Suricata eve.json
465 views
Skip to first unread message
Jorge Adalberto Salcedo Torres
Aug 1, 2018, 5:23:59 PM8/1/18
to Wazuh mailing list
Hi,
Can someone help me?
I have Suricata installed in the server where I have wazuh-agent, but I don't know what should I do to receive the json logs in order to be displayed in my Kibana.
tail -f /var/log/suricata/eve.json ---- working well, I mean the logs are there
The agent configuration is
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
Do I need to do something else in the manager side?
Regards,
Jose Luis Ruiz
Aug 1, 2018, 6:17:14 PM8/1/18
to Jorge Adalberto Salcedo Torres, Wazuh mailing list
Hi Jorge,
You need to create a rule to trigger the alerts from this json.
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
label key="@source">suricata</label>
</localfile>
Then you need to add a rule like this for example in your /var/ossec/etc/rules/local_rules.xml:
<group name="curator">
<rule id="100004" level="3">
<decoded_as>json</decoded_as>
<field name="@source">suricata</field>
<description>Curator logs</description>
</rule>
</group>
Hi Jorge,
You need to create a rule to trigger the alerts from this json.
--
Jose Luis Ruiz
Jose Luis Ruiz
@jlruizmlg
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7449833c-84af-42d3-a05c-ea4176891450%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Miguelangel Jose Freitas Loreto
Aug 1, 2018, 9:06:01 PM8/1/18
to jlru...@gmail.com, jast...@gmail.com, wa...@googlegroups.com
Hi,
In addition to what Jose said, please take into consideration the OwlH project. OwlH has an integration between Suricata and Wazuh, for more info please take a look at the following links:
I hope this helps.
Best Regards,
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/etPan.5b623163.6fedef2a.4a5%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
Miguelangel Freitas
Louis Bernardo
Aug 2, 2018, 3:37:05 AM8/2/18
to Wazuh mailing list
@Jorge, I can confirm that the owlh integration works as I am using it myself.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7449833c-84af-42d3-a05c-ea4176891450%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/etPan.5b623163.6fedef2a.4a5%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
--Miguelangel Freitas
Reply all
Reply to author
Forward
0 new messages