Wazuh Manager - New Install - Configure app

Uzair Ally

Jun 22, 2019, 2:37:04 AM
to wa...@googlegroups.com
Hi,

I'm just getting started with a new install of Wazuh. All the components are on a single node and I have one Windows agent sending data to the manager. 
I'm not seeing any data on the Wazuh manager even though the agent is configured and showing as active. 

The Wazuh menu on the manager shows "Wazuh API Configuration". How do I set the username and password to connect the Wazuh API to connect the Kibana plugin?

Should I be able to see logs under the Logs tab on the Wazuh manager? The message displayed is "Looks like you don't have any logging indices. Let's add some!"

It is a fresh install and I did not complete all the configuration steps on the user manual. Is it advisable to go through each item on the user manual and configure the Wazuh server accordingly?

Kind regards,
Mohammed Ally

Adri Valle

Jun 24, 2019, 3:00:06 AM
to Wazuh mailing list

Hi Uzair,

The first thing is to check whether the agent is sending alerts. It seems that it is active, so please ensure that the /var/ossec/logs/alerts/alerts.json file contains alerts. The alerts.json file is read by Filebeat in order to feed Elasticsearch and store the alerts in an index.

> The Wazuh menu on the manager shows “Wazuh API Configuration”. How do I set the username and password to connect the Wazuh API to connect the Kibana plugin?

To connect the Wazuh app to the API, please go to Settings > API and fill in the form to add a new API. By default the user and password are foo and bar, and the port used is 55000. The host, assuming that you didn’t secure the API connection, should in your case be http://localhost.


api.jpg


Once you’ve added an API you can navigate through the app.

> Should I be able to see logs under the Logs tab on the Wazuh manager? The message displayed is “Looks like you don’t have any logging indices. Let’s add some!”

This message is displayed from the Kibana app logs instead of the Wazuh app logs. If you want to see the logs once you’ve configured the API in the app, you need to go to Management > Logs:


logs.png


> It is a fresh install and I did not complete all the configuration steps on the user manual. Is it advisable to go through each item on the user manual and configure the Wazuh server accordingly?

Not always. For example, if you forget to configure an API, the Wazuh app will advise you to add a new API in order to enable navigation in the app, but if you didn’t create the Wazuh index you won’t be able to receive alerts, and the app won’t advise you of this problem either.

I hope it helps. If you have more doubts, please don’t hesitate to ask again.

Regards,

Adri,
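
A way to carry out the first check in the reply above, added here as an example that is not part of the original thread: it reads alerts.json (one JSON object per line) and counts alerts per agent, so a file that only holds the manager's own alerts (agent id 000) is not mistaken for proof that the Windows agent is reporting. The sample lines, agent names and rule ids are constructed, and the function names are hypothetical.

```python
import json
import sys
from collections import Counter

# Constructed sample in the one-JSON-object-per-line layout of alerts.json.
# Agent names, rule ids and timestamps are made up for illustration.
SAMPLE_ALERTS = """\
{"timestamp":"2019-06-22T02:40:11.000+0000","rule":{"level":3,"id":"100001","description":"constructed manager event"},"agent":{"id":"000","name":"wazuh-manager"}}
{"timestamp":"2019-06-22T02:41:05.000+0000","rule":{"level":3,"id":"100002","description":"constructed Windows event"},"agent":{"id":"001","name":"win-agent"}}
{"timestamp":"2019-06-22T02:41:30.000+0000","rule":{"level":5,"id":"100003","description":"constructed Windows event"},"agent":{"id":"001","name":"win-agent"}}
{"timestamp":"2019-06-22T02:41:31.000+0000","rule":{"level":3,"id":"1000
"""


def summarize_alerts(lines):
    """Count alerts per (agent id, agent name) and record each agent's last timestamp."""
    per_agent, last_seen, malformed = Counter(), {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            agent = alert["agent"]
            key = (agent["id"], agent["name"])
        except (ValueError, KeyError, TypeError):
            malformed += 1  # e.g. a line the manager is still writing
            continue
        per_agent[key] += 1
        last_seen[key] = alert.get("timestamp")
    return per_agent, last_seen, malformed


def remote_agents(per_agent):
    """Agents other than the manager itself, which reports as id 000."""
    return {key: n for key, n in per_agent.items() if key[0] != "000"}


if __name__ == "__main__":
    # On the manager, pass /var/ossec/logs/alerts/alerts.json as the argument.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            per_agent, last_seen, malformed = summarize_alerts(fh)
    else:
        per_agent, last_seen, malformed = summarize_alerts(SAMPLE_ALERTS.splitlines())
    for key, count in sorted(per_agent.items()):
        print(f"{key[0]} {key[1]}: {count} alerts, last at {last_seen[key]}")
    print(f"malformed lines skipped: {malformed}")
    if not remote_agents(per_agent):
        print("only manager (000) alerts found: no agent alerts reach alerts.json")
```
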

Uzair Ally

Jun 24, 2019, 6:05:32 AM
to Wazuh mailing list
Hi Adri,

Thanks for responding to my post!
Your advice was helpful, though I managed to figure out these steps over the weekend while waiting for a response to my post - Haha.

Yes the agent is sending alerts, which is great!
I configured the API and can now navigate through the Wazuh app. Also, logs are now visible after I configured the API. 

My next step is to configure a custom index pattern. I did not think this was necessary at first as I see two default index patterns, "wazuh-monitoring-3.x-*" and "wazuh-alerts-3.x-*".
As a test on my Windows agent, I launched PowerShell expecting to see a log for this event under the Discover tab in the Wazuh app. The event is visible but I am missing essential information like process name, process ID, hash, etc. I can only assume the information is not being displayed due to me not configuring a custom index pattern, am I correct?

Kind regards,
Uzair

Adri Valle

Jun 24, 2019, 11:09:22 AM
to Wazuh mailing list

Hi Uzair,

I guess that you want to get information like processes running, packages installed, etc. on the agent. This information is not present in the alerts, so the problem is not the index pattern.

We have a module called syscollector which gets this information from the agent in order to have an inventory with this data.

With this module, you can get information about hardware, OS, packages, network ports, and processes. You can see more information about this module here: Syscollector.

image (11).png


The previous image shows the information related to a Windows agent. To see this information you only need to go to Agents > {agent} > Inventory data.

I hope it helps. If I misunderstood you, don’t hesitate to ask again.

Regards,

Adri,
