export ip


m

Jun 28, 2022, 8:46:51 AM
to Wazuh mailing list
Hi
How can I create a file containing a list of IPs that are the subject of a specific event? I would like the IPs corresponding to the failed logins coming from the firewall agent to be inserted into a file.

thanks

Julio Gasco

Jun 28, 2022, 10:12:43 AM
to Wazuh mailing list
Hi Matteo,
Thanks for using our community!
What you can do to achieve this is create a search from the Discover section of Kibana and export the CSV, where you will then be able to see all the IPs.

To do so, follow these steps:
1- On Kibana, go to Discover.
2- On the Discover page, press Add filter and create the filter: Field = rule.id, Operator = is, and Value = the rule you want to filter (in this example, 23504).
3- After getting the result, at the top right of the screen you can modify the time you want to cover, then press Save to save the query.
4- Once the query is saved, click Reporting at the top right and then Generate CSV.

This will automatically download the CSV report. When you open it in Excel, you will be able to see the IP column and filter by it as seen below. You can then remove all unnecessary columns or copy and use this information.

[Image: comu5.JPG]
Let me know if this covers your question

Regards!!

Matteo

Jun 29, 2022, 4:14:54 AM
to Wazuh mailing list
Hi Julio,
Thanks for your reply.
I would like to automate this task, as a kind of Wazuh autoresponder (see, for example, that of pfSense).

Julio Gasco

Jul 1, 2022, 10:00:41 AM
to Wazuh mailing list
Hi Matteo,
You can automate the report creation following the next steps:

When you have the query search as explained in my previous message, on Discover click Reporting -> Create Report Definition.

In the report settings, set a name and, in Report source, check Saved search and below select the saved query you created.

Below you will see the report trigger option. On Trigger type select Schedule and on Request time select Recurring; below you will be able to set the frequency and time of creation.

Once created, the report will run and be available in the Reporting menu.

Let me know if this was what you required,

Regards!

Matteo

Jul 4, 2022, 2:11:49 AM
to Wazuh mailing list
Hi Julio,
Thanks for your reply.
Where is the exported file saved? I would like to take it and move it to a folder that I will make accessible from the firewall to feed the IP blocking rules.

Thanks

Julio Gasco

Jul 4, 2022, 4:36:01 PM
to Wazuh mailing list
Hi Matteo,
The exports will be created and ready to be downloaded from the Reporting section as seen below.

[Image: commev4.JPG]

The reports are saved at an index level, so they are not created on the server until you download them.
So you would need to go into the Reporting section and download them in order for them to be available. They are then saved at your browser's pre-defined download location.

Regarding your question on only filtering some fields of the CSV, it is not possible at this moment. Kibana lets you use "Selected fields" for the saved query, but it's only intended for visualization purposes; when you export that information all the fields will be showing anyway, as it's not affected by the "Selected fields" option.


Regards!
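
Added example (not part of the thread and not Wazuh's own code): a Python script that takes a CSV report downloaded as described above, which still contains every field, and reduces it to a one-IP-per-line file a firewall can read. The column names `rule.id` and `data.srcip`, the never-block ranges, the output path and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
import os

# Assumed column names in the exported CSV (Wazuh alert fields).
RULE_FIELD = "rule.id"
SRC_FIELD = "data.srcip"
# Assumed internal ranges that must never end up in the blocklist.
NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

# Constructed sample of a downloaded report; a real export has many more columns.
SAMPLE_CSV = """\
timestamp,agent.name,rule.id,data.srcip
"Jun 28, 2022 @ 08:46:51.000",firewall,23504,203.0.113.10
"Jun 28, 2022 @ 08:47:02.000",firewall,23504,203.0.113.10
"Jun 28, 2022 @ 08:49:30.000",firewall,23504,198.51.100.7
"Jun 28, 2022 @ 08:50:11.000",firewall,99999,198.51.100.99
"Jun 28, 2022 @ 08:51:00.000",firewall,23504,
"Jun 28, 2022 @ 08:52:40.000",firewall,23504,10.0.0.5
"Jun 28, 2022 @ 08:53:05.000",firewall,23504,not-an-ip
"""


def extract_blocklist(csv_text, rule_id, never_block=NEVER_BLOCK):
    """Return the unique, valid source IPs of alerts matching rule_id, sorted."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get(RULE_FIELD) or "").strip() != str(rule_id):
            continue  # alert from another rule
        try:
            ip = ipaddress.ip_address((row.get(SRC_FIELD) or "").strip())
        except ValueError:
            continue  # empty or malformed value: never hand it to the firewall
        if any(ip.version == n.version and ip in n for n in protected):
            continue  # do not block our own hosts
        found.add(ip)
    return [str(ip) for ip in sorted(found, key=lambda a: (a.version, int(a)))]


def write_blocklist(path, ips):
    """Write one IP per line via temp file + rename so readers never see a partial list."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.writelines(ip + "\n" for ip in ips)
    os.replace(tmp, path)


if __name__ == "__main__":
    write_blocklist("blocklist.txt", extract_blocklist(SAMPLE_CSV, 23504))
```

Parsing with the `csv` module matters here because exported timestamps contain commas inside quoted fields, which a plain split on commas would break.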

Matteo

Jul 11, 2022, 2:40:40 AM
to Wazuh mailing list
Thanks a lot