Hi @ thomas.powers7558
I hope you are fine.
I have been testing with several methods and I was not able to achieve what you need with the tools available in the Wazuh suite.
I recommend creating a script that reads the /var/ossec/logs/alerts/alerts.json file on each of the servers, extracts only the alerts with rule.level>=10 and writes the result to a file:
You can take the scripts used in this documentation as reference:
Once you have your script ready, you can schedule it to run at a fixed interval by adding a "wodle" section like this to each Wazuh manager:
# vi /var/ossec/etc/ossec.conf
...
<wodle name="command">
  <tag>groups-inventory</tag>
  <disabled>no</disabled>
  <command>/path/to/script/high_alerts.py [arguments]</command>
  <interval>30m</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>
And restart your Wazuh-managers:
# systemctl restart wazuh-manager
Once you have this in place, you can create a second "filebeat" service in each of your Wazuh managers to read and insert alerts from the output file of your script to the remote Elasticsearch in your central office:
1- Stop the Filebeat service:
# systemctl stop filebeat
2- Create the new service file "/usr/lib/systemd/system/filebeat2.service" and add:
[Unit]
Description=filebeat2
Documentation=https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat2/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat2 -path.data /var/lib/filebeat2 -path.logs /var/log/filebeat/filebeat2
Restart=always
[Install]
WantedBy=multi-user.target
3- Create the folder /etc/filebeat2 and copy all the configuration files from /etc/filebeat:
cp -rp /etc/filebeat/* /etc/filebeat2/
4- Create the folder /usr/share/filebeat2 and copy all the files from /usr/share/filebeat:
cp -rp /usr/share/filebeat/* /usr/share/filebeat2/
5- Configure the IP of the remote Elasticsearch in /etc/filebeat2/filebeat.yml:
# vi /etc/filebeat2/filebeat.yml
...
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
- <remote_ES_IP>:9200
# - <elasticsearch_ip_node_2>:9200
# - <elasticsearch_ip_node_3>:9200
...
6- Configure the file this new filebeat will read:
# vi /usr/share/filebeat/module/wazuh/alerts/manifest.yml
module_version: 0.1
var:
  - name: paths
    default:
      - </path/to/>high_alerts_output.json
  - name: index_prefix
    default: wazuh-alerts-4.x-
input: config/alerts.yml
ingest_pipeline: ingest/pipeline.json
...
7- Remove all the certificates copied in /etc/filebeat2/certs and replace them with the remote manager's Filebeat certificates.
# scp -r <remote_wazuh_manager_ip>:/etc/filebeat/certs/* /etc/filebeat2/certs/
8- Reload and restart Filebeat:
# systemctl daemon-reload
# systemctl restart filebeat
# systemctl restart filebeat2
This must be done in each Wazuh manager of the branch offices.
I hope this helps.
Thanks
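The script the post recommends (read alerts.json, keep rule.level >= 10, write the matches to the file the second Filebeat reads), as an added example that is not code from the original post or from the Wazuh project. The alerts.json path is the Wazuh default; the output path, the offset state file and the MIN_LEVEL threshold are assumptions, and the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Extract Wazuh alerts with rule.level >= 10 from alerts.json (one JSON object per line); a state file records the byte offset reached, so each scheduled run handles only new lines."""
import json
import os

ALERTS_FILE = "/var/ossec/logs/alerts/alerts.json"              # Wazuh default
OUTPUT_FILE = "/var/ossec/logs/alerts/high_alerts_output.json"  # assumed path
STATE_FILE = "/var/ossec/logs/alerts/.high_alerts.offset"       # assumed path
MIN_LEVEL = 10

# Constructed sample lines for a stand-alone check (not real alerts).
SAMPLE_LINES = [
    '{"rule":{"level":3,"id":"5501","description":"Login session opened"}}',
    '{"rule":{"level":12,"id":"5712","description":"sshd: brute force attempt"}}',
    'not json at all',
    '{"rule":{"level":"10","id":"100002","description":"custom rule"}}',
]

def filter_high_alerts(lines, min_level=MIN_LEVEL):
    """Return the alerts (as dicts) with rule.level >= min_level; bad lines are skipped."""
    selected = []
    for line in lines:
        try:
            alert = json.loads(line)
            level = int(alert["rule"]["level"])
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or no numeric rule.level: ignore, do not abort
        if level >= min_level:
            selected.append(alert)
    return selected

def run(alerts_file=ALERTS_FILE, output_file=OUTPUT_FILE, state_file=STATE_FILE):
    """Process bytes appended since the last run and append matches to output_file."""
    with open(state_file, "a+") as f:       # created empty on the first run
        f.seek(0)
        offset = int(f.read() or 0)
    if os.path.getsize(alerts_file) < offset:  # file rotated or truncated: restart
        offset = 0
    with open(alerts_file, "rb") as src:
        src.seek(offset)
        data = src.read()
    # A partially written last line has no newline yet; leave it for the next run.
    complete, _, partial = data.rpartition(b"\n")
    selected = filter_high_alerts(complete.decode("utf-8", "replace").splitlines())
    with open(output_file, "a", encoding="utf-8") as dst:
        for alert in selected:
            dst.write(json.dumps(alert) + "\n")
    with open(state_file, "w") as f:
        f.write(str(offset + len(data) - len(partial)))
    return len(selected)
```

Call run() from a `__main__` guard and schedule the script from the command wodle; because only complete lines past the saved offset are consumed, repeated 30m runs never duplicate earlier alerts in the output file.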