Questions related to wazuh


yari arcopinto

May 16, 2023, 5:45:36 AM5/16/23
to Wazuh mailing list
Hello to all,
I'm new to Wazuh and, in general, new to the SIEM world. I have some questions.

My intention was to use Wazuh to constantly monitor an access.log.

I have installed the agent on a server and I have set the path of the access.log.

I have checked whether the agent is sending the logs correctly, and I have found the event in /var/ossec/logs/archives/archives.log:
"any->logcollector ossec: File rotated (inode changed): '/var/log/nginx/vetocl.access.log'."

Then I have set logall: yes, but I have seen that the event generated from the log is not present in var/ossec/logs/archives/2023/may/ossec-archive-**.log

How can I know if the manager is receiving the logs?
How can I display the logs in the OpenSearch dashboard?

Thanks in advance for all your support

Pacome Kemkeu

May 16, 2023, 6:39:55 AM5/16/23
to Wazuh mailing list
Hello Yari,

1. How can I know if the manager is receiving the logs?

You have to check that port 1514 is open between the source device and the Wazuh server. You can run the tcpdump command below on the Wazuh manager to be sure that events are being received by Wazuh:
# tcpdump -i any port 1514 host <IP_ADDRESS>

If the tcpdump command returns logs from your device, but there are no alerts on your Wazuh dashboard, you need to enable the Wazuh archives and create an index pattern to visualize the events.

2. How can I display the logs in the OpenSearch dashboard?

As mentioned in my previous answer, you need to enable the Wazuh archives, create an index pattern and use the Discover tab to view all events.

- The first step is to enable the logging of all events, which can be done by changing the value of the parameters <logall> and/or <logall_json> to yes in the Wazuh server configuration file /var/ossec/etc/ossec.conf.
  Note: Only <logall_json>yes</logall_json> creates an index that can be used to visualize the events on the Wazuh dashboard.
- Then restart the Wazuh manager to apply the configuration changes:
  # systemctl restart wazuh-manager
  Depending on your chosen format, the file archives.log, archives.json, or both will be created in the /var/ossec/logs/archives/ directory on the Wazuh server.

In order to view and query the events stored in the Wazuh archives, perform the following steps:

On the Wazuh server:
- Edit the Filebeat configuration file /etc/filebeat/filebeat.yml and change the value of archives: enabled from false to true. It should look as follows:

  archives:
    enabled: true

- Restart the Filebeat service to apply the configuration changes:
  # systemctl restart filebeat

On the Wazuh Dashboard:
- Click the upper-left menu icon and navigate to Stack management -> Index patterns -> Create index pattern. Use wazuh-archives-* as the index pattern name, set @timestamp in the Time field drop-down list and save.
- To view the events, click the upper-left menu icon and navigate to Discover. Change the index pattern to wazuh-archives-*. This will allow you to have an overview of all events generated in your infrastructure, even those that did not trigger an alert.

I hope you find this helpful.
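
The steps in this answer can be verified from a shell on the Wazuh server before touching the dashboard. The script below is an added example, not code from this thread or from Wazuh: the function names and the script filename are my own, the checks read the three files the answer names (ossec.conf, filebeat.yml, archives.json), and the archives.json field names it greps for (the agent "name" and the top-level "location") are an assumption about the event format, which the thread does not show.

```shell
#!/bin/sh
# Added example (not from the thread): a preflight for the archives pipeline
# described above. Each function takes a file path so it can be run against a
# copy of the real file; with no argument it uses the default Wazuh paths.

# Step 1: which archive format is enabled in ossec.conf?
# Prints "logall_json", "logall" or "none". Only logall_json feeds the
# wazuh-archives-* index, so that is the value the dashboard steps need.
archives_mode() {
  conf="${1:-/var/ossec/etc/ossec.conf}"
  if grep -Eq '<logall_json>[[:space:]]*yes[[:space:]]*</logall_json>' "$conf" 2>/dev/null; then
    echo logall_json
  elif grep -Eq '<logall>[[:space:]]*yes[[:space:]]*</logall>' "$conf" 2>/dev/null; then
    echo logall
  else
    echo none
  fi
}

# Step 2: is "archives: enabled: true" set in the wazuh module of filebeat.yml?
# Returns 0 when it is, 1 otherwise. The awk state machine looks at the
# "enabled:" line that follows "archives:", which is how the module block is
# laid out in the thread's filebeat.yml.
filebeat_archives_enabled() {
  yml="${1:-/etc/filebeat/filebeat.yml}"
  [ -r "$yml" ] || return 1
  awk '
    /^[ \t]*archives:[ \t]*$/ { in_archives = 1; next }
    in_archives && /^[ \t]*enabled:/ { if ($2 == "true") found = 1; in_archives = 0 }
    END { exit found ? 0 : 1 }
  ' "$yml"
}

# Step 3: once both are set and the services restarted, archives.json grows by
# one JSON event per line. Count the events one agent produced from one log
# file. Assumption (not shown in the thread): each event carries
# "agent":{...,"name":"<agent>",...} and a top-level "location":"<file>".
# The name match is coarse: the manager block has a "name" field too.
events_from_location() {
  json="${1:-/var/ossec/logs/archives/archives.json}"
  agent="$2"
  location="$3"
  [ -r "$json" ] || { echo 0; return 0; }   # file not created yet -> 0 events
  grep -F "\"name\":\"$agent\"" "$json" | grep -Fc "\"location\":\"$location\"" || true
}

# Usage (hypothetical filename): sh check_archives.sh <agent-name> <log-path>
# e.g.  sh check_archives.sh web01 /var/log/nginx/vetocl.access.log
if [ "$#" -ge 2 ]; then
  echo "ossec.conf archive mode : $(archives_mode)"
  if filebeat_archives_enabled; then
    echo "filebeat archives input : enabled"
  else
    echo "filebeat archives input : DISABLED (set archives: enabled: true, restart filebeat)"
  fi
  echo "archived events from $2 on agent $1: $(events_from_location '' "$1" "$2")"
fi
```

If the first check prints "logall" rather than "logall_json", the events land in archives.log only and the wazuh-archives-* index pattern will stay empty, which matches the note in the answer; a count of 0 from the third check with the first two green usually means the services were not restarted or the agent is not sending yet, which is where the tcpdump check from the first answer comes in.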

yari arcopinto

May 16, 2023, 8:07:58 AM5/16/23
to Wazuh mailing list
Hello Pacome,
I'm really grateful for your explanation and help.
I will try.

Just a question: I haven't installed Filebeat, I'm using the wazuh-agent. Should I replace it with Filebeat, or can I install both on the same server?

Regards,

Pacome Kemkeu

May 16, 2023, 8:16:51 AM5/16/23
to Wazuh mailing list
Hi Yari, there is no need to install Filebeat because all the steps I mentioned should be performed on the Wazuh server.

The Wazuh server comes along with Filebeat installed, which is used to send events and alerts to the Wazuh indexer.
Just perform the modifications I shared with you on your Wazuh server and restart the necessary services.

Do this and let me know how it goes.

yari arcopinto

May 16, 2023, 8:32:51 AM5/16/23
to Wazuh mailing list
Hi again, 

I was trying, but when I try to restart the service I get the following error message:

 wazuh-manager.service - LSB: Start and stop Wazuh
   Loaded: loaded (/etc/init.d/wazuh-manager; generated)
   Active: failed (Result: exit-code) since Tue 2023-05-16 14:28:06 CEST; 3min 59s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 30904 ExecStart=/etc/init.d/wazuh-manager start (code=exited, status=127)

Regards,

yari arcopinto

May 16, 2023, 8:39:04 AM5/16/23
to Wazuh mailing list
Sorry for the edit, this is the status.

When I launch the restart I get:

Job for wazuh-manager.service failed because the control process exited with error code.
See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.

Pacome Kemkeu

May 16, 2023, 8:54:15 AM5/16/23
to Wazuh mailing list
Looking at the logs will be useful to figure out what is wrong. Can you please provide the output of the following commands:
# systemctl status wazuh-manager.service
# journalctl -xeu wazuh-manager.service
# cat <WAZUH_INSTALL_DIR>/logs/ossec.log

yari arcopinto

May 16, 2023, 9:03:11 AM5/16/23
to Wazuh mailing list
     wazuh-manager.service - LSB: Start and stop Wazuh
       Loaded: loaded (/etc/init.d/wazuh-manager; generated)
       Active: failed (Result: exit-code) since Tue 2023-05-16 14:42:38 CEST; 12min ago
         Docs: man:systemd-sysv-generator(8)
      Process: 1365 ExecStart=/etc/init.d/wazuh-manager start (code=exited, status=127)

    May 16 14:42:38 CLO-DWH3 systemd[1]: Starting LSB: Start and stop Wazuh...
    May 16 14:42:38 CLO-DWH3 wazuh-manager[1365]: /etc/init.d/wazuh-manager: 25: /etc/init.d/wazuh-manager: /var/ossec/bin/wazuh-control: not found
    May 16 14:42:38 CLO-DWH3 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=127
    May 16 14:42:38 CLO-DWH3 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
    May 16 14:42:38 CLO-DWH3 systemd[1]: Failed to start LSB: Start and stop Wazuh.

    -- Unit wazuh-manager.service has failed.
    --
    -- The result is RESULT.
    May 16 14:26:00 CLO-DWH3 systemd[1]: Starting LSB: Start and stop Wazuh...
    -- Subject: Unit wazuh-manager.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has begun starting up.
    May 16 14:26:00 CLO-DWH3 wazuh-manager[30504]: /etc/init.d/wazuh-manager: 25: /etc/init.d/wazuh-manager: /var/ossec/bin/wazuh-control: not found
    May 16 14:26:00 CLO-DWH3 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=127
    May 16 14:26:00 CLO-DWH3 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
    May 16 14:26:00 CLO-DWH3 systemd[1]: Failed to start LSB: Start and stop Wazuh.
    -- Subject: Unit wazuh-manager.service has failed
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has failed.
    --
    -- The result is RESULT.
    May 16 14:28:06 CLO-DWH3 systemd[1]: Starting LSB: Start and stop Wazuh...
    -- Subject: Unit wazuh-manager.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has begun starting up.
    May 16 14:28:06 CLO-DWH3 wazuh-manager[30904]: /etc/init.d/wazuh-manager: 25: /etc/init.d/wazuh-manager: /var/ossec/bin/wazuh-control: not found
    May 16 14:28:06 CLO-DWH3 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=127
    May 16 14:28:06 CLO-DWH3 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
    May 16 14:28:06 CLO-DWH3 systemd[1]: Failed to start LSB: Start and stop Wazuh.
    -- Subject: Unit wazuh-manager.service has failed
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has failed.
    --
    -- The result is RESULT.
    May 16 14:38:08 CLO-DWH3 systemd[1]: Starting LSB: Start and stop Wazuh...
    -- Subject: Unit wazuh-manager.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has begun starting up.
    May 16 14:38:08 CLO-DWH3 wazuh-manager[32729]: /etc/init.d/wazuh-manager: 25: /etc/init.d/wazuh-manager: /var/ossec/bin/wazuh-control: not found
    May 16 14:38:08 CLO-DWH3 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=127
    May 16 14:38:08 CLO-DWH3 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
    May 16 14:38:08 CLO-DWH3 systemd[1]: Failed to start LSB: Start and stop Wazuh.
    -- Subject: Unit wazuh-manager.service has failed
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has failed.
    --
    -- The result is RESULT.
    May 16 14:42:38 CLO-DWH3 systemd[1]: Starting LSB: Start and stop Wazuh...
    -- Subject: Unit wazuh-manager.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has begun starting up.
    May 16 14:42:38 CLO-DWH3 wazuh-manager[1365]: /etc/init.d/wazuh-manager: 25: /etc/init.d/wazuh-manager: /var/ossec/bin/wazuh-control: not found
    May 16 14:42:38 CLO-DWH3 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=127
    May 16 14:42:38 CLO-DWH3 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
    May 16 14:42:38 CLO-DWH3 systemd[1]: Failed to start LSB: Start and stop Wazuh.
    -- Subject: Unit wazuh-manager.service has failed
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- Unit wazuh-manager.service has failed.
    --
    -- The result is RESULT.

    root@wazuh:/var/ossec/logs# cat ossec.log
    2023/05/16 00:00:10 wazuh-monitord: INFO: Starting new log after rotation.
    2023/05/16 00:10:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 00:10:04 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 01:10:05 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 01:10:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 02:10:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 02:10:09 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 03:05:34 sca: INFO: Starting Security Configuration Assessment scan.
    2023/05/16 03:05:34 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
    2023/05/16 03:05:39 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu20-04.yml'
    2023/05/16 03:05:39 sca: INFO: Security Configuration Assessment scan finished. Duration: 5 seconds.
    2023/05/16 03:05:42 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
    2023/05/16 03:05:42 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
    2023/05/16 03:07:47 rootcheck: INFO: Starting rootcheck scan.
    2023/05/16 03:08:01 rootcheck: INFO: Ending rootcheck scan.
    2023/05/16 03:10:10 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 03:10:11 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 04:10:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 04:10:14 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 05:10:15 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 05:10:16 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 06:10:17 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 06:10:19 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 07:10:20 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 07:10:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 08:10:22 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 08:10:24 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 09:10:25 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 09:10:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 10:10:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 10:10:29 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 11:10:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 11:10:32 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 12:10:33 wazuh-modulesd:syscollector: INFO: Starting evaluation.
    2023/05/16 12:10:34 wazuh-modulesd:syscollector: INFO: Evaluation finished.
    2023/05/16 12:56:06 wazuh-db: INFO: Created Global database backup "backup/db/global.db-backup-2023-05-16-12:56:06.gz"
    2023/05/16 12:56:06 wazuh-db: INFO: Deleted Global database backup: "backup/db/global.db-backup-2023-05-13-12:56:06.gz"

yari arcopinto

May 16, 2023, 11:33:38 AM5/16/23
to Wazuh mailing list
Hello again, 

Please don't consider this log. It's my mistake. I was trying to check the wazuh-manager status on a server, but actually I have it installed in Docker.

By the way,

Launching service wazuh-manager status I got this:

"wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running..."

Then I have modified the filebeat.yml with

# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ['https://wazuh.indexer:9200']
  username: 'admin'
  password: 'SecretPassword'
  ssl.verification_mode: 'full'
  ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
  ssl.certificate: '/etc/ssl/filebeat.pem'
  ssl.key: '/etc/ssl/filebeat.key'

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq


Then I have restarted the service using service filebeat restart, but after a couple of seconds I got kicked out of the Docker container, and if I join again and try to launch service filebeat status, the result is:

 * filebeat is not running

Pacome Kemkeu

May 17, 2023, 5:16:00 AM5/17/23
to Wazuh mailing list
Hello Yari,

Before we jump to conclusions, let's run the following test on your Filebeat host:
# filebeat test output

We should also check the Filebeat logs for errors.
Filebeat:
less /var/log/filebeat/filebeat.log | grep -i 'WARN\|ERROR'

And:
journalctl -u filebeat --no-pager | grep -iE 'WARN|ERROR'

Also, the Filebeat config file may prove useful:
/etc/filebeat/filebeat.yml

Kindly provide me with the above.

Waiting for your reply.

yari arcopinto

May 17, 2023, 5:58:48 AM5/17/23
to Wazuh mailing list
Hello,

filebeat test output:

elasticsearch: https://wazuh.indexer:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.0.3
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

Running the command less /var/log/filebeat/filebeat.log | grep -i 'WARN\|ERROR' in wazuh-manager, I have no filebeat.log:

root@wazuh:/var/log/filebeat# ls
filebeat  filebeat.1  filebeat.2  filebeat.3  filebeat.4  filebeat.5  filebeat.6  filebeat.7


Running the command journalctl -u filebeat --no-pager | grep -i 'WARN|ERROR' in wazuh-manager:

root@wazuh:/var/log/filebeat# journalctl -u filebeat --no-pager | grep -i 'WARN|ERROR'
bash: journalctl: command not found


Looking at the filebeat.yml:
# Wazuh - Filebeat configuration file
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: true

setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ['https://wazuh.indexer:9200']
  username: '*****'
  password: '*****'

  ssl.verification_mode: 'full'
  ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
  ssl.certificate: '/etc/ssl/filebeat.pem'
  ssl.key: '/etc/ssl/filebeat.key'

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:

    - rseq

Regards
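
Pacome's three log checks, adapted to what this reply shows about the wazuh-manager container: the log directory holds a file named filebeat (plus rotated filebeat.1 ... filebeat.7) rather than filebeat.log, and journalctl is not installed. The functions below are an added example, not code from the thread, from Wazuh or from Filebeat; the function names are my own and the log lines used to exercise them are constructed. They also use grep -E, because in grep's default basic-regex mode the | in 'WARN|ERROR' is a literal character and the pattern matches nothing.

```shell
#!/bin/sh
# Added example (not from the thread): triage Filebeat warnings/errors on a
# Wazuh server, covering the container layout shown in this thread.

# Pick the Filebeat log to read: filebeat.log on a package install, otherwise
# the un-suffixed "filebeat" file found in the wazuh-manager container.
# Prints the path; returns 1 when neither exists.
filebeat_logfile() {
  dir="${1:-/var/log/filebeat}"
  for f in "$dir/filebeat.log" "$dir/filebeat"; do
    if [ -r "$f" ]; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# Count WARN/ERROR lines in one log file. -E makes '|' an alternation; with
# plain 'grep -i' the pattern would only match the literal text "WARN|ERROR".
# grep -c exits 1 when the count is 0, hence the "|| true".
filebeat_problem_count() {
  grep -Eic 'WARN|ERROR' "$1" || true
}

# Print the WARN/ERROR lines from the log directory; fall back to journalctl
# only where it exists (it does not inside the container in this thread).
filebeat_problems() {
  dir="${1:-/var/log/filebeat}"
  if f=$(filebeat_logfile "$dir"); then
    grep -Ei 'WARN|ERROR' "$f"
  elif command -v journalctl >/dev/null 2>&1; then
    journalctl -u filebeat --no-pager | grep -Ei 'WARN|ERROR'
  else
    echo "no Filebeat log found under $dir and journalctl is not available" >&2
    return 1
  fi
}

# Usage (hypothetical filename): sh filebeat_triage.sh --run [log-dir]
if [ "${1:-}" = "--run" ]; then
  filebeat_problems "${2:-/var/log/filebeat}"
fi
```

Rotated copies (filebeat.1 and so on) are left alone on purpose: the newest file is the one that explains why "filebeat is not running" right after a restart. If it is empty, the next place to look is the output of filebeat test output, which this reply shows succeeding, so a TLS or connection error can be ruled out.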

yari arcopinto

May 21, 2023, 4:32:27 AM5/21/23
to Wazuh mailing list
Up.
Any update?
