event absent in indices


Дмитрий Иванов

Jan 24, 2022, 2:11:22 AM
to wa...@googlegroups.com
Hi there

Wazuh 4.2.5 (cluster in docker containers)
I had set up integrations to Slack and got 3 alerts of level 11 and 12, as expected by my config.
But in the Kibana dashboard I have only one of them.
I've got in alerts.log:
```
{"timestamp":"2022-01-22T13:12:20.834+0000","rule":{"level":11,"description":"Possible kernel level rootkit","id":"521","mitre":{"id":["T1014"],"tactic":["Defense Evasion"],"technique":["Rootkit"]},"firedtimes":1,"mail":true,"groups":["ossec","rootcheck"]},"agent":{"id":"002","name":"HostName","ip":"HostIP"},"manager":{"name":"wazuh-master"},"id":"1642857140.33221407","cluster":{"name":"wazuh","node":"worker01"},"full_log":"Process '29608' hidden from /proc. Possible kernel level rootkit.","decoder":{"name":"rootcheck"},"data":{"title":"Process '29608' hidden from /proc."},"location":"rootcheck"}
{"timestamp":"2022-01-21T15:03:55.081+0000","rule":{"level":12,"description":"System running out of memory. Availability of the system is in risk.","id":"5108","mitre":{"id":["T1499"],"tactic":["Impact"],"technique":["Endpoint Denial of Service"]},"firedtimes":1,"mail":true,"groups":["syslog","linuxkernel","service_availability"],"pci_dss":["10.6.1"],"gpg13":["4.12"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"tsc":["CC7.2","CC7.3"]},"agent":{"id":"002","name":"HostName","ip":"HostIP"},"manager":{"name":"wazuh-master"},"id":"1642777435.45754750","cluster":{"name":"wazuh","node":"worker01"},"full_log":"Jan 21 00:00:02 HostName kernel: [0000:0000] Out of Memory: alarm generator, do not pay attention","predecoder":{"program_name":"kernel","timestamp":"Jan 21 00:00:02","hostname":"HostName"},"decoder":{"name":"kernel"},"location":"/var/log/syslog"}
```
And the first one, which exists on the dashboard (in the screenshot), is absent from alerts.log
image.png
It's not clear to me what the differences between them are.

Дмитрий Иванов

Jan 24, 2022, 2:35:46 AM
to Wazuh mailing list
Sorry,
the first alarm also exists in the alerts log:
```
{"timestamp":"2022-01-21T12:52:01.259+0000","rule":{"level":11,"description":"Possible kernel level rootkit","id":"521","mitre":{"id":["T1014"],"tactic":["Defense Evasion"],"technique":["Rootkit"]},"firedtimes":1,"mail":true,"groups":["ossec","rootcheck"]},"agent":{"id":"002","name":"HostName","ip":"HostIP"},"manager":{"name":"wazuh-master"},"id":"1642769521.36319644","cluster":{"name":"wazuh","node":"worker01"},"full_log":"Process '32739' hidden from /proc. Possible kernel level rootkit.","decoder":{"name":"rootcheck"},"data":{"title":"Process '32739' hidden from /proc."},"location":"rootcheck"}
```
And only this one is present in the indices.

Monday, January 24, 2022 at 10:11:22 UTC+3, Дмитрий Иванов:

Juan Carlos Tello

Jan 24, 2022, 6:12:04 AM
to Wazuh mailing list
Hello Dmitry,

The events you provided are valid and should not have any issues being indexed into a healthy Elasticsearch installation.
They may not be appearing in your search because of an issue with Elasticsearch (such as having run out of disk space) or because the search had not updated from a previous more restrictive search.
I've tested the events you provided in a local environment and verified that they present no conflict for being indexed as seen here:
Screenshot from 2022-01-24 11-57-15.png
Please let us know if you see more recent log events, especially when removing the agent filter.

Best Regards,
Juan Carlos Tello


Дмитрий Иванов

Jan 25, 2022, 5:09:12 AM
to Juan Carlos Tello, Wazuh mailing list
Hello Juan Carlos,

Thanks a lot! 
Key words are "healthy Elasticsearch".
As I found, after some changes in the index policy settings, the indices for 2022-01-22 and 2022-01-23 did not exist at all.


Mon, Jan 24, 2022 at 14:12, Juan Carlos Tello <juancarl...@wazuh.com>:
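The root cause in this thread was that alerts written to alerts.log had no daily index to land in, because an index policy had removed the indices for those days. The check below is an added example (not code from the thread participants or from the Wazuh project): it parses alerts.log lines, derives the daily index each alert would be written to, and compares that set against `_cat/indices` output to flag indices that are missing, closed, or red. It assumes the default Wazuh 4.x daily index pattern `wazuh-alerts-4.x-YYYY.MM.DD` (an assumption; adjust `INDEX_PATTERN` if your Filebeat template differs) and the whitespace-separated text format of `GET _cat/indices?v`. Both sample inputs are constructed inline: the alert lines are trimmed from the ones posted above plus one deliberately malformed line, and the index listing is invented to reproduce the situation described (one day's index present, one missing, one present but red).

```python
import json
from datetime import datetime, timezone

# Assumed default Wazuh 4.x daily index naming (assumption, not stated in the thread).
INDEX_PATTERN = "wazuh-alerts-4.x-{date}"

# Constructed sample alerts.log content: three alerts trimmed from the thread plus one junk line.
SAMPLE_ALERTS = """\
{"timestamp":"2022-01-22T13:12:20.834+0000","rule":{"level":11,"id":"521","description":"Possible kernel level rootkit"},"agent":{"id":"002","name":"HostName"}}
{"timestamp":"2022-01-21T15:03:55.081+0000","rule":{"level":12,"id":"5108","description":"System running out of memory. Availability of the system is in risk."},"agent":{"id":"002","name":"HostName"}}
{"timestamp":"2022-01-21T12:52:01.259+0000","rule":{"level":11,"id":"521","description":"Possible kernel level rootkit"},"agent":{"id":"002","name":"HostName"}}
not json at all
"""

# Constructed sample output of `GET _cat/indices/wazuh-alerts-*?v` (invented UUIDs and sizes).
SAMPLE_CAT_INDICES = """\
health status index                        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   wazuh-alerts-4.x-2022.01.21  abcdefghijklmnopqrstuv   3   0       1234            0      2.1mb          2.1mb
red    open   wazuh-alerts-4.x-2022.01.23  bcdefghijklmnopqrstuvw   3   0          0            0       208b           208b
"""


def parse_alerts(text):
    """Return (alerts, bad_lines): parsed alert dicts and the 1-based numbers of lines
    that are not valid JSON or lack the fields the indexer relies on (timestamp, rule.id)."""
    alerts, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
            alert["timestamp"]
            alert["rule"]["id"]
        except (ValueError, KeyError, TypeError):
            bad.append(n)
            continue
        alerts.append(alert)
    return alerts, bad


def index_for(alert, pattern=INDEX_PATTERN):
    """Daily index an alert is routed to, based on the UTC date of its timestamp."""
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return pattern.format(date=ts.astimezone(timezone.utc).strftime("%Y.%m.%d"))


def parse_cat_indices(text):
    """Map index name -> row dict from the header line of `_cat/indices?v` text output."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = {}
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            continue  # skip anything that is not a well-formed row
        row = dict(zip(header, cols))
        rows[row["index"]] = row
    return rows


def find_gaps(alert_text, cat_text, pattern=INDEX_PATTERN):
    """Return (problems, bad_lines). problems is a sorted list of (index, reason) where
    reason is 'missing' (alerts exist for that day but no index does), 'closed'
    (index exists but is not open, so not searchable) or 'red' (primary shards unassigned)."""
    alerts, bad = parse_alerts(alert_text)
    indices = parse_cat_indices(cat_text)
    expected = {}
    for alert in alerts:
        name = index_for(alert, pattern)
        expected[name] = expected.get(name, 0) + 1
    problems = []
    for name in sorted(set(expected) | set(indices)):
        row = indices.get(name)
        if row is None:
            problems.append((name, "missing"))
        elif row["status"] != "open":
            problems.append((name, "closed"))
        elif row["health"] == "red":
            problems.append((name, "red"))
    return problems, bad


if __name__ == "__main__":
    problems, bad = find_gaps(SAMPLE_ALERTS, SAMPLE_CAT_INDICES)
    for name, reason in problems:
        print(f"{name}: {reason}")
    if bad:
        print(f"unparseable alerts.log lines: {bad}")
```

Run against real data, feed the output of `tail -n 10000 /var/ossec/logs/alerts/alerts.json` (or the plain alerts.log when it holds one JSON document per line) and the text of `curl -s 'http://<es-host>:9200/_cat/indices/wazuh-alerts-*?v'` into `find_gaps`; a `missing` result for a day that has alerts in the log points straight at index lifecycle or retention policy, which is what turned out to be the cause here, while `red` or `closed` points at cluster health or disk watermarks.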