Cylance logs parsed in wazuh


Aravind Krishnan

Sep 17, 2019, 2:56:54 AM
to Wazuh mailing list
Hello

I have a requirement to parse Cylance audit logs in Wazuh and have them shown in Elasticsearch.
After going through some blogs, I understood, we need to forward the Audit logs to Wazuh using Syslog.
What are the configurations needed in Wazuh for processing the Cylance logs?

--
Regards,

Aravind Krishnan

Blason R

Sep 17, 2019, 2:58:12 AM
to Aravind Krishnan, Wazuh mailing list
I believe you need to write the decoder if those are not in JSON format. Recent versions have started supporting JSON format.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/CACW3duC7bFnj%2BwOX-Pu2qViVpLjFpXKkCrWG3GCoQehHrYAfLg%40mail.gmail.com.

Juan Pablo Saez

Sep 17, 2019, 6:31:10 AM
to Wazuh mailing list
Hi Aravind,

After going through some blogs, I understood, we need to forward the Audit logs to Wazuh using Syslog.

That's right, firstly, you should configure Cylance to forward Syslog events to Wazuh.

Then, you should configure the Wazuh manager to receive Syslog messages. The following block must be included in the local configuration (/var/ossec/etc/ossec.conf):
  <remote>
    <!-- Listen for syslog events sent by the Cylance console -->
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- 0.0.0.0/0 accepts syslog from any source address; narrow it to the Cylance sender's address where possible -->
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>


Once the Cylance events are shipping correctly to the Wazuh manager, they have to be decoded and checked against our ruleset. While our ruleset has decoders and rules for non-JSON Cylance events, it is much simpler if the event's format is JSON, as Blason stated.


Please let me know if it helps. You can count on us to help you configure the log reception and the possible ruleset issues.

Greetings, Juan Pablo Sáez

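The reply above says the syslog events are pre-decoded and then matched against the ruleset, and that a JSON body is easier to handle than free text. The script below is an added example, not code from the thread or from Wazuh; it approximates that first stage in plain Python so you can see what the manager has to work with: it builds RFC 3164 syslog lines carrying either a JSON or a plain-text body, splits off the header fields (timestamp, hostname, program name) the way a syslog pre-decoder does, attempts JSON on the remainder, and can push a line through a loopback UDP socket to check the transport. The hostname `cylance-console`, the program tag `cylance`, and every field name in `SAMPLE_EVENT` are constructed placeholders, not the real Cylance log format.

```python
import json
import re
import socket
from datetime import datetime

# Constructed sample audit event. This is NOT a real Cylance log line; the
# field names are placeholders chosen for the demonstration.
SAMPLE_EVENT = {
    "event_type": "AuditLog",
    "event_name": "LoginSuccess",
    "user": "analyst@example.com",
    "source_ip": "192.0.2.10",
}

# RFC 3164 header layout: <PRI>Mmm dd HH:MM:SS hostname program: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^:\s]+): "
    r"(?P<message>.*)$",
    re.DOTALL,
)


def build_syslog_line(hostname, program, body, facility=1, severity=6, when=None):
    """Wrap a message body (plain text or a JSON string) in an RFC 3164 header."""
    when = when or datetime(2019, 9, 17, 2, 56, 54)  # fixed so output is reproducible
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {program}: {body}"


def predecode(line):
    """Split the syslog header into fields, then try to parse the body as JSON.

    Mirrors (approximately) the pre-decoding step: timestamp, hostname and
    program_name come from the header; a body starting with '{' is handed to
    the JSON parser, anything else is left for text decoders.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)
    body = m["message"].strip()
    decoded = None
    if body.startswith("{"):
        try:
            decoded = json.loads(body)
        except json.JSONDecodeError:
            decoded = None  # looks like JSON but is malformed: falls back to text
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "program_name": m["program"],
        "message": body,
        "json": decoded,
    }


def sample_lines():
    """Two constructed lines for the same event: JSON body and plain-text body."""
    json_line = build_syslog_line(
        "cylance-console", "cylance", json.dumps(SAMPLE_EVENT, sort_keys=True))
    text_line = build_syslog_line(
        "cylance-console", "cylance",
        "Event Type: AuditLog, Event Name: LoginSuccess, User: analyst@example.com")
    return json_line, text_line


def udp_roundtrip(line, port=0):
    """Bind a throwaway UDP listener on loopback, send the line to it, return what arrived.

    Point the sender at the manager's 514/udp instead to exercise the real path.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2.0)
        tx.sendto(line.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    for line in sample_lines():
        fields = predecode(udp_roundtrip(line))
        kind = "json" if fields["json"] is not None else "text"
        print(fields["hostname"], fields["program_name"], kind, fields["message"][:48])
```

The JSON line comes back with every field already structured, so rules can match on keys directly; the text line only yields the header fields plus an opaque message string, which is exactly the case where a custom decoder has to be written.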

Aravind Krishnan

Sep 27, 2019, 2:46:23 AM
to Juan Pablo Saez, Wazuh mailing list
Thank you :) 
We are following this to implement in our environment.

Regards,
Aravind


Juan Pablo Saez

Sep 27, 2019, 3:25:28 AM
to Wazuh mailing list
Hi Aravind,

Happy to help. Let us know if you need some guidance.

Greetings, JP Sáez