Data exfiltration


Paul Robertson

Feb 6, 2020, 3:09:22 PM
to Wazuh mailing list
I have a small box, let’s call it gateway.  I would like gateway to collect logs from devices at a site with limited bandwidth and use Filebeat to exfiltrate the data.  What’s the best way to get the data onto the box?  Can I put a copy of Filebeat on my primary log server, then have Filebeat on the gateway save that to a file?  Is it better to have Logstash on the gateway catch the file, then add metadata, and then can I export that data again via Filebeat?

[Filebeat-on-server]->[Logstash-onGateway]->[filebeat-on-gateway]->[Wazuh-cluster]

Jesus Linares

Feb 10, 2020, 3:13:36 PM
to Wazuh mailing list
Hi Paul,

I would recommend:
  • Log server: Filebeat
  • Gateway server: Logstash
So, your events are collected in the log server by Filebeat. Then, they are forwarded to Logstash. Here, using the Logstash syslog output plugin the events are forwarded to the Wazuh manager, which is listening for syslog inputs.

In summary: [Filebeat-log_server] -> [Logstash-gateway] -> [Wazuh (syslog input)].

In addition, if you want to use custom templates in syslog, you could use rsyslog in the Wazuh server, and read the output as a local file: [Filebeat-log_server] -> [Logstash-gateway] -> [rsyslog -> events.log <- Wazuh (localfile)].

I hope it helps.

Regards.

Paul Robertson

Feb 11, 2020, 11:27:51 AM
to Jesus Linares, Wazuh mailing list
Hi Jesus,

Is [filebeat:log_server]->[logstash:gateway]->[filebeat:gateway]->[????] possible?  I’m not confident of gateway-> Wazuh connectivity, and Filebeat looks like a good solution for that, but I’m unclear if I can just go from there to Logstash on the Wazuh host, or if I need to do something to integrate with Wazuh for alerts, or if Wazuh-agent can handle outages and low bandwidth connections?

Thanks,

Paul

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/49f08945-5f9a-415d-9fc4-6cb428705d04%40googlegroups.com.

Jesus Linares

Feb 12, 2020, 4:59:05 AM
to Wazuh mailing list
Hi Paul,

Logstash -> Filebeat seems not possible since there is no Logstash output plugin for that purpose: https://www.elastic.co/guide/en/logstash/current/output-plugins.html. And, Filebeat doesn't have a syslog output plugin (https://www.elastic.co/guide/en/beats/filebeat/current/configuring-output.html).


> I’m not confident of gateway-> Wazuh connectivity, and Filebeat looks like a good solution

Why are you considering Filebeat a better solution? Do you want to store the logs in a file in the gateway server just in case there are connectivity issues?

If this is your case, you could use 2 Logstash pipelines:
  • Write the events to disk: [Filebeat-log_server] -> [Logstash_1-gateway -> File].
  • Forward the events from disk to Wazuh: [File -> Logstash_2-gateway] -> [Wazuh (syslog input)].
Another option could be using a proxy and directly Wazuh agents:
  • [log_server <- Wazuh agent] -> [Proxy] -> [Wazuh]

I hope it helps.
Regards.

Paul Robertson

Feb 12, 2020, 5:01:20 PM
to Jesus Linares, Wazuh mailing list
Hi Jesus,

I’m mostly worried about low bandwidth, high latency connections as well as regular loss of connectivity.  That means storing the files on the gateway is a necessary practice, and I’d also like to add metadata.  My understanding was Filebeat was good for low bandwidth exfiltration.

Does Logstash2->Wazuh handle this ok, or does [logserver:filebeat]~>[gateway file]->[gateway:Filebeat]->Logstash make sense?

Thank you,

Paul



Jesus Linares

Feb 13, 2020, 8:20:42 AM
to Wazuh mailing list
Hi Paul,

If storing the files in the gateway is a requirement, I recommend the configuration that I explained in the previous post:
  • Forward the events from your log server (using filebeat) to the gateway (using Logstash) and write them to a file: [Filebeat-log_server] -> [Logstash_1-gateway -> File].
  • At this moment, you will have all the events from your log servers stored in a file in the gateway.
  • Forward them to Wazuh using Logstash: [File -> Logstash_2-gateway] -> [Wazuh (syslog input)].

Please, note that if you change the original event, maybe you will need to adapt the decoders/rules:

Decoders and rules are created for the raw event. For example:
Dec 20 23:17:35  bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2

If filebeat or syslog add headers, the decoders will not work, since the decoders are not created to match the headers (the <filebeat fields> <syslog fields> part):
<filebeat fields> <syslog fields> Dec 20 23:17:35  bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
 
This probably will not happen if you use JSON events.


I would try an NGINX gateway for your agents. They will not use too much bandwidth and the agent is able to handle the loss of connectivity.

Regards.
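The two-pipeline gateway layout described in this reply and in the earlier one, written out as an added example; it is not part of the thread and not Wazuh's or Elastic's own configuration. Hostnames, ports, file paths and the site field are assumptions. Pipeline 2 uses the Logstash tcp output with a line codec instead of the syslog output mentioned above, so only the original message field reaches the manager and no extra header is prepended to the raw event (the decoder problem this reply warns about).

```conf
# /etc/logstash/pipelines.yml on the gateway (assumed paths)
- pipeline.id: spool_to_disk
  path.config: "/etc/logstash/conf.d/1-spool.conf"
- pipeline.id: disk_to_wazuh
  path.config: "/etc/logstash/conf.d/2-forward.conf"
  queue.type: persisted        # keep in-flight events across Logstash restarts while the link is down

# /etc/logstash/conf.d/1-spool.conf  (Logstash_1: Filebeat on log_server -> file on gateway)
input {
  beats { port => 5044 }       # Filebeat on log_server points output.logstash at gateway:5044
}
filter {
  mutate {
    # The metadata to add on the gateway; the 'site' field and its value are assumptions
    add_field => { "site" => "remote-site-01" }
  }
}
output {
  file {
    # Default codec is json_lines: one JSON event per line, 'message' holds the raw log line
    path => "/var/spool/gateway/events-%{+YYYY-MM-dd}.json"
  }
}

# /etc/logstash/conf.d/2-forward.conf  (Logstash_2: file on gateway -> Wazuh syslog input)
input {
  file {
    path => "/var/spool/gateway/events-*.json"
    codec => "json"            # restores 'message' plus the metadata fields
    sincedb_path => "/var/lib/logstash/spool.sincedb"   # read offset survives restarts
  }
}
output {
  # Send only the original line, e.g. "Dec 20 23:17:35 bilbo sshd[16645]: Failed password ...",
  # so the Wazuh decoders match the raw event and no Filebeat/syslog header is prepended.
  # In client mode the tcp output retries while the link is down, so the file input pauses
  # instead of events being dropped.
  tcp {
    host => "wazuh-manager.example.com"   # placeholder manager address
    port => 514
    mode => "client"
    codec => line { format => "%{message}" }
  }
}

# /var/ossec/etc/ossec.conf on the Wazuh manager: the matching syslog listener (assumed values)
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>203.0.113.10</allowed-ips>   <!-- the gateway's address, placeholder -->
</remote>
```

Because the spool file keeps the JSON event with its metadata while only the message field is forwarded, the added fields are available on the gateway for later use without affecting the manager's decoders.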

Paul Robertson

Feb 13, 2020, 2:27:17 PM
to Jesus Linares, Wazuh mailing list
Thank you Jesus, I’ll give that a try!
