Log consolidation via Wazuh


Alexander Hartner
Jul 25, 2023, 11:12:18 PM
to Wazuh mailing list
Hi all, I just need some guidance regarding rsyslog consolidation. We followed the steps outlined at https://www.reddit.com/r/Wazuh/comments/o7jwq9/forwading_syslogs_to_wazuh/ to direct rsyslog messages into Wazuh, in the hope of being able to view the consolidated log messages from all our systems.

I kind of expected a separate index to be used for this. However, so far I have not found any of our log messages (generated using: logger TroubleshootingTest) in any of the indices. Maybe this is not what Wazuh offers.

I guess my question is whether Wazuh can be used to consolidate logs from multiple systems in addition, and where I can view these messages.

Any pointers are truly appreciated.

Kind regards
Alex

Stuti Gupta
Jul 26, 2023, 4:39:55 AM
to Wazuh mailing list
Hi Alexander,
Hope you are doing well today, and thank you for using Wazuh.

Yes, Wazuh can be used to consolidate logs from multiple systems. For this you can modify the destination index by tweaking the Filebeat pipeline. Below is an example of creating a separate index pattern for syslog; you can follow the same steps for rsyslog. Before following the steps, make sure rsyslog alerts appear in /var/ossec/logs/alerts/alerts.log.

Step 1: add the following two date_index_name processors to the "processors" array in pipeline.json (they replace the existing date_index_name processor; the conditions are null-safe so an alert without rule.groups does not make the pipeline throw):
vim /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
    {
      "date_index_name": {
        "if": "ctx.rule?.groups != null && ctx.rule.groups.contains('syslog')",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "syslog-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups == null || !ctx.rule.groups.contains('syslog')",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
Step 2: After this, add the index pattern "syslog-*" in /etc/filebeat/wazuh-template.json (the trailing wildcard is required, otherwise the daily syslog-yyyy.MM.dd indices never match the template):
{
  "order": 0,
  "index_patterns": [
    "wazuh-alerts-4.x-*",
    "wazuh-archives-4.x-*",
    "syslog-*"
  ]

Basically, this will instruct Filebeat to look at the "rule.groups" field and, if it finds the word "syslog" within it, index the data to an index named "syslog-".

Step 3: After modifying your Filebeat pipeline you will want to apply the changes:
filebeat setup --pipelines --modules wazuh

Step 4: Restart the Wazuh components using these commands:
systemctl restart filebeat
systemctl restart wazuh-manager
systemctl restart wazuh-indexer

Step 5: Create an index pattern like below:
  • In the dashboard, open the left bar and navigate to Stack management.

  • Inside that section, select Index patterns and click on Create index pattern.

  • For the Index pattern name, use wazuh-archives*, click on Next step, and for the timestamp field choose timestamp (make sure to choose timestamp and not @timestamp).
  • Click on Create Index Pattern.
Step 6: Check the logs in the syslog-* index in Discover:
After that, the configuration is complete. You can see the data by navigating to the Discover section in the left panel and selecting the recently created index pattern.


To know more about rsyslog configuration you can refer to https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

Hope this will be helpful. Please feel free to contact us for any information/issues.

Best Regards,
Stuti Gupta
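As an added example (my code, not from the thread or from the Wazuh project), the following Python replays the two date_index_name conditions from Step 1 offline, over a few constructed alerts.json lines, and reports which daily index each alert would be routed to. It assumes that {{fields.index_prefix}} expands to wazuh-alerts-4.x- as in the stock Filebeat module configuration (adjust DEFAULT_PREFIX if your filebeat.yml differs); the sample lines follow the alerts.json field layout but are made up. Two things it makes visible that the steps above only imply: the template's index_patterns entry must carry a trailing wildcard (syslog-*) or the daily index syslog-2023.07.25 never matches it, and an alert without rule.groups must not make the condition throw. Two practical caveats when testing: the dashboard index pattern that shows these documents is syslog-* (the prefix used in the pipeline and in Step 6), and the manager only writes events that matched a rule at or above log_alert_level to alerts.json, so a plain "logger TroubleshootingTest" that triggers no rule produces nothing to index; to see every forwarded line regardless of rules, enable <logall_json>yes</logall_json> in ossec.conf and the archives input of the Filebeat wazuh module, which lands in wazuh-archives-*.

```python
"""Offline model of the conditional date_index_name routing (added example).

Replays the Painless conditions from the Filebeat pipeline over constructed
alerts.json lines and reports the daily index each alert would land in.
"""
import fnmatch
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed: what {{fields.index_prefix}} expands to in the stock Wazuh Filebeat
# module config. Change it if your filebeat.yml uses a different prefix.
DEFAULT_PREFIX = "wazuh-alerts-4.x-"
SYSLOG_PREFIX = "syslog-"

# Constructed sample lines in the shape of /var/ossec/logs/alerts/alerts.json
# (subset of fields only; not captured from a real manager).
SAMPLE_ALERTS = [
    '{"timestamp":"2023-07-25T23:10:05.123+0000","rule":{"level":3,"id":"1002",'
    '"groups":["syslog","errors"]},"agent":{"name":"web01"},'
    '"full_log":"Jul 25 23:10:05 web01 root: error: TroubleshootingTest"}',
    '{"timestamp":"2023-07-26T00:02:11.000+0000","rule":{"level":5,"id":"5710",'
    '"groups":["syslog","sshd","authentication_failed"]},"agent":{"name":"db01"},'
    '"full_log":"Jul 26 00:02:11 db01 sshd[911]: Invalid user admin from 10.0.0.9"}',
    '{"timestamp":"2023-07-26T01:00:00.000+0000","rule":{"level":7,"id":"550",'
    '"groups":["ossec","syscheck"]},"agent":{"name":"web01"},'
    '"full_log":"Integrity checksum changed."}',
    # Edge case: no rule.groups at all. An unguarded
    # ctx.rule.groups.contains('syslog') would throw inside the pipeline and
    # the indexer would reject the document; the null-safe form routes it
    # to the default index instead.
    '{"timestamp":"2023-07-26T01:05:00.000+0000","rule":{"level":3,"id":"100001"},'
    '"agent":{"name":"web01"},"full_log":"custom alert without groups"}',
]


def is_syslog_alert(alert: dict) -> bool:
    """Python equivalent of the Painless condition
    ctx.rule?.groups != null && ctx.rule.groups.contains('syslog')."""
    groups = (alert.get("rule") or {}).get("groups")
    return groups is not None and "syslog" in groups


def target_index(alert: dict) -> str:
    """Mirror date_index_name with date_rounding 'd', format yyyy.MM.dd, UTC."""
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    day = ts.astimezone(timezone.utc).strftime("%Y.%m.%d")
    prefix = SYSLOG_PREFIX if is_syslog_alert(alert) else DEFAULT_PREFIX
    return prefix + day


def index_for_line(line: str) -> str:
    """Parse one alerts.json line and return the index it would be written to."""
    return target_index(json.loads(line))


def template_covers(index_name: str, index_patterns: list) -> bool:
    """True if any template index_patterns entry matches the index name.
    Index templates only treat '*' as a wildcard, which fnmatch honours."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in index_patterns)


def route_alerts(lines) -> Counter:
    """Count how many of the given alerts.json lines go to each daily index."""
    return Counter(index_for_line(line) for line in lines)


if __name__ == "__main__":
    for index, n in sorted(route_alerts(SAMPLE_ALERTS).items()):
        print(f"{index}: {n} alert(s)")
    # Shows why the template needs "syslog-*" rather than "syslog-".
    for patterns in (["syslog-"], ["syslog-*"]):
        print(patterns, "covers syslog-2023.07.25:",
              template_covers("syslog-2023.07.25", patterns))
```

Running the script lists one syslog-2023.07.25 index, one syslog-2023.07.26 index and two alerts routed to wazuh-alerts-4.x-2023.07.26, and prints that only the wildcard pattern covers the daily syslog index. The same routing can be checked against a live indexer after Step 4 with a query for the index list, e.g. GET _cat/indices/syslog-*.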

Stuti Gupta
Aug 4, 2023, 1:01:15 AM
to Wazuh mailing list
Hi Alexander,
Hope you are well today!

I just wanted to follow up on this thread. Did my answer help you to solve the issue?
If you have any further questions or require additional assistance related to this thread, please don't hesitate to contact us.

Alexander H.
Aug 10, 2023, 4:09:04 AM
to Wazuh mailing list
Hi Stuti,

Thanks for getting back to me. We are looking at deploying Wazuh using the Docker image, so I am working on implementing your suggestions in a Docker environment. We are also looking at enabling LDAP authentication. If you have any pointers on enabling this in the context of a docker-compose file, please let me know.

Kind regards
Alex

Stuti Gupta
Aug 25, 2023, 4:41:06 AM
to Wazuh | Mailing List
Hi Alexander H.,
Hope you are doing well.

You can install Wazuh using the Docker images we have created, such as wazuh/wazuh-manager, wazuh/wazuh-indexer and wazuh/wazuh-dashboard. You can find all the Wazuh Docker images on Docker Hub. To know more, please refer to https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
This is another issue, so to assist you further on it, please open another thread at https://wazuh.com/community/

Regards,