1, 2022, 12:39:08 PM
to Wazuh mailing list
How to integrate CrowdStrike with Wazuh

Anthony Faruna

Dec 1, 2022, 1:07:08 PM
to Operation Consultant, Wazuh mailing list
Hello,

Thank you for using Wazuh

The main configuration from Wazuh's perspective is collecting the logs from the CrowdStrike file (assuming the location is /var/log/crowdstrike/falconhoseclient/output) using:
  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>/var/log/crowdstrike/falconhoseclient/output</location>
    <multiline_regex replace="wspace">^{</multiline_regex>
  </localfile>
Then you might need to create custom decoders/rules similar to the ones mentioned in https://github.com/wazuh/wazuh/issues/8129#issuecomment-997102106 if the format of the received logs is different.

I hope this answers your question.

Best Regards

On Thu, Dec 1, 2022 at 6:39 PM Operation Consultant <operation.c...@gmail.com> wrote:
How to integrate CrowdStrike with Wazuh
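
As an added illustration (not code from this thread or from Wazuh), the Python below mimics what that localfile block does to the connector output: every line matching ^{ starts a new record and the newlines inside a record are replaced by a space (replace="wspace"), so each pretty-printed JSON object becomes one line the JSON decoder can parse, after which a rule-like severity filter is applied. The sample events and their field names are constructed for the demo and are not a statement about the real connector schema.

```python
import json
import re
from typing import Iterator, List

# A new record starts at a line matching ^{ (match="start" semantics); the
# newlines inside one record become a single space (replace="wspace").
START = re.compile(r"^\{")

def assemble_records(text: str) -> Iterator[str]:
    """Join each pretty-printed JSON object into a single-line record."""
    buf: List[str] = []
    for line in text.splitlines():
        starts = START.match(line) is not None
        if starts and buf:            # previous record is complete
            yield " ".join(buf)
            buf = []
        if starts or buf:             # ignore stray lines before the first {
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def decode_events(text: str) -> List[dict]:
    """Parse assembled records, skipping any that are not valid JSON."""
    events = []
    for record in assemble_records(text):
        try:
            events.append(json.loads(record))
        except json.JSONDecodeError:
            continue  # a truncated record must not stop the whole file
    return events

def high_severity_hosts(events: List[dict], threshold: int = 3) -> List[str]:
    """Hostnames of events whose Severity meets the threshold (rule-like filter)."""
    return [e.get("event", {}).get("ComputerName", "unknown")
            for e in events
            if e.get("event", {}).get("Severity", 0) >= threshold]

# Constructed sample: two pretty-printed events. Field names are placeholders
# chosen for the demo, not a description of the real connector schema.
SAMPLE = """{
  "metadata": {"eventType": "DetectionSummaryEvent", "offset": 101},
  "event": {"Severity": 4, "ComputerName": "host-a"}
}
{
  "metadata": {"eventType": "UserActivityAuditEvent", "offset": 102},
  "event": {"Severity": 1, "ComputerName": "host-b"}
}
"""
```

Running decode_events(SAMPLE) yields two dicts, and high_severity_hosts on them returns only "host-a"; a malformed record is skipped rather than aborting the whole file.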
