How to integrate Wazuh with TheHive.


obaid.s...@gmail.com

Apr 20, 2022, 2:49:39 AM
to Wazuh mailing list
Hi, 

How do I integrate Wazuh with TheHive?


Wazuh version: 4.2

TheHive version: 4.1.15-1

Cortex version: 3.1.3-1


I have updated the ossec.conf file at /var/ossec/etc/ossec.conf with the following entries and restarted the Wazuh-Manager service.


  <integration>
      <name>custom-w2thive</name>
      <hook_url>http://192.168.18.110:9000</hook_url>
      <api_key>3j4RuuZnZKqUoyl84VJd2+i3cFDOPwyd</api_key>
      <alert_format>json</alert_format>
  </integration>

but Wazuh isn't sending any alert logs to TheHive.

Regards,

John Adewale Olatunde

Apr 20, 2022, 6:48:43 AM
to Wazuh mailing list

Hi, 

We have an article about integrating Wazuh with TheHive here.

However, if you've followed these steps and you still run into issues, kindly share your ossec.log and integrations.log files; these can be found in /var/ossec/logs.

Regards,

obaid.s...@gmail.com

Apr 21, 2022, 2:03:20 AM
to Wazuh mailing list
Hi John,

Thanks for getting back to me. integrations.log is empty, but the ossec.log file has the following entries.


2022/04/21 05:21:43 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 05:29:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/04/21 05:29:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/04/21 05:45:29 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 05:45:29 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 05:45:29 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 05:46:26 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 05:46:26 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 05:46:26 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 05:46:36 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 05:46:36 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 05:46:36 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 05:46:36 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 05:46:36 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 05:46:36 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 05:46:37 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 05:46:37 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 05:46:37 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:00:17 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:00:17 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:00:17 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:00:17 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:00:17 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:00:17 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:01:04 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:01:04 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:01:04 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:01:10 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:01:10 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:01:10 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:01:10 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:01:10 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:01:10 wazuh-integratord: ERROR: Exit status was: 1
2022/04/21 06:01:11 wazuh-integratord: ERROR: Unable to run integration for custom-w2thive -> integrations
2022/04/21 06:01:11 wazuh-integratord: ERROR: While running custom-w2thive -> integrations. Output: SyntaxError: invalid non-printable character U+00A0
2022/04/21 06:01:11 wazuh-integratord: ERROR: Exit status was: 1
root@siem:/var/ossec/logs#

John Adewale Olatunde

Apr 21, 2022, 4:31:01 AM
to Wazuh mailing list
Hi

You got this error because the spaces in the copied code are not the ones Python expects. I'd suggest you manually highlight the code with your mouse instead of using the copy feature included on the page. Please let me know if this works.

Best Regards.
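To see the problem John describes before the integration daemon does, here is an added example (not from this thread, not part of Wazuh) that scans a pasted script for U+00A0 and similar look-alike characters, reports their positions, and produces an ASCII-whitespace copy; the sample text it ships with is constructed.

```python
"""Find and normalize invisible Unicode characters in a pasted Python script.
Added example, not from this thread or Wazuh: code copied from a web page often
carries U+00A0 (NO-BREAK SPACE) as indentation, which CPython rejects."""
import sys
import unicodedata

# Look-alike whitespace and zero-width characters, mapped to ASCII equivalents.
REPLACEMENTS = {
    "\u00a0": " ",   # NO-BREAK SPACE   -> ordinary space
    "\u200b": "",    # ZERO WIDTH SPACE -> removed
    "\ufeff": "",    # BYTE ORDER MARK  -> removed
}


def _is_suspect(ch):
    """True for mapped characters and any other non-ASCII separator (Zs/Zl/Zp)."""
    return ch in REPLACEMENTS or (not ch.isascii() and unicodedata.category(ch).startswith("Z"))


def find_invisible_chars(text):
    """Return (line, column, description) for every suspect character in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if _is_suspect(ch):
                hits.append((lineno, col, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "?"))))
    return hits


def normalize(text):
    """Replace every suspect character with its ASCII equivalent (a space by default)."""
    return "".join(REPLACEMENTS.get(ch, " ") if _is_suspect(ch) else ch for ch in text)


def compiles(text):
    """True if CPython accepts the text as a module (SyntaxError otherwise)."""
    try:
        compile(text, "<pasted>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed sample: the indentation is three NO-BREAK SPACEs plus one space.
SAMPLE = "def main(args):\n\u00a0\u00a0\u00a0 send_alert(args)\n"

if __name__ == "__main__":   # usage: python find_nbsp.py /var/ossec/integrations/custom-w2thive.py
    text = open(sys.argv[1], encoding="utf-8").read()
    for lineno, col, what in find_invisible_chars(text):
        print("%s:%d:%d: %s" % (sys.argv[1], lineno, col, what))
```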

obaid.s...@gmail.com

Apr 21, 2022, 5:43:01 AM
to Wazuh mailing list
Hello again,

This time I can see some magic in the log files.

/var/ossec/logs/ossec.log 

2022/04/21 09:25:11 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2022/04/21 09:25:11 wazuh-modulesd:syscollector: INFO: Module finished.
2022/04/21 09:25:11 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses.
2022/04/21 09:25:12 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:12 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:13 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:14 wazuh-authd: INFO: Exiting...
2022/04/21 09:25:14 wazuh-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2022/04/21 09:25:25 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit.
2022/04/21 09:25:25 wazuh-dbd: INFO: Database not configured. Clean exit.
2022/04/21 09:25:25 wazuh-integratord: INFO: Started (pid: 60044).
2022/04/21 09:25:25 wazuh-integratord: INFO: Enabling integration for: 'custom-w2thive'.
2022/04/21 09:25:25 wazuh-agentlessd: INFO: Not configured. Exiting.
2022/04/21 09:25:25 wazuh-authd: INFO: Started (pid: 60065).
2022/04/21 09:25:25 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2022/04/21 09:25:25 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
2022/04/21 09:25:26 wazuh-db: INFO: Started (pid: 60082).
2022/04/21 09:25:27 wazuh-execd: INFO: Started (pid: 60107).
2022/04/21 09:25:28 wazuh-analysisd: INFO: Total rules enabled: '3882'
2022/04/21 09:25:28 wazuh-analysisd: INFO: Started (pid: 60121).
2022/04/21 09:25:28 wazuh-analysisd: INFO: (7200): Logtest started
2022/04/21 09:25:29 wazuh-syscheckd: INFO: Started (pid: 60183).
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key'
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6000): Starting daemon...
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2022/04/21 09:25:29 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started.
2022/04/21 09:25:29 rootcheck: INFO: Starting rootcheck scan.
2022/04/21 09:25:30 wazuh-remoted: INFO: Started (pid: 60200). Listening on port 1514/TCP (secure).
2022/04/21 09:25:30 wazuh-remoted: INFO: (1410): Reading authentication keys file.
2022/04/21 09:25:31 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2022/04/21 09:25:31 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2022/04/21 09:25:31 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2022/04/21 09:25:31 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2022/04/21 09:25:31 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'.
2022/04/21 09:25:31 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'.
2022/04/21 09:25:31 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2022/04/21 09:25:31 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'.
2022/04/21 09:25:31 wazuh-logcollector: INFO: Started (pid: 60231).
2022/04/21 09:25:32 wazuh-monitord: INFO: Started (pid: 60267).
2022/04/21 09:25:32 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/04/21 09:25:33 wazuh-modulesd: INFO: Started (pid: 60318).
2022/04/21 09:25:33 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2022/04/21 09:25:33 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2022/04/21 09:25:33 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2022/04/21 09:25:33 wazuh-modulesd:control: INFO: Starting control thread.
2022/04/21 09:25:33 sca: INFO: Module started.
2022/04/21 09:25:33 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/04/21 09:25:33 sca: INFO: Starting Security Configuration Assessment scan.
2022/04/21 09:25:33 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started.
2022/04/21 09:25:33 wazuh-modulesd:database: INFO: Module started.
2022/04/21 09:25:33 wazuh-modulesd:download: INFO: Module started.
2022/04/21 09:25:33 wazuh-modulesd:syscollector: INFO: Module started.
2022/04/21 09:25:33 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/04/21 09:25:33 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/04/21 09:25:33 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/04/21 09:25:53 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_debian10.yml'
2022/04/21 09:25:53 sca: INFO: Security Configuration Assessment scan finished. Duration: 20 seconds.
2022/04/21 09:26:15 rootcheck: INFO: Ending rootcheck scan.
root@siem:/var/ossec/logs#


These are the integrations.log errors.

root@siem:/var/ossec/logs# more integrations.log
2022-04-21 09:25:36,789 - __main__ - ERROR - EGOR
Traceback (most recent call last):
  File "/var/ossec/integrations/custom-w2thive.py", line 162, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/custom-w2thive.py", line 74, in main
    send_alert(alert, thive_api)
  File "/var/ossec/integrations/custom-w2thive.py", line 151, in send_alert
    logger.info('Create TheHive alert: '+ str(response.json()['id']))
KeyError: 'id'
2022-04-21 09:25:45,805 - __main__ - ERROR - EGOR
Traceback (most recent call last):
  File "/var/ossec/integrations/custom-w2thive.py", line 162, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/custom-w2thive.py", line 74, in main
    send_alert(alert, thive_api)
  File "/var/ossec/integrations/custom-w2thive.py", line 151, in send_alert
    logger.info('Create TheHive alert: '+ str(response.json()['id']))
KeyError: 'id'
2022-04-21 09:31:35,178 - __main__ - ERROR - EGOR
Traceback (most recent call last):
  File "/var/ossec/integrations/custom-w2thive.py", line 162, in <module>
    main(sys.argv)
  File "/var/ossec/integrations/custom-w2thive.py", line 74, in main
    send_alert(alert, thive_api)
  File "/var/ossec/integrations/custom-w2thive.py", line 151, in send_alert
    logger.info('Create TheHive alert: '+ str(response.json()['id']))
KeyError: 'id'
root@siem:/var/ossec/logs#
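The traceback above dies on response.json()['id'] because the script assumes every TheHive reply is a created alert, so the real cause (a rejected API key, a wrong hook_url, a proxy error page) never reaches integrations.log. Here is an added example, not the thread's custom-w2thive.py, of the same call written to surface TheHive's actual status and message; the /api/alert endpoint and Bearer header follow the TheHive 4 API as I know it (verify against your version), the HTTP call is injected so it runs offline, and the fake responses and sample alert are constructed.

```python
"""Create a TheHive alert and report TheHive's real answer instead of a KeyError.

Added example, not the thread's custom-w2thive.py. The traceback above fails at
response.json()['id'] because the script assumes every reply is a created alert.
The /api/alert endpoint and the Bearer header follow the TheHive 4 API as I know
it (verify against your version); the HTTP call is injected so this runs offline.
"""
import json
import logging

logger = logging.getLogger("w2thive")


class AlertCreationError(Exception):
    """TheHive did not return a created alert; message carries status and body."""


def create_alert(alert_payload, hook_url, api_key, post):
    """POST alert_payload to TheHive and return the new alert id.

    post(url, headers, body_bytes) -> (status_code, body_text). In a real
    integration, api_key and hook_url are sys.argv[2] and sys.argv[3] as passed
    by wazuh-integratord from the <integration> block.
    """
    headers = {"Authorization": "Bearer " + api_key, "Content-Type": "application/json"}
    status, body = post(hook_url.rstrip("/") + "/api/alert", headers, json.dumps(alert_payload).encode())
    try:
        data = json.loads(body) if body else {}
    except ValueError:                       # HTML error page, proxy answer, etc.
        data = {"raw": body[:200]}
    if status in (200, 201) and isinstance(data, dict) and "id" in data:
        logger.info("Created TheHive alert %s", data["id"])
        return data["id"]
    # Keep the server's own message; a bad API key or wrong hook_url shows up here.
    raise AlertCreationError("TheHive answered HTTP %s: %s" % (status, json.dumps(data)[:300]))


# Constructed stand-ins for the HTTP layer (no server involved).
def fake_post_created(url, headers, body):
    assert headers["Authorization"].startswith("Bearer ")
    return 201, json.dumps({"id": "~40964176", "_type": "alert", "status": "New"})


def fake_post_unauthorized(url, headers, body):
    return 401, json.dumps({"type": "AuthenticationError", "message": "Authentication failure"})


# Constructed Wazuh-style alert payload.
ALERT = {"title": "Wazuh: rule 5710", "type": "wazuh_alert", "source": "wazuh",
         "sourceRef": "1650532511.12345", "severity": 2, "description": "sshd: login attempt with a non-existent user"}
```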

obaid.s...@gmail.com

Apr 26, 2022, 3:53:56 AM
to Wazuh mailing list
The issue is fixed after reinstallation and reconfiguration.

John Adewale Olatunde

May 2, 2022, 2:46:32 AM
to Wazuh mailing list
Thanks for the feedback!!! 