Defining Agent ID, Agent Name to Agentless devices.
Namdev Pawar
victor....@wazuh.com
Namdev Pawar
Namdev
Hi All,
I have able to collect the log in /var/ossec/logs/archives/archives.json
{"timestamp":"2021-08-17T09:56:55.856+0530","agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1629174415.950112","full_log":"<45>49: 10.100.5.130: *Aug 17 03:47:45.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up","decoder":{},"location":"10.100.5.130"}
{"timestamp":"2021-08-17T10:03:53.831+0530","agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1629174833.980711","full_log":"<46>50: 10.100.5.130: *Aug 17 03:54:43.291: %SRE_SM-6-STATE_CHANGE: ISM0/0 changing state from SERVICE_MODULE_STATE_WREG to SERVICE_MODULE_STATE_STDY","decoder":{},"location":"10.100.5.130"}
{"timestamp":"2021-08-17T09:56:33.580+0530","agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1629174393.945787","full_log":"<46>43: 10.100.5.130: *Aug 17 03:47:23.043: %PNP-6-PNP_DISCOVERY_STOPPED: PnP Discovery stopped (Startup Config Present)","decoder":{},"location":"10.100.5.130"}
{"timestamp":"2021-08-17T09:56:51.205+0530","agent":{"id":"000","name":"localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1629174411.945787","full_log":"<45>44: 10.100.5.130: *Aug 17 03:47:41.291: %DSPRM-5-UPDOWN: DSP 1 in slot 0, changed state to up","decoder":{},"location":"10.100.5.130"}
But not showing in Kibana (Discovery)
Please suggest
Sent from Mail for Windows
From: Namdev Pawar
Sent: 13 August 2021 15:36
To: Wazuh mailing list
Subject: Re: Defining Agent ID, Agent Name to Agentless devices.
Hi Victor Rebollo,
I am unable to find "Location" in filter please guide me. Also I have one more query is that how to downloads the logs in CSV/Excel format. How many days we can stored the logs in Server or it can be automatically removed from the server after particular duration.
On Friday, August 6, 2021 at 12:10:49 PM UTC+5:30 victor....@wazuh.com wrote:
Hello namdev,
Only agents have identifications and names. For network devices, like your router, I recommend you filter by location field. I share with you a screenshot of the Kibana > Events menu with the location field filtered. The used alert is triggered using the basic custom rule defined in this documentation page https://documentation.wazuh.com/current/user-manual/ruleset/custom.html. In this case, this event was sent to the manager using remote syslog https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog.
Location value corresponds to the IP of the device that sends that event, in my case 172.17.1.1.
Also, to see your events in Kibana, take in mind that by default, only alerts are indexed to elasticsearch. If you have activated the logall option, all your events will be stored by your manager at your archives.log file, but they will only generate alerts if there are defined rules for them.
If you don't know if there are rules for your events, try to gather some events from your router and use wazuh-logtest to check if they trigger some events https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html
If you have any doubt don't hesitate to ask.
On Thursday, August 5, 2021 at 10:48:17 AM UTC+2 namdev....@gmail.com wrote:
Hi,
Can any one tell me how to define Agent id and Agent Name to Agentless Device. As I am a new in Wazuh, I don't know how to do it. As I have Installed Wazuh server as testing purpose in my environment and still testing is going on. I have added Cisco Router 2911 in wazuh server. also I get logs in /var/ossec/logs/archives/archives.log. But Its still not reflecting in GUI mode.
Please help.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ff36405d-a745-4df7-a653-3734d949606fn%40googlegroups.com.
victor....@wazuh.com
If you enable the logall option, you will store every event that your Wazuh manager gather. These events are stored in your archives.log/archives.json file and, in case they trigger any of the defined rules, an alert will be generated and registered at your alert.json/alert.log file.
However, Kibana interface, by default, only display triggered alerts, not events, so, in order to display those you should consider defining rules for them.
To filter by location field you need to write on the search bar the following:
location:<device-ip>
Where device-ip is the desired IP you want to filter.
Regarding your other questions:
- Downloads alert in CSV/Excel
If you want to download a set of alerts in CSV format you should follow these steps:
- Go to Kibana>Discover
- Filter desired alerts, in my case by location field.
- Save the search
- Generate report in CSV
- Logs removal
If you have any doubt do not hesitate to ask
Namdev Pawar
victor....@wazuh.com
Wazuh, by default, has defined Cisco decoders and rules. For example, we are going to use the following event:
*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
[root@centos-manager1 vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.1.5
Type one log per line
*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
full event: '*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up'
**Phase 2: Completed decoding.
No decoder matched.
It looks that defined Cisco decoders do not apply to your events. The reason for that is because your events have the following format:
*Aug 20 12:40:47.103:
*Aug 20 12:40:47:
This can be solved adding to your /var/ossec/etc/decoders/local_decoder.xml file the following:
<decoder name="cisco-ios">
<prematch>^\p*\w+\s+\d*\s+\d+:\d+:\d+.\d+:\s+%</prematch>
</decoder>
<decoder name="cisco-ios-default">
<parent>cisco-ios</parent>
<regex>(%\w+-\d-\w+):</regex>
<order>id</order>
</decoder>
This add support for your Cisco messages changing default \d+:\d+:\d+:\s+ by \d+:\d+:\d+.\d+:\s+. Then, restart your wazuh-manager.
If we use wazuh-logtest again we get the following:
[root@centos-manager1 vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.1.5
Type one log per line
*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
full event: '*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up'
**Phase 2: Completed decoding.
name: 'cisco-ios'
id: '%LINK-3-UPDOWN'
**Phase 3: Completed filtering (rules).
id: '4713'
level: '4'
description: 'Cisco IOS error message.'
groups: '['syslog', 'cisco_ios']'
firedtimes: '1'
gpg13: '['3.5']'
mail: 'False'
**Alert to be generated.
Namdev
Thanks a Lot...........Victor Rebollo
I had to get this set done as you suggested in /var/ossec/etc/decoders/local_decoder.xml
and run the /var/ossec/bin/wazuh-logtest
getting the result successfully as below.
Starting wazuh-logtest v4.1.5
Type one log per line
2021 Aug 26 11:17:17 localhost->10.100.5.130 <43>55: 10.100.5.130: *Aug 26 05:07:56.115: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
**Phase 1: Completed pre-decoding.
full event: '2021 Aug 26 11:17:17 localhost->10.100.5.130 <43>55: 10.100.5.130: *Aug 26 05:07:56.115: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up'
timestamp: '2021 Aug 26 11:17:17'
**Phase 2: Completed decoding.
name: 'cisco-ios'
0: '%LINK-3-UPDOWN'
cisco.facility: 'LINK'
cisco.mnemonic: 'UPDOWN'
cisco.severity: '3'
**Phase 3: Completed filtering (rules).
id: '4700'
level: '0'
description: 'Grouping of Cisco IOS rules.'
groups: '['syslog', 'cisco_ios']'
firedtimes: '1'
mail: 'False'
But still, I don't get the logs in Kibana/Discover - "Location" filter
Please do suggest
Sent from Mail for Windows
From: Namdev Pawar
Sent: 20 August 2021 19:42
To: Wazuh mailing list
Subject: Re: Defining Agent ID, Agent Name to Agentless devices.
Hi Victor,
- Save the search
- Generate report in CSV
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2c5f56f7-449f-4d8c-8021-573d056fb17dn%40googlegroups.com.
victor....@wazuh.com
Please use only this message at logtest running:
*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Using that event, the rule 4713 should trigger.
In order to check if your network device is generating alerts search in your manager /var/ossec/logs/alerts/alerts.log by your network device IP, like the following:
egrep -A 3 -B 1 "<network-device-ip>" /var/ossec/logs/alerts/alerts.log
You should see something similar to this:
** Alert 1630073195.14954: - syslog,cisco_ios,gpg13_3.5,
2021 Aug 27 14:06:35 centos-manager-kibana->172.17.1.1
Rule: 4713 (level 4) -> 'Cisco IOS error message.'
*Aug 20 12:40:47.103: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
Namdev
Dear Victor Rebollo,
Please find the below snapshot as still I’m not able to getting output as you told in earlier mail.
Also the logs are not coming in /var/ossec/logs/alerts/alerts.log as per my router IP.
Please Let me know there is something is missing in configuration of ruleset and decoder.
o Go to Kibana>Discover
o Filter desired alerts, in my case by location field.
o Save the search
o Generate report in CSV
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/84ca27b0-ed21-40b6-bc6e-6fa2f7bcd295n%40googlegroups.com.
Namdev Pawar
Juan Carlos
Namdev Pawar
Juan Carlos Tello
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/09d696ae-d98e-45e1-bb3d-cdbd09a42143n%40googlegroups.com.