Suricata logs are not visible on dashboard


Aykhan Huseynli

Oct 3, 2022, 7:05:30 AM
to Wazuh mailing list
Hi Team,

I'm trying to redirect Suricata logs to Wazuh dashboard but I ran into some problems. Let me briefly explain what I did so far.

On the endpoint's side I did the following:
  1. Installed Suricata (Stable), version 6.0.8
  2. Installed Npcap 1.71
  3. Downloaded and moved the Suricata rules to C:\Program Files\Suricata\rules
  4. Ran the 'suricata -c suricata.yaml -i 192.168.1.102 -l ./log -knone -vvv --service-install' command in cmd
  5. Checked the C:\Program Files\Suricata\log\eve.json file (logs are generated)
On the agent config side I did the following:
  1. Edited the default group's config file and added the lines below:
<agent_config>
    <localfile>
        <log_format>syslog</log_format>
        <location>C:\\Program Files\\Suricata\\log\\eve.json</location>
    </localfile>
</agent_config>

On the manager's side, inside ossec.conf, I edited the following line:
  1. <logall_json>yes</logall_json>
Furthermore, I checked '/var/ossec/logs/archives/archives.json'. The screenshot is attached.

Please feel free to contact me if you need any further information.

Best Regards,


Attachment: var_ossec.png

Jose Antonio Izquierdo

Oct 3, 2022, 7:19:16 AM
to Wazuh mailing list
Hi Aykhan, 

I think the issue is related to the default Suricata rules we include. 

Here - https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0475-suricata_rules.xml - you can find the default rules. By default, only event_type equal to alert will generate alerts you can see in your Dashboard.
Your sample Suricata log is a TLS event_type, so you won't see it in the dashboard unless you modify the ruleset.

You can modify it by adding the event_types you want to report, as in the rule id 86601 for event_type equal to alert. Or you can change rule id 86600 by overwriting it and increasing the level from 0 to 3 or higher.

Please let me know if this makes sense and if you need any help with the ruleset setup.
Thanks
Jose.
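The first approach Jose describes (adding a rule for each event_type you want to see, rather than raising the level of the base rule 86600) can be done in the manager's local rules file. The snippet below is an added example for this thread, not part of the Wazuh ruleset or of either poster's configuration; the rule id 100100, the level 3 and the use of the tls.sni and tls.version fields from eve.json in the description are assumptions.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not the stock Wazuh ruleset) -->
<group name="suricata,local,">

  <!-- Child of the stock base rule 86600 (level 0). It fires only for
       eve.json records whose event_type is exactly "tls", so flow, stats,
       http and other record types stay silent and do not flood the
       dashboard. Rule id 100100 and level 3 are assumptions: pick any free
       id in the 100000+ range reserved for local rules. -->
  <rule id="100100" level="3">
    <if_sid>86600</if_sid>
    <field name="event_type">^tls$</field>
    <!-- tls.sni / tls.version are assumed to be present in the eve.json
         TLS record; the description is built from the decoded JSON fields -->
    <description>Suricata: TLS session to $(tls.sni) ($(tls.version))</description>
    <options>no_full_log</options>
  </rule>

</group>
```

After saving the file, a single TLS line copied from eve.json can be pasted into /var/ossec/bin/wazuh-logtest on the manager to confirm it is decoded as json and matches rule 100100 before the manager is restarted. Overwriting 86600 with a higher level instead, the second option in the reply above, surfaces every event_type at once, which is the behaviour that produces a flooded dashboard.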

Aykhan Huseynli

Oct 3, 2022, 9:40:30 AM
to Wazuh mailing list
Thanks Jose!

I edited the rule as mentioned here and everything works fine now. The only thing I regret now is that I have flooded the dashboard :)
In your opinion, what would be the best practice regarding the integration of Suricata and Wazuh? Which rule IDs are suggested to be redirected to Wazuh and which ones are not? A bit off-topic, but I thought you would have experience in this matter.

Best Regards,
