Forwarding specific events


Tom Powers

2022-08-03 15:19:43, to Wazuh mailing list
Hello,

If I have a series of Wazuh servers at my branch offices, and the teams using them are responsible for their own office, everything is fine and has been working great. What I would like to do now is to set up a Wazuh server at the main office here, and forward events from the remote offices that are alert level 12 and higher to the main office.

Ideally all the regular information stays at the branch office servers, but only the higher alerts come to main office for review.

We monitor Windows machines, so all events are Windows eventchannel.

How would one begin to look at forwarding the events and what mechanism would we use to receive the events on the Main office side?

All insight is appreciated

Tom P

Damian Nicastro

2022-08-03 16:53:57, to Wazuh mailing list
Hello thomas.powers7558:

I hope you are fine.
I am testing an alternative to do this. Are the Wazuh managers in the branch offices independent of each other? Which Wazuh manager versions do you have?
# /var/ossec/bin/wazuh-control info
# cat /var/ossec/etc/ossec-init.conf

Thanks 

Tom Powers

2022-08-03 17:18:43, to Wazuh mailing list
Everything is 4.3... freshly built in the last couple of months

Tom Powers

2022-08-03 17:19:41, to Wazuh mailing list
And yes... right now they are all independent stand-alone units, with the agents from their location feeding the local Wazuh server

On Wednesday, August 3, 2022 at 3:53:57 PM UTC-5 damian....@wazuh.com wrote:

Tom Powers

2022-08-03 17:22:51, to Wazuh mailing list
Specifically:

WAZUH_VERSION="v4.3.0"
WAZUH_REVISION="40310"
WAZUH_TYPE="server"

And /var/ossec/etc/ossec-init.conf doesn't exist; ossec.conf does, though


On Wednesday, August 3, 2022 at 3:53:57 PM UTC-5 damian....@wazuh.com wrote:

Damian Nicastro

2022-08-04 12:56:32, to Wazuh mailing list

Hi @thomas.powers7558

I hope you are fine.
As you mentioned, the file /var/ossec/etc/ossec-init.conf does not exist as of version 4.2.0.
Let me investigate your request and I will be back to you as soon as possible.
Thanks

Damian Nicastro

2022-08-08 14:43:47, to Wazuh mailing list
Hi @thomas.powers7558
I hope you are fine.
I have been testing with several methods and I was not able to achieve what you need with the tools that exist in the Wazuh suite.
I recommend creating a script that reads the /var/ossec/logs/alerts/alerts.json file on each of the servers, extracts only the alerts with rule.level>=10 and writes the result to a file:
You can take the scripts used in this documentation as reference:

Once you have your script ready, you can schedule it to run at a set interval by adding a "wodle" section like this to each Wazuh manager:
# vi /var/ossec/etc/ossec.conf
...
<wodle name="command">
  <tag>groups-inventory</tag>
  <disabled>no</disabled>
  <command></path/to/script/>high_alerts.py  <arguments></command>
  <interval>30m</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>


And restart your Wazuh-managers:
# systemctl restart wazuh-manager

Once you have this in place, you can create a second "filebeat" service in each of your Wazuh managers to read and insert alerts from the output file of your script to the remote Elasticsearch in your central office:
1- Stop the Filebeat service:
# systemctl stop filebeat

2- Create the new service file "/usr/lib/systemd/system/filebeat2.service" and add:
[Unit]
Description=filebeat2
Documentation=https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat2/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat2 -path.data /var/lib/filebeat2 -path.logs /var/log/filebeat/filebeat2
Restart=always
[Install]
WantedBy=multi-user.target

3- Create the folder /etc/filebeat2 and copy all the configuration files from /etc/filebeat:
cp -rp /etc/filebeat/* /etc/filebeat2/

4- Create the folder /usr/share/filebeat2 and copy all the files from /usr/share/filebeat:
cp -rp /usr/share/filebeat/* /usr/share/filebeat2/

5- Configure the IP of the remote Elasticsearch in /etc/filebeat2/filebeat.yml:
# vi /etc/filebeat2/filebeat.yml
...
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - <remote_ES_IP>:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200
...

6- Configure the file this new filebeat will read:
# vi /usr/share/filebeat/module/wazuh/alerts/manifest.yml
module_version: 0.1

var:
  - name: paths
    default:
      - </path/to/>high_alerts_output.json
  - name: index_prefix
    default: wazuh-alerts-4.x-

input: config/alerts.yml

ingest_pipeline: ingest/pipeline.json
...

7- Remove all the certificates copied in /etc/filebeat2/certs and replace them with the remote manager Filebeat certificates.
# scp -r <user>@<remote_wazuh_manager_ip>:/etc/filebeat/certs/* /etc/filebeat2/certs/

8- Reload and restart Filebeat:
# systemctl daemon-reload
# systemctl restart filebeat
# systemctl restart filebeat2


This must be done in each Wazuh manager of the branch offices.
I hope this helps.
Thanks
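As an added illustration of the filtering script this answer describes (not code from the thread, from Wazuh, or from the poster), here is one way to write high_alerts.py in Python: it reads alerts.json, keeps alerts whose rule.level is at or above a threshold, appends them to an output file for the second Filebeat to pick up, and remembers the byte offset it reached so the periodic wodle run does not forward the same alert twice. The file paths, the state file and the default threshold of 12 are assumptions.

```python
import json
import os

# Added example, not code from the thread. Assumes the Wazuh alerts.json
# format: newline-delimited JSON with an integer "rule"."level" per alert.

def filter_high_alerts(lines, min_level=12):
    """Return alerts whose rule.level >= min_level; skip blank or malformed
    lines and alerts without rule.level (alerts.json may be mid-write)."""
    kept = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        rule = alert.get("rule") if isinstance(alert, dict) else None
        level = rule.get("level") if isinstance(rule, dict) else None
        if isinstance(level, int) and level >= min_level:
            kept.append(alert)
    return kept


def forward_new_alerts(src, dst, state_path, min_level=12):
    """Append new high-level alerts from src to dst; return how many.
    The byte offset reached is saved in state_path so the wodle's periodic
    runs never re-forward an alert; if src shrank (rotation), restart at 0."""
    offset = 0
    if os.path.exists(state_path):
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    if os.path.getsize(src) < offset:
        offset = 0
    with open(src, "rb") as f:
        f.seek(offset)
        data = f.read()
    # Consume only complete lines; a partial trailing line is re-read next run.
    cut = data.rfind(b"\n") + 1
    text = data[:cut].decode("utf-8", "replace")
    alerts = filter_high_alerts(text.splitlines(), min_level)
    with open(dst, "a") as out:
        for alert in alerts:
            out.write(json.dumps(alert) + "\n")
    with open(state_path, "w") as f:
        f.write(str(offset + cut))
    return len(alerts)
```

In the wodle from the answer, the command would be something like `high_alerts.py /var/ossec/logs/alerts/alerts.json /path/to/high_alerts_output.json /path/to/high_alerts.state`, with a small argument-parsing wrapper calling forward_new_alerts.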