Wazuh start and upgrade


Николай Коротыгин

Jan 3, 2023, 2:27:02 PM
to Wazuh mailing list
Good night, people.

I'm new to this business.
Please tell me how to use this product so that, with the help of integrity control, you can control your Linux (server) and Windows (server) systems. There are a lot of events happening everywhere; how do I find out which ones I need (default manager installation)?

Installed: Wazuh (OSSEC) 4.3.9. 4.3.10 already exists, and 4.4 is just around the corner. How do I upgrade to the current version offline?

I have read the documentation and understand how this product works. I track logs in another SIEM system.

Thanks for the help!!!!!

Lucio Donda

Jan 3, 2023, 2:59:48 PM
to Wazuh mailing list
Hi Nikolai!
Just a couple of things in order to clear the request:
Wazuh has several components for integrity control (here you can find a list of them). All those events you name are somehow filtered according to your needs, and based on that you can generate alerts, active responses (actions), or store them for later use (analysis).
Wazuh central components can only be installed on Linux OSes, where the logs will be sent to be analyzed, among other things. For Windows server systems you could install Wazuh agents, but you will need to make them accessible to the Linux servers where the manager is running.
I'm guessing that you have installed the Wazuh server on a single machine (as defined here). You could update the central components offline by downloading the needed packages (guide over here). Upgrading the agents can be done from the manager remotely, as defined here.
If you need better-explained examples, we have a proof-of-concept guide with several use cases.
Have a great day!
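The offline update of the central components that the reply above points to can be scripted for the manager package. The following is an added example, not code from this thread or from the Wazuh project. It assumes CentOS 7 with rpm and systemctl, that the wazuh-manager RPM was downloaded on an internet-connected host and copied to the server, and that the Wazuh package-signing key has already been imported into the rpm keyring (rpm --import) so the signature can be checked offline. The version comparison is written in plain shell so that 4.3.9 is correctly treated as older than 4.3.10, which a string comparison would get wrong.

```shell
#!/bin/sh
# Offline upgrade of wazuh-manager on CentOS 7 (added example, not the project's
# own tooling). Assumes the RPM was downloaded elsewhere and copied here, and
# that the Wazuh package-signing key is already imported (rpm --import <key>).
set -eu

# version_lt A B: succeed when version A is older than version B.
# Compares dot-separated numeric fields, so 4.3.9 < 4.3.10 and 4.4 > 4.3.10.
version_lt() {
    local a="$1" b="$2" x y
    [ "$a" = "$b" ] && return 1
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"        # leading field of each (empty when exhausted)
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        a="${a#"$x"}"; a="${a#.}"         # drop the field just compared
        b="${b#"$y"}"; b="${b#.}"
    done
    return 1
}

upgrade_manager() {
    local pkg="$1" installed target
    installed="$(rpm -q --qf '%{VERSION}' wazuh-manager)"   # e.g. 4.3.9
    target="$(rpm -qp --qf '%{VERSION}' "$pkg")"            # version inside the RPM file

    if ! version_lt "$installed" "$target"; then
        echo "installed $installed is not older than $target; refusing to downgrade" >&2
        return 1
    fi

    # Check digest and GPG signature before touching the system. Without the
    # Wazuh public key in the rpm keyring this reports NOKEY and fails.
    rpm -K "$pkg"

    # Keep ossec.conf, local rules/decoders and client.keys for a rollback.
    tar czf "/root/wazuh-manager-$installed-$(date +%F).tgz" /var/ossec/etc

    # -U upgrades in place; rpm itself refuses a package that is not newer.
    rpm -Uvh "$pkg"
    systemctl daemon-reload
    systemctl restart wazuh-manager
    rpm -q wazuh-manager
}

# Usage: ./upgrade-wazuh-manager.sh /root/offline/wazuh-manager-4.3.10-1.x86_64.rpm
if [ "$#" -eq 1 ]; then
    upgrade_manager "$1"
fi
```

The manager is only one of the central components; the indexer, dashboard and Filebeat packages that were fetched for the offline installation have to be brought to the same version, in the order the upgrade guide gives, or the dashboard and the manager will disagree about the API and index templates. The backup step matters because a rollback means reinstalling the old RPM and restoring /var/ossec/etc, which rpm does not do for you.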

Николай Коротыгин

Jan 4, 2023, 1:37:14 PM
to Wazuh mailing list

Good evening, thank you so much for your quick response.
I don't think I expressed myself correctly.

My installation option is https://documentation.wazuh.com/current/deployment-options/offline-installation.html . Only installing the Wazuh server on CentOS 7.
1) The question is: how can I update the Wazuh (OSSEC) server to the current version without Internet access? I can update agents through WPK (offline).
2) I have a SIEM system that receives logs from the Wazuh server. But there are a lot of them; how do I make sense of them? I have an agent on 166 Windows and Linux servers. How do I understand which logs are interesting to me and which are not? The agents are configured by default.
On Tuesday, January 3, 2023 at 22:59:48 UTC+3, lucio...@wazuh.com wrote:

Lucio Donda

Jan 5, 2023, 10:56:49 AM
to Wazuh mailing list
Nikolai!
Sorry for the late response.

I couldn't find any particular documentation for an offline upgrade; I'm thinking of 2 options.
The first one would be downloading the respective package (wazuh-manager) and installing it from the package itself (here you will find the latest versions of all of them).
The second one is using the same procedure you followed earlier: once 4.4 is released, all packages needed will be available to download, whether you do it directly or by the wazuh-install.sh script. If you do a little test, you will find out that the package manager handles the version itself; it would upgrade it if you have an older version.

Regarding logs, I'm guessing you have already checked that Wazuh is a SIEM itself (you could handle those logs internally, avoiding any possible problem of interfacing with another app), but if that's not an option you could filter verbosity or enable/disable the different modules feeding the logs by modifying local_internal_options.conf, setting .debug to 0 - 2 according to what you're looking for, or by changing the source where those logs are obtained by adding or removing <localfile>, <remote>, etc. in ossec.conf.
As stated there, there's a pre-decoding phase where hostname and program_name are taken from part of the log header, and after that a decoding phase where some extra info is obtained.
Having that in mind, you will be able to see which agents are generating the logs (by hostname) and which programs as well.
Windows log collection info: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#how-to-collect-windows-logs

If there's no problem on your side, can you tell me why you are trying, or forced, to use another SIEM alongside Wazuh?

Hope that this answer suits you better, but please do not hesitate to ask about any doubt.

Have a great day!
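Following the point above that the hostname and the program tell you who is producing the volume, here is an added example that is not from this thread or from Wazuh's own tooling. It summarises the plain-text alert log by rule and by agent, then generates a local_rules.xml child rule that silences one noisy rule for one network range only. The alert records are constructed for the example in the layout of /var/ossec/logs/alerts/alerts.log; the agent names, IP addresses and the 10.0.0.0/8 range are invented. It relies on two documented behaviours: Wazuh only records (and therefore forwards) alerts whose level is at or above log_alert_level (default 3), so a level-0 child rule keeps the matching events out of the other SIEM; and custom rule IDs come from the 100000-119999 range reserved for them.

```shell
#!/bin/sh
# Triage of a Wazuh alerts.log: which rules and agents are noisy, and how to
# quiet one source without dropping the rule everywhere. Added example; the
# alert records below are constructed, not real output.
set -eu

SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
** Alert 1672756022.1001: - syslog,sshd,authentication_failed,
2023 Jan 03 14:27:02 (srv-web-01) 10.0.0.11->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 203.0.113.10
Jan  3 14:27:02 srv-web-01 sshd[1234]: Invalid user admin from 203.0.113.10 port 5555

** Alert 1672756023.1002: - ossec,syscheck,
2023 Jan 03 14:27:03 (dc-01) 10.0.0.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File 'C:\Windows\System32\drivers\etc\hosts' checksum changed.

** Alert 1672756024.1003: - syslog,sshd,authentication_failed,
2023 Jan 03 14:27:04 (srv-web-01) 10.0.0.11->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 10.0.0.5
Jan  3 14:27:04 srv-web-01 sshd[1240]: Invalid user backup from 10.0.0.5 port 40022

** Alert 1672756025.1004: - syslog,sudo,
2023 Jan 03 14:27:05 wazuh-server->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed.'
Jan  3 14:27:05 wazuh-server sudo: admin : TTY=pts/0 ; USER=root ; COMMAND=/bin/systemctl status wazuh-manager

** Alert 1672756026.1005: - syslog,sshd,authentication_failed,
2023 Jan 03 14:27:06 (srv-web-01) 10.0.0.11->/var/log/secure
Rule: 5710 (level 5) -> 'sshd: Attempt to login using a non-existent user'
Src IP: 10.0.0.5
Jan  3 14:27:06 srv-web-01 sshd[1244]: Invalid user oracle from 10.0.0.5 port 40023
EOF

# top_rules FILE: print "count rule_id level", busiest rule first.
top_rules() {
    awk '
        /^Rule: / {                     # "Rule: 5710 (level 5) -> ..."
            id = $2; lvl = $4; sub(/\)/, "", lvl)
            n[id " " lvl]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# top_agents FILE: print "count agent", busiest agent first. The line after the
# "** Alert" header carries "(agent-name)" for agent events; manager-local
# events have no parentheses, so the hostname before "->" is used instead.
top_agents() {
    awk '
        /^\*\* Alert/ { want = 1; next }
        want {
            want = 0
            if (match($0, /\([^)]*\)/)) a = substr($0, RSTART + 1, RLENGTH - 2)
            else { a = $5; sub(/->.*/, "", a) }
            n[a]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# suppress_rule_xml NEW_ID PARENT_ID SRCIP_CIDR DESCRIPTION: a level-0 child
# rule for /var/ossec/etc/rules/local_rules.xml. It fires only when the parent
# matched and the source is inside the CIDR, so the parent keeps alerting for
# every other source.
suppress_rule_xml() {
    cat <<EOF
<group name="local,">
  <rule id="$1" level="0">
    <if_sid>$2</if_sid>
    <srcip>$3</srcip>
    <description>$4</description>
  </rule>
</group>
EOF
}

echo "== alerts per rule ==";  top_rules "$SAMPLE"
echo "== alerts per agent =="; top_agents "$SAMPLE"
echo "== rule to append to local_rules.xml =="
suppress_rule_xml 100001 5710 10.0.0.0/8 "sshd: ignore non-existent-user noise from the internal scanner range"
```

Run against the real file, the first few lines of each table are usually enough to see that most of the volume comes from two or three rules on a handful of hosts, and those are the ones worth a scoped child rule like the generated one. A level-0 child rule hides the event from Wazuh's own alert log as well as from the downstream SIEM, so scope it by srcip, hostname or program rather than silencing the parent rule outright. If the other SIEM receives alerts through <syslog_output> in ossec.conf, its <level> and <group> settings are the simpler knob for cutting volume before tuning individual rules.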