How to view rookit alerts in Wazuh dashboard?
74 views
Skip to first unread message
Flávio Tom
Jun 28, 2023, 8:25:39 PM6/28/23
to Wazuh mailing list
I'm looking at the Wazuh logs alert via terminal and I found the following alerts:
{
"timestamp": "2023-06-28T13:28:23.713-0300",
"rule": {
"level": 7,
"description": "Host-based anomaly detection event (rootcheck).",
"id": "510",
"firedtimes": 2,
"mail": false,
"groups": [
"ossec",
"rootcheck"
],
"pci_dss": [
"10.6.1"
],
"gdpr": [
"IV_35.7.d"
]
},
"agent": {
"id": "025",
"name": "cron-01",
"ip": "192.168.0.1"
},
"manager": {
"name": "wazuh"
},
"id": "1687969703.302985",
"full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"decoder": {
"name": "rootcheck"
},
"data": {
"title": "Trojaned version of file detected.",
"file": "/usr/bin/diff"
},
"location": "rootcheck"
}
"timestamp": "2023-06-28T13:28:23.713-0300",
"rule": {
"level": 7,
"description": "Host-based anomaly detection event (rootcheck).",
"id": "510",
"firedtimes": 2,
"mail": false,
"groups": [
"ossec",
"rootcheck"
],
"pci_dss": [
"10.6.1"
],
"gdpr": [
"IV_35.7.d"
]
},
"agent": {
"id": "025",
"name": "cron-01",
"ip": "192.168.0.1"
},
"manager": {
"name": "wazuh"
},
"id": "1687969703.302985",
"full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"decoder": {
"name": "rootcheck"
},
"data": {
"title": "Trojaned version of file detected.",
"file": "/usr/bin/diff"
},
"location": "rootcheck"
}
But
accessing the Wazuh dashboard, inside the agent, in the "FIM: Recent
events" area, filtering only for that week, nothing appears.
How can I see these alerts on the dashboard?
Jose Camargo
Jun 28, 2023, 8:51:49 PM6/28/23
to Wazuh mailing list
Hi Flavio,
Can you please attach again the screenshot? As it is not visible.
Regarding how to visualize the alert, this specific alert is not visible from the FIM dashboard, but from the Security Events section, filtering by rule group:
Regards,
Jose Camargo
Flávio Tom
Jun 28, 2023, 11:04:30 PM6/28/23
to Wazuh mailing list
I tried that way and it didn't show any results.
Jose Camargo
Jun 29, 2023, 2:12:05 PM6/29/23
to Wazuh mailing list
Hi Flavio,
Do you see events in general in your Wazuh Dashboard? Or are these the only events you can't see?
If you don't see any events, you might have issues either with Filebeat or Wazuh-Indexer. Can you please check logs from both sides to see if you get any errors?
I'll be awaiting your comments.
Regards,
Jose Camargo
Flávio Tom
Jun 29, 2023, 3:56:57 PM6/29/23
to Wazuh mailing list
Hi,
After restarting all servers it started updating errors.
After restarting all servers it started updating errors.
Jose Camargo
Jun 29, 2023, 4:39:52 PM6/29/23
to Wazuh mailing list
Hi Flavio,
That's great! Do not hesitate in contacting us again if anything comes up.
That's great! Do not hesitate in contacting us again if anything comes up.
Regards,
Jose Camargo
Reply all
Reply to author
Forward
0 new messages