How to integrate Cowdstrike with wazuh

606 views

Skip to first unread message

Operation Consultant

unread,

Dec 1, 2022, 12:39:08 PM12/1/22

to Wazuh mailing list

How to integrate Cowdstrike with wazuh

Anthony Faruna

unread,

Dec 1, 2022, 1:07:08 PM12/1/22

to Operation Consultant, Wazuh mailing list

Hello,

Thank you for using Wazuh

The main configuration from Wazuh perspective is collecting the logs from the crowdstrike file (assuming the location is /var/log/crowdstrike/falconhoseclient/output ) using :

  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>/var/log/crowdstrike/falconhoseclient/output</location>
    <multiline_regex replace="wspace">^{</multiline_regex>
  </localfile>

Then you might need to create custom decoders/rules similar to the ones mentioned in https://github.com/wazuh/wazuh/issues/8129#issuecomment-997102106 if the format of the received logs is different.

I hope this answers your question

Best Regards

On Thu, Dec 1, 2022 at 6:39 PM Operation Consultant <operation.c...@gmail.com> wrote:

How to integrate Cowdstrike with wazuh

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9fbbc804-7016-4975-999f-110d1a93cbe3n%40googlegroups.com.

Reply all

Reply to author

Forward

0 new messages