Trying to ingest Snort json logs into Wazuh


Jason Talbot

Dec 7, 2021, 11:32:13 AM12/7/21
to Wazuh mailing list

Hi

I have installed Snort, and its logs are being written in JSON format to the following location: /var/log/snort/alert_json.txt

I want to ingest these log files into Wazuh, but I can't seem to get it to work.

I have edited the ossec.conf on my agent at /var/ossec/etc/ossec.conf and added the following entries at the end of the file.

I have been trying them one by one, but none of the combinations below appear to work. Each time I make a change I have been restarting the agent with the following command: systemctl restart wazuh-agent


  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort</location>
  </localfile>

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/*</location>
  </localfile>

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert_json.txt</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/snort/alert_json.txt</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/snort</location>
  </localfile>


Federico Pacher

Dec 7, 2021, 12:19:41 PM12/7/21
to Wazuh mailing list
Hi Jason,

To monitor messages and logs that the manager receives, you can use logall or logall_json.
This is a simple ossec.conf modification, and as pointed out in the documentation you will be able to see all logs in either archives.log or archives.json.
If you are using Kibana, I would advise enabling archives in /etc/filebeat/filebeat.yml (do not forget to restart filebeat):
archives:
  enabled: true

Remember to restart wazuh-manager.
Then do these steps in Kibana:
  1. Go to Kibana -> index management -> indices and verify wazuh-archives-x.x-xxxx.xx.xx is present
  2. Go to Kibana -> stack management -> index pattern and select Create index pattern. Use wazuh-archives-* as the index pattern name
  3. Go to Kibana -> discover and verify archives events are being reported
However, if the particular program you are using is able to store the logs in a file, you could easily ingest these logs by using the Log Collector capability that Wazuh offers. Take a look at our official documentation to learn more about the Log Collector in case you are interested.

I hope this helps to solve your case.
Regards