Creating alert in Wazuh based on event writing in index


Anhelina Sukhorebra

Oct 9, 2023, 7:00:29 AM10/9/23
to Wazuh | Mailing List

I have indexes in my Wazuh that start with my_ubuntu_(creation date). They contain records about unsuccessful login attempts to a server. My task is to create an alert when information starts being written to an index like this. Simply put, when someone has a failed login attempt I want to have an alert in Wazuh. I found some information about creating rules and tried to find logs for the rule field, but unfortunately I couldn't find any. Can you please advise or provide some practical examples? Thanks

Md. Nazmur Sakib

Oct 9, 2023, 8:31:00 AM10/9/23
to Wazuh | Mailing List

Hi Anhelina Sukhorebra,



Hope you are doing well. Thank you for using Wazuh.


If the Wazuh agent is installed in your endpoint normally Wazuh shows alerts related to authentication. 


If you need help with Wazuh-agent installation check this document:

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html


If you are trying to produce alerts from specific logs that are not covered by the Wazuh default rules and decoders, first check if the relevant logs are forwarded to your server.

For this, You can try the following steps:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation: Wazuh Documentation | logall


This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.


Check whether there are any logs inside the archive log that are relevant to authentication failure. Use grep parameters related to the Firewall log.

cat /var/ossec/logs/archives/archives.log | grep KEYWORD


Test those logs using logtest to find out if the logs are decoded by decoders and rules.

Check this document to get help with the logtest tool.

https://documentation.wazuh.com/current/user-manual/ruleset/testing.html


Based on the findings of your logtest write custom decoders and rules.

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html



I hope this helps. Let me know if you need any further information or assistance.


Regards

Md. Nazmur Sakib

Anhelina Sukhorebra

Oct 9, 2023, 10:50:15 AM10/9/23
to Wazuh | Mailing List
Dear Md. Nazmur Sakib,
Sorry for the miscommunication. I forgot to tell you about some important details:
- the indices my_ubuntu_(creation date) are created via an automation script (writing to the index via the Python Elasticsearch API).
- my purpose: to see my indices in security events for visualisation of how it works;
- the final goal: to be able to see alerts in security events every time information is written to an index with my pattern (my_ubuntu_(creation date))

P.S. /var/ossec/logs/archives/archives.log is empty. Nothing is being written.
Regards,

Md. Nazmur Sakib

Oct 17, 2023, 7:47:01 AM10/17/23
to Wazuh | Mailing List

Hi Anhelina Sukhorebra,

Hope you are doing well.


The /var/ossec/logs/archives/archives.log file is empty because you have not enabled the logall option.

You can use a local configuration file on the Wazuh agent or Wazuh server to monitor log files. Using this you can send the logs from the file that contains records about unsuccessful login attempts to the server.


Check this document to learn more about Configuration for monitoring log files.


https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html


Also check the supported log formats.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#log-format


Ex:

<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>


Next, you can check if the logs that you are referring to are arriving in the Wazuh manager. To check this please enable <logall> in ossec config.


Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation: Wazuh Documentation | logall


This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log. After setting this option, restart the manager and check the archives.log file.


Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.


Check whether there are any logs inside the archive log related to Fortigate. Use grep parameters related to the authentication log.

cat /var/ossec/logs/archives/archives.log | grep KEYWORD


Test those logs using logtest to find out if the logs are decoded by decoders and rules.

Check this document to get help with the logtest tool.

Check this document for Ruleset XML syntax:

https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/inde


I hope this helps. Please let me know if you need any further information.


Regards

Md. Nazmur Sakib
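As an added example (not part of this thread and not Wazuh's own ruleset), this is the configuration the two replies above point toward: a localfile entry that monitors failed-login records written as JSON lines, plus custom rules in local_rules.xml that alert on each record and escalate on repeats from one source. It assumes the automation script also appends each record to a file; the file path, the field names (event, user, srcip) and the rule IDs are assumptions, and same_field is assumed to be available (Wazuh 4.3 and later).

```xml
<!-- ossec.conf on the agent (or manager): monitor the JSON-lines file the
     automation script appends to. Path and format are assumptions. -->
<localfile>
  <location>/var/log/my_ubuntu/failed_logins.json</location>
  <log_format>json</log_format>
</localfile>

<!-- /var/ossec/etc/rules/local_rules.xml on the manager.
     A constructed record looks like:
     {"event":"failed_login","user":"alice","srcip":"203.0.113.7"}
     The built-in json decoder exposes each key as a field, so the rule
     matches on "event" and the alert carries data.event, data.user, data.srcip. -->
<group name="local,authentication_failed,">
  <!-- Custom rule IDs must be in the 100000-120000 range. -->
  <rule id="100100" level="5">
    <decoded_as>json</decoded_as>
    <field name="event">^failed_login$</field>
    <description>Failed login for user $(user) from $(srcip)</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Escalate when the same source produces 5 matches within 120 seconds. -->
  <rule id="100101" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>srcip</same_field>
    <description>Multiple failed logins from $(srcip) in a short time</description>
    <group>authentication_failed,</group>
  </rule>
</group>
```

Restart the manager after editing local_rules.xml, and paste one JSON record into /var/ossec/bin/wazuh-logtest to confirm rule 100100 fires before relying on the alert.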
