Integrating Seqrite with Wazuh


abhi

Sep 18, 2024, 5:11:41 AM
to Wazuh | Mailing List
Hi Team,

I need some assistance in integrating Seqrite with Wazuh.

Lamya Imam

Sep 18, 2024, 5:56:52 AM
to Wazuh | Mailing List
Hi Abhi, 

It seems you can forward logs from Seqrite to a remote syslog server.
Reference:
https://docs.seqrite.com/docs/eps-cloud-1-8/admin/siem-integration/

Wazuh server can collect logs via Syslog.
This would entail adding a block similar to the following to your ossec.conf file:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>


The allowed-ips label is mandatory. The configuration will not take effect without it.
If you need a more detailed configuration, here is the documentation with all the parameters you can include in the remote block:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

There is also the option to forward the logs to an agent and ingest the logs by using Rsyslog for Linux endpoints and Logstash for Windows endpoints. You can find more information on this in the documentation:
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html

You can choose from these methods as per your needs.

Now check whether the logs from the devices are properly forwarded to Wazuh.
For this, you can try the following steps:
To enable the archives.json log, set <logall_json>yes</logall_json> in the /var/ossec/etc/ossec.conf file of the Wazuh manager.
Documentation: Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.json file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.json file.
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Check whether there are any relevant logs inside the archive log, using grep with parameters related to the log.
# cat /var/ossec/logs/archives/archives.json | grep Keyword

Test those logs using logtest to find out whether the logs are decoded by decoders and rules.

Check this document to get help with the logtest tool:
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

If the logs are not matched by decoders and rules, you need to write custom rules for them.
Check the document to get help with writing custom rules and decoders:
https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Let me know the update on the issue.

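The check described in the message above (enable logall_json, grep archives.json for the device's events, then see what the decoders did with them), as an added Python example that is not part of the thread and not code from Wazuh or Seqrite. It reads archives.json line by line, keeps the events whose "location" is the Seqrite sender's IP (an assumption about how the <remote> syslog listener labels events), applies the optional grep keyword, and lists the events no decoder matched, which are the ones that need a custom decoder and rule. The sample archive lines, including the Seqrite message text, are constructed for the example.

```python
"""Verify that Seqrite syslog events reached the Wazuh manager and see
which of them no decoder matched.

Added example for this thread; not code from Wazuh, Seqrite or the posters.
Input is the manager's /var/ossec/logs/archives/archives.json, written only
while <logall_json>yes</logall_json> is set (one JSON object per line).
"""
import json
import sys
from collections import Counter

# Assumption: events taken in by the <remote> syslog listener carry the
# sender's IP address in their "location" field.  If Seqrite is relayed
# through rsyslog on an agent instead, "location" is the file the agent
# reads (for example /var/log/syslog), so set SENDER to that path.
SENDER = "192.168.2.15"

# Constructed sample standing in for a real archives.json.  The Seqrite
# message text is made up; the product's real format is not in the thread.
# The last line is deliberately cut short, as a live archives.json can be.
SAMPLE_ARCHIVE = """\
{"timestamp":"2024-09-18T10:11:00.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1726654260.1","full_log":"Sep 18 10:11:00 seqrite-eps Seqrite: Virus detected on host WS01","decoder":{},"location":"192.168.2.15"}
{"timestamp":"2024-09-18T10:11:05.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1726654265.2","full_log":"Sep 18 10:11:05 seqrite-eps sshd[1234]: Failed password for root from 10.0.0.9 port 4444 ssh2","decoder":{"name":"sshd"},"predecoder":{"program_name":"sshd"},"rule":{"id":"5716","level":5},"location":"192.168.2.15"}
{"timestamp":"2024-09-18T10:11:09.000+0000","agent":{"id":"001","name":"web01"},"manager":{"name":"wazuh-manager"},"id":"1726654269.3","full_log":"Sep 18 10:11:09 web01 sshd[99]: Accepted publickey for deploy","decoder":{"name":"sshd"},"location":"/var/log/auth.log"}
{"timestamp":"2024-09-18T10:11:12.000+0000","agent":{"id":"000"
"""


def parse_archive(text):
    """Parse archives.json content; skip lines that are not complete JSON
    (the file is appended live, so a half-written last line is normal)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            print(f"archives.json line {lineno}: not complete JSON, skipped",
                  file=sys.stderr)
    return events


def decoder_name(event):
    """Name of the decoder that matched this event, or None when none did."""
    decoder = event.get("decoder") or {}
    return decoder.get("name") or None


def summarize(events, sender, keyword=None):
    """Count events from `sender` (matched on "location"), optionally only
    those whose full_log contains `keyword` (the grep step, case-insensitive),
    and split them into decoded-by-which-decoder and not decoded at all."""
    mine = [e for e in events if e.get("location") == sender]
    if keyword:
        mine = [e for e in mine
                if keyword.lower() in e.get("full_log", "").lower()]
    decoded = Counter(decoder_name(e) for e in mine if decoder_name(e))
    undecoded = [e.get("full_log", "") for e in mine
                 if decoder_name(e) is None]
    return {"received": len(mine), "decoded": dict(decoded),
            "undecoded": undecoded}


if __name__ == "__main__":
    # usage: python3 check_archive.py [/var/ossec/logs/archives/archives.json] [keyword]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    keyword = sys.argv[2] if len(sys.argv) > 2 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ARCHIVE
    result = summarize(parse_archive(text), SENDER, keyword)
    print(f"events from {SENDER}: {result['received']}")
    for name, count in sorted(result["decoded"].items()):
        print(f"  decoded by {name}: {count}")
    for line in result["undecoded"]:
        # paste these into /var/ossec/bin/wazuh-logtest and write a decoder for them
        print(f"  NO DECODER: {line}")
```

With the constructed sample, two events come from 192.168.2.15: the sshd line is picked up by the stock sshd decoder and rule, while the Seqrite line is reported as NO DECODER, which is exactly the situation where a custom decoder and rule have to be written; the event from agent web01 is ignored because its location is a file path, not the sender's IP.
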
abhi

Sep 19, 2024, 2:29:57 AM
to Wazuh | Mailing List
Okay, thank you Lamya.

I'm actually new to rule creation and when it comes to decoders. Is it possible for you to assist me with rule and decoder creation for Seqrite?

abhi

Sep 19, 2024, 4:58:37 AM
to Wazuh | Mailing List
Hi Lamya,

The product Seqrite is a cloud solution, so in the tags below, how can I mention the IP? I do have the URL to access the Seqrite console.
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Lamya Imam

Sep 25, 2024, 3:44:21 AM
to Wazuh | Mailing List
Hello abhi,

I would suggest you use Rsyslog for this purpose.

First, you need to install Rsyslog on a Wazuh agent endpoint or on the manager server.
Then follow the process from the documentation below:
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

You may need to create custom decoders and rules for your logs. You can find how to create custom rules and decoders in our official documentation:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

I hope you find this helpful.
Let me know if you need further assistance here!