Wazuh cloud services


Idan Abramovich

Sep 18, 2022, 10:25:03 AM
to Wazuh mailing list
Hello,

I'm trying to connect our GCP environment. It says that I need to access ossec.conf.

How can I access it when Wazuh is deployed as SaaS?

In the documentation it's mentioned only the local conf file.

Thank you 

Pablo Ariel Gonzalez

Sep 18, 2022, 10:49:43 AM
to Wazuh mailing list
Hi Idan, if you are using the Wazuh cloud service, you can ask support to help you make this configuration.

You can do this from the Wazuh cloud console itself. 


In any case, if you confirm directly to my email which email is registered in Wazuh Cloud, I can request that support contact you.


If you have any other questions or queries, do not hesitate to contact us.


Thanks,

Alexander Bohorquez

Sep 18, 2022, 12:28:23 PM
to Wazuh mailing list
Hi Idan,

Thank you for using Wazuh!

Wazuh helps to increase the security of a GCP infrastructure by collecting and analyzing log data. The Wazuh GCP module is able to retrieve logs from Google Cloud Pub/Sub and from Google Cloud Storage buckets. Here you can find information about it:


Here you can find the list of needed prerequisites in order to perform the integration:


After you complete the prerequisites, it is necessary to load the configuration into your ossec.conf. To do this, in your cloud instance you can use the Wazuh app UI under the Wazuh menu > Management > Configuration.

There you will have access to your ossec.conf file located on your Wazuh manager. 

After loading the required changes and saving them, remember to restart the service to load the changes.

I hope this information helps. Please let us know if you have any questions.

Regards.

Idan Abramovich

Sep 18, 2022, 1:56:58 PM
to Wazuh mailing list
Thank you, Alexander!

How do I edit the configuration of the credentials_file?

Error: Could not update configuration in specified node (1908) - Error validating configuration: (1202): Configuration error at 'etc/ossec.conf'.
    at Function.returnErrorInstance (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/wazuh/wazuh.plugin.js:1:117968)
    at Function._callee2$ (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/wazuh/wazuh.plugin.js:1:116188)
    at tryCatch (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1:341529)
    at Generator.invoke [as _invoke] (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1:345493)
    at forEach.prototype.<computed> [as next] (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/reportsDashboards/reportsDashboards.plugin.js:1:342654)
    at asyncGeneratorStep (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/wazuh/wazuh.plugin.js:1:109980)
    at _next (https://u8yx9dpzwx2k.cloud.wazuh.com/9007199254740991/bundles/plugin/wazuh/wazuh.plugin.js:1:110291)

This is what I get when trying to edit the ossec.conf file.

I added these lines to the end of the file:

<ossec_config>

  <gcp-pubsub>
    <pull_on_start>yes</pull_on_start>
    <interval>1m</interval>
    <project_id>wazuh-dev (Changed it )  </project_id>
    <subscription_name>wazuh-subscription</subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
  </gcp-pubsub>

  <gcp-bucket>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <project_id>wazuh-dev-(Changed it ) </project_id>
    <subscription_name>wazuh-subscription</subscription_name>
    <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
  </gcp-bucket>

</ossec_config>

Thank you again

Pablo Ariel Gonzalez

Sep 19, 2022, 4:46:43 PM
to Wazuh mailing list
Hi Idan:

Thanks for the detail of the error. As Alexander says, there are configurations that you can manage yourself from the web environment by modifying the ossec.conf file. Unfortunately, in this case you need some pip dependencies and, as you have indicated, a credentials file, tasks to which you will not have access.

They will contact you to solve this problem and finish the configuration.



Thanks,
