events stop showing


Milan Patel

Mar 22, 2023, 4:05:57 PM
to Wazuh mailing list
Hello,

I have an all-in-one Wazuh deployment with ELK on-prem.
Versions that I have installed:

elasticsearch: 7.17.6
wazuh: 4.3.10
filebeat: 8.6.2

I am receiving events on the Wazuh server: /var/ossec/logs/archives/2023/Mar/ossec-archive-22.log

The log looks like this:
2023 Mar 22 15:42:34 (centos-ansible-test) any->/var/log/httpd/vhostalsoworkslocal/access_log_vhostalsoworkslocal.2023.03.16 10.0.249.240 - - [22/Mar/2023:15:42:13 -0400] "GET /milan.php HTTP/1.1" 404 207

The log test also works fine; the result is:

root@wazuhtest:/var/ossec/logs/archives/2023/Mar# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

2023 Mar 22 15:42:34 (centos-ansible-test) any->/var/log/httpd/vhostalsoworkslocal/access_log_vhostalsoworkslocal.2023.03.16 10.0.249.240 - - [22/Mar/2023:15:42:13 -0400] "GET /milan.php HTTP/1.1" 404 207

**Phase 1: Completed pre-decoding.
        full event: '2023 Mar 22 15:42:34 (centos-ansible-test) any->/var/log/httpd/vhostalsoworkslocal/access_log_vhostalsoworkslocal.2023.03.16 10.0.249.240 - - [22/Mar/2023:15:42:13 -0400] "GET /milan.php HTTP/1.1" 404 207'
        timestamp: '2023 Mar 22 15:42:34'

**Phase 2: Completed decoding.
        name: 'web-accesslog'
        parent: 'web-accesslog'
        id: '404'
        protocol: 'GET'
        srcip: '10.0.249.240'
        srcip2: 'any->/var/log/httpd/vhostalsoworkslocal/access_log_vhostalsoworkslocal.2023.03.16'
        url: '/milan.php'

**Phase 3: Completed filtering (rules).
        id: '31101'
        level: '5'
        description: 'Web server 400 error code.'
        groups: '['web', 'accesslog', 'attack']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d']'
        mail: 'False'
        nist_800_53: '['SA.11', 'SI.4']'
        pci_dss: '['6.5', '11.4']'
        tsc: '['CC6.6', 'CC7.1', 'CC8.1', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.


Still, I am not able to see any events in the Wazuh GUI.

Can someone please help me with this?
Thanks
Capture.PNG

Roman Luna

Mar 22, 2023, 4:36:35 PM
to Wazuh mailing list
Hi,

There could be an issue indexing the following alert, which would be a reason for it not to be shown in the dashboard.

There are two things that we can look into:

Can you share the log for elasticsearch?

Also, did you check if the event is in the alerts.json?

Regards.

Milan Patel

Mar 22, 2023, 6:19:47 PM
to Wazuh mailing list
Here are the logs:

1. elasticsearch logs

[2023-03-22T18:15:19,151][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:48106}
[2023-03-22T18:15:19,796][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:48118}
[2023-03-22T18:15:24,157][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54732}
[2023-03-22T18:15:24,801][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54736}
[2023-03-22T18:15:29,161][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54750}
[2023-03-22T18:15:29,806][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54762}
[2023-03-22T18:15:34,165][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50144}
[2023-03-22T18:15:34,811][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50150}
[2023-03-22T18:15:39,170][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50160}
[2023-03-22T18:15:39,816][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:50174}
[2023-03-22T18:15:44,177][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:42084}
[2023-03-22T18:15:44,823][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:42092}
[2023-03-22T18:15:49,180][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:42096}
[2023-03-22T18:15:49,826][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:42110}
[2023-03-22T18:15:54,207][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35720}
[2023-03-22T18:15:54,831][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35728}
[2023-03-22T18:15:59,211][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35734}
[2023-03-22T18:15:59,836][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:35742}
[2023-03-22T18:16:04,216][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:36550}

2. alerts.json

pwd: /var/ossec/logs/alerts


{"timestamp":"2023-03-22T16:41:25.749-0400","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002","firedtimes":2524,"mail":false,"groups":["syslog","errors"],"gpg13":["4.3"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679517685.4757557","full_log":"Mar 22 16:41:25 wazuhtest logstash[941]: [2023-03-22T16:41:25,670][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>\"http://localhost:9200/\", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>\"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::ClientProtocolException] localhost:9200 failed to respond\"}","predecoder":{"program_name":"logstash","timestamp":"Mar 22 16:41:25","hostname":"wazuhtest"},"decoder":{},"location":"/var/log/syslog"}
{"timestamp":"2023-03-22T16:41:39.258-0400","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":1,"mail":false,"groups":["ossec","rootcheck"],"pci_dss":["10.6.1"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679517699.4758166","full_log":"File '/etc/elastiflow/ca/ca.crt' is owned by root and has written permissions to anyone.","decoder":{"name":"rootcheck"},"data":{"title":"File is owned by root and has written permissions to anyone.","file":"/etc/elastiflow/ca/ca.crt"},"location":"rootcheck"}
{"timestamp":"2023-03-22T16:41:40.952-0400","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679517700.4758549","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 77497/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 77497/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 77411/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon\ntcp 0.0.0.0:55000 0.0.0.0:* 77369/python3","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 81401/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 77497/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 77497/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 77411/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon\ntcp 0.0.0.0:55000 0.0.0.0:* 77369/python3","location":"netstat listening ports"}
{"timestamp":"2023-03-22T16:41:49.617-0400","rule":{"level":3,"description":"Ossec server started.","id":"502","firedtimes":1,"mail":false,"groups":["ossec"],"pci_dss":["10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679517709.4761158","full_log":"ossec: Ossec started.","decoder":{"name":"ossec"},"location":"wazuh-monitord"}
{"timestamp":"2023-03-22T16:47:41.430-0400","rule":{"level":7,"description":"Listened ports status (netstat) changed (new port opened or closed).","id":"533","firedtimes":2,"mail":false,"groups":["ossec"],"pci_dss":["10.2.7","10.6.1"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AU.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679518061.4761407","previous_output":"Previous output:\nossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 81401/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon","full_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 81401/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon\ntcp 0.0.0.0:55000 0.0.0.0:* 81359/python3","decoder":{"name":"ossec"},"previous_log":"ossec: output: 'netstat listening ports':\ntcp 0.0.0.0:22 0.0.0.0:* /usr\ntcp6 :::22 :::* /usr\ntcp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\nudp 127.0.0.53:53 0.0.0.0:* 879/systemd-resolve\ntcp 0.0.0.0:443 0.0.0.0:* 1096/node\ntcp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\ntcp6 :::514 :::* 921/rsyslogd\nudp 0.0.0.0:514 0.0.0.0:* 921/rsyslogd\nudp6 :::514 :::* 921/rsyslogd\ntcp 127.0.0.1:631 0.0.0.0:* 28055/cupsd\ntcp6 ::1:631 :::* 28055/cupsd\nudp 0.0.0.0:631 0.0.0.0:* 28057/cups-browsed\ntcp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\nudp 0.0.0.0:1514 0.0.0.0:* 81575/wazuh-remoted\ntcp 0.0.0.0:1515 0.0.0.0:* 81401/wazuh-authd\ntcp6 :::5044 :::* 941/java\nudp 0.0.0.0:5353 0.0.0.0:* 907/avahi-daemon\nudp6 :::5353 :::* 907/avahi-daemon\ntcp 127.0.0.1:6010 0.0.0.0:* 8814/sshd\ntcp6 ::1:6010 :::* 8814/sshd\ntcp 127.0.0.1:6011 0.0.0.0:* 47627/sshd\ntcp6 ::1:6011 :::* 47627/sshd\ntcp6 :::8080 :::* 1052/flowcoll\ntcp6 127.0.0.1:9200 :::* 48335/java\ntcp6 127.0.0.1:9300 :::* 48335/java\ntcp6 127.0.0.1:9600 :::* 941/java\nudp6 :::9995 :::* 1052/flowcoll\nudp 0.0.0.0:35374 0.0.0.0:* 907/avahi-daemon\nudp6 :::49337 :::* 907/avahi-daemon","location":"netstat listening ports"}
{"timestamp":"2023-03-22T17:05:30.913-0400","rule":{"level":4,"description":"OpenVPN: Connection Certificate Failed","id":"81803","mitre":{"id":["T1133"],"tactic":["Persistence","Initial Access"],"technique":["External Remote Services"]},"firedtimes":1,"mail":false,"groups":["openvpn","openvpn-error"],"gdpr":["IV_35.7.d"]},"agent":{"id":"000","name":"wazuhtest"},"manager":{"name":"wazuhtest"},"id":"1679519130.4764016","full_log":"Mar 22 17:05:30 securityfw.localdomain openvpn[28667]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]185.200.116.37:35619","predecoder":{"program_name":"openvpn","timestamp":"Mar 22 17:05:30","hostname":"securityfw.localdomain"},"decoder":{"parent":"openvpn","name":"openvpn"},"data":{"srcip":"185.200.116.37","srcport":"35619"},"location":"/var/log/syslog"}


Here I have attached a few alerts/logs.

Please let me know if you need anything else.

Thanks
Milan

Roman Luna

Jul 28, 2023, 10:03:11 AM
to Wazuh mailing list
Hi,

Sorry for the late response; the logs that you have shared do not seem to show the problem resulting in the alert not showing in the dashboard.

Do you have any other alerts that are level 3 and up? That can be set in the ossec.conf; here is the default:

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

Also, it is important to check whether you have enough space in ES to index the alerts. You can also check if you can see the alerts in the Discover tab of the dashboard, instead of the Wazuh app, to compare.

You can check additional logs from ES to see if any alert failed to be indexed (which would result in not seeing the alerts in the dashboard):

grep -i -E "error|warn" /var/log/wazuh-indexer/wazuh-indexer-cluster.log

and

cat /var/log/filebeat/filebeat

Regards.
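A small triage helper, added here as an example and not part of the thread or of Wazuh: it applies the same error/warn filter the reply suggests to indexer log lines, counts the "plaintext http traffic on an https channel" warning that appears in the shared log, checks whether a given rule (here the web-accesslog rule 31101 from the logtest run) is present in alerts.json at a level that clears the default log_alert_level, and returns which stage of the pipeline to look at next. The sample log lines, the alerts.json records and the next_check hint are my constructions, shaped after what the thread shows.

```python
import json
import re
from collections import Counter

# Constructed sample input, shaped like the indexer log quoted in the thread.
INDEXER_LOG = """\
[2023-03-22T18:15:19,151][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:48106}
[2023-03-22T18:15:20,000][INFO ][constructed.Logger] [elasticsearch] constructed info line, must be ignored
[2023-03-22T18:15:24,157][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elasticsearch] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:54732}
[2023-03-22T18:15:30,000][ERROR][constructed.Logger] [elasticsearch] constructed error line for the test
"""

# Constructed alerts.json: the web-accesslog alert from the logtest run
# (rule 31101, level 5) and a level-2 alert like rule 1002 in the thread.
ALERTS_JSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2023-03-22T15:42:34.000-0400",
     "rule": {"level": 5, "id": "31101", "description": "Web server 400 error code.",
              "groups": ["web", "accesslog", "attack"]},
     "agent": {"id": "000", "name": "wazuhtest"},
     "data": {"srcip": "10.0.249.240", "url": "/milan.php", "id": "404"}},
    {"timestamp": "2023-03-22T16:41:25.749-0400",
     "rule": {"level": 2, "id": "1002", "description": "Unknown problem somewhere in the system."},
     "agent": {"id": "000", "name": "wazuhtest"}},
])

LEVEL_RE = re.compile(r"^\[[^\]]+\]\[(WARN|ERROR)\s*\]")
PLAINTEXT_ON_TLS = "received plaintext http traffic on an https channel"


def indexer_findings(log_text):
    """Same filter as `grep -i -E "error|warn"`, plus a separate counter for the
    TLS mismatch warning: a client is sending plain http:// to a port 9200 that
    expects TLS, so whatever it tries to index is dropped at the connection."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LEVEL_RE.match(line)
        if not m:
            continue
        counts[m.group(1)] += 1
        if PLAINTEXT_ON_TLS in line:
            counts["plaintext_on_https"] += 1
    return counts


def rule_triage(alerts_text, rule_id, log_alert_level=3):
    """Find alerts.json records for rule_id and check their level against
    <log_alert_level> (default 3): only alerts at that level or above are
    written to alerts.json and shipped, so a lower-level rule is not expected
    in the dashboard unless the threshold was lowered."""
    records = [json.loads(line) for line in alerts_text.splitlines() if line.strip()]
    hits = [r for r in records if r["rule"]["id"] == rule_id]
    levels = sorted({r["rule"]["level"] for r in hits})
    return {"found": len(hits), "levels": levels,
            "meets_threshold": any(lv >= log_alert_level for lv in levels)}


def next_check(found, plaintext_warnings):
    """Which stage to inspect next, given the two results above (my heuristic)."""
    if found == 0:
        return "analysis"   # never reached alerts.json: ruleset / alert threshold
    if plaintext_warnings:
        return "shipper"    # alerts exist but 9200 rejects plaintext: output URL / TLS
    return "indexer"        # alerts exist and ship: index, disk space, dashboard filters
```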