FW: Data not reflected on Kibana App- Security Events, Integrity Monitoring , Policy Monitoring and Wazuh alerts.

[Prachi Katakwar]

Please can someone help on the below.

 

From: Prachi Katakwar
Sent: den 23 april 2020 17:40
To: wazuh+s...@googlegroups.com
Cc: Per-Erik Granbom <per-erik...@ericsson.com>; Göran Fredriksson <goran.fr...@ericsson.com>
Subject: Data not reflected on Kibana App- Security Events, Integrity Monitoring , Policy Monitoring and Wazuh alerts.

 

Hi Team,

 

Just 2 weeks back , I have installed wazuh infrastructure 3.12.2 version on a single server( CentOS 8 server) and installed agents in 2 windows machine( both are windows 2016 server).The communication between agent and Wazuh is ok:

Versions of components :

• wazuh - 3.12.2
• es_version - 7.6.2
• logstash version - 7.6.2
• Kibana - 7.6.2

 

It seems to be like a half cooked environment, on some tabs data is displayed while on some can’t see anything.

I am not sure if I need to put some filters for the data to be displayed or something is missing!!

Cant see any error logs on elasticsearch, logstash or kibana.

 

Also , I could see alerts present in alert.json file, but when I enter to discover --> wazuh-alerts-3.x-*, I can’t see anything.

 

Although on clicking at wazuh Monitoring , could see a graph:

But no alerts for the agents are visible on dashboard for Security Events, Integrity Monitoring

Integrity Monitoring

Please could  you help, have been struggling from last 3 days for the data.

 

Regards,

Prachi Katakwar

 

[Jesus Linares]

Hi,

Please, perform the following checks:

1. You have alerts for the current day in /var/ossec/logs/alerts/alerts.json.
2. There are no errors in Filebeat / Logstash logs.
3. There are no errors in Elasticsearch logs.
4. There are indices for today alerts: GET /_cat/indices (https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-indices.html)
5. Review the kibana date in kibana settings. Sometimes is configured in a different time zone.

Let us know the result.

Thanks.

[Prachi Katakwar]

Hi Jesus,

 

Thank you so much for responding, I am honestly new to linux machines.

 

Attached the logs

Also for point 4-

 

Please help!!Not sure what is wrong.

Also I haven’t installed filebeat.

 

Regards,
Prachi Katakwar

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

[Jesus Linares]

Hi, 

It looks like an issue in your Logstash / Elastic configuration.

Share the output of:

• curl 'localhost:9200/_cat/indices?v&s=index'
• curl 'localhost:9200/_cat/templates?v'

Could you share the version of your Logstash and Elasticseach? Also, what is the content of /etc/logstash/conf.d/01-wazuh.conf?

I understand that you have everything (Wazuh, Logstash, Elastic) in the same server right?

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Prachi Katakwar]

Hi Jesus,

 

Sorry for the late reply, please find the below outputs requested:

 

• curl 'localhost:9200/_cat/indices?v&s=index'

 

 

• curl 'localhost:9200/_cat/templates?v'

 

 

Version of Logstatsh : 7.6.2

Elasticsearch version: 7.6

content of /etc/logstash/conf.d/01-wazuh.conf :

 

 

I understand that you have everything (Wazuh, Logstash, Elastic) in the same server right?

yes Wazuh ,Logstash , Elastic and kibana all in same server.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5bb8acf-9e70-4967-ae56-520dc4b08dd4%40googlegroups.com.

[Prachi Katakwar]

Hi Jesus,

 

I have also attached the ouputs of commands as I thought they are not so much visible in below email.

 

Please guide me.

 

Regards,

Prachi Katakwar

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/DB8PR07MB64734A756F850D81DE05843796AE0%40DB8PR07MB6473.eurprd07.prod.outlook.com.

[Jesus Linares]

Hi,

Elasticsearch has the Wazuh template, but it doesn't have any index called "wazuh-alerts-*". Also, there is an index called "logstash-*". So, it seems Logstash is not doing its work properly.

Taking a look at the Logstash configuration file (/etc/logstash/conf.d/01-wazuh.conf):

• The input is the port 5000. That is wrong since you have everything locally. You must use the file input.
• The output has the index commented.

You should use this configuration:

input {
   file {
       type => "wazuh-alerts"
       path => "/var/ossec/logs/alerts/alerts.json"
       codec => "json"
   }
}

    filter {

        date {

            match => ["timestamp", "ISO8601"]

            target => "@timestamp"

        }

        mutate {

            remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host" ]

        }

    }

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
    }
}

Apply this change and restart Logstash.

By default, we don't use Logstash, just Filebeat. You can consider installing the OVA and review how is everything configured: https://documentation.wazuh.com/3.12/installation-guide/virtual-machine.html.

Regards.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5bb8acf-9e70-4967-ae56-520dc4b08dd4%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Prachi Katakwar]

Hi Jesus,

 

Thank you , yes its working now.

 

I have few more questions, just did the email configuration, and I am able to see the email from Wazuh on my email box.

 

Now I have set the log alert level 5, my environment is not in production ..its a small one with 30- 40 servers maximum.

Just need the basic functionalities like :

 

If some user downloading the application , need an email alert

Or if someone from any geography trying to login the server, need an email alert.

How to set them?

 

And if I keep everything default, by just setting the alert level 5, no changes nothing, will I get any email notifications?

 

Best Regards,

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5bb8acf-9e70-4967-ae56-520dc4b08dd4%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/DB8PR07MB64734A756F850D81DE05843796AE0%40DB8PR07MB6473.eurprd07.prod.outlook.com.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b8d7f2b6-b2b7-41e5-ab44-37b9064e614f%40googlegroups.com.

[Jesus Linares]

Hi,

I'm glad that it is working. You should review the installation documentation and/or the official MV to be sure that your configuration is the standard one.

Please, open a new thread to discuss your question regarding email and levels. It keeps this group more useful for the community.

Thanks.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5bb8acf-9e70-4967-ae56-520dc4b08dd4%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/DB8PR07MB64734A756F850D81DE05843796AE0%40DB8PR07MB6473.eurprd07.prod.outlook.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Prachi Katakwar]

Thank you Jesus so much..surely will do so..

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c927f09d-70cd-4b06-ab5d-7f7ead10af03%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e5bb8acf-9e70-4967-ae56-520dc4b08dd4%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/DB8PR07MB64734A756F850D81DE05843796AE0%40DB8PR07MB6473.eurprd07.prod.outlook.com.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b8d7f2b6-b2b7-41e5-ab44-37b9064e614f%40googlegroups.com.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/660df8ec-6bd6-4fc3-a320-eb1d8b05c49a%40googlegroups.com.