Winbeat, Wazuh and Sysmon logging


A B

Feb 25, 2021, 3:11:51 AM
to Wazuh mailing list
Hello Wazuh Community,

Just wanted to confirm: if I have the Wazuh agent installed, do I still need separate Winbeat & Sysmon clients installed on the machine?

Sorry for the nooby question, but I have seen companies using all three separately and sending these logs separately; however, I know that we can collect the Sysmon (agent installation would still be required) & Winevent logs via Wazuh.

So, can there be any specific reason for an enterprise to decide to run all of them?

Regards
Ash

Alberto Rodriguez

Feb 25, 2021, 4:38:40 AM
to Wazuh mailing list
Hello

With the Wazuh agent, you will not need Winbeat. Winbeat is a "forwarder": it collects logs from different sources, and the Wazuh agent has this capability and much more, like File Integrity Monitoring, Security Configuration Assessment... Please take a look at https://documentation.wazuh.com/current/getting-started/components/wazuh_agent.html

If you want to forward the Windows events you can see in the Windows Event Viewer, the Wazuh agent is enough. If you want to centralize your Sysmon logs with your custom Sysmon configuration, you will need to install Sysmon separately. You can check this blog post: https://wazuh.com/blog/how-to-collect-windows-events-with-wazuh/ which is the updated version of one I wrote some time ago (https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/).

So, the Windows event collection (OS default) may not be flexible enough; defining Sysmon rules may help you with visibility into some events, so I understand Sysmon as a good complement to the Wazuh agent in some cases. Using Winlogbeat with a Wazuh agent doesn't make sense to me because the Wazuh agent covers all the Winlogbeat capabilities and offers a lot more.

Please let me know if you have any doubts.
Regards,
Alberto R
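A worked example of the agent-side setup Alberto describes, added here and not part of the original thread or the Wazuh project's own files: a fragment of the Wazuh agent's `ossec.conf` on a Windows host that collects the built-in Security and System channels (the events visible in Event Viewer, so no Winlogbeat forwarder is needed) and, separately, the Sysmon channel, which only exists once Sysmon has been installed with its own rule configuration. The file path and the two event IDs excluded by the XPath filter are illustrative assumptions.

```xml
<!-- Added example: fragment of the Wazuh agent's ossec.conf on a Windows host
     (assumed path: C:\Program Files (x86)\ossec-agent\ossec.conf). -->
<ossec_config>
  <!-- Built-in Windows channels: the events you see in Event Viewer.
       The agent subscribes to them directly, which is what Winlogbeat
       would otherwise do. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- Optional XPath query evaluated by the agent before forwarding.
         5145 and 5156 are dropped here only as an illustrative noise filter;
         tune the list to your own environment. -->
    <query>Event/System[EventID != 5145 and EventID != 5156]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Sysmon channel: exists only after Sysmon is installed separately with
       its own configuration, e.g. "Sysmon64.exe -accepteula -i sysmonconfig.xml".
       Sysmon does the enrichment (process creation, network connections, ...);
       the agent simply reads the resulting channel like any other. -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

Restart the Wazuh agent service after saving so the new `<localfile>` blocks are picked up; a channel the agent cannot subscribe to (for example the Sysmon channel on a host where Sysmon is not installed) shows up as an error in the agent's ossec.log rather than failing silently.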