Wazuh Raw data events
1,018 views
Skip to first unread message
Eric
Apr 11, 2021, 10:22:29 PM4/11/21
to Wazuh mailing list
Hi Colleagues,
I'm a bit confuse of the Raw data events. Where is it? How can I check it on Wazuh,
As the picture on the below, we can see the events that occur on systems and on the network, flag suspicious ones as alerts, and if confirmed to be malicious, work them as incidents. The definitions we will be using in the class for events and incidents align with NIST SP800-53, GPG 13, PCI DSS, HIPAA
As far I know, on some situations, attackers can bypass the SIEM. Therefore rules can't detect them. We need use threat intelligence & apply machine learning algorithms. At the time, we need raw data events. Does anyone here who using raw data events do input for threat intelligence & apply machine learning algorithms? Please could you suggest to me?
Regards,
elw...@wazuh.com
Apr 12, 2021, 2:53:14 AM4/12/21
to Wazuh mailing list
Hello,
Raw events or all events send by the agents can be found in /var/ossec/logs/archives/archives.log (or archives.json) but it requires you to enable logall or logall_json (https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/global.html?highlight=logall#logall-json) in the Wazuh manager.
If you are using Elastic stack and indexing the archives/raw events into it then you might find this module https://www.elastic.co/what-is/elasticsearch-machine-learning for machine learning interesting.
Hope this helps.
Regards,
Wali
Raw events or all events send by the agents can be found in /var/ossec/logs/archives/archives.log (or archives.json) but it requires you to enable logall or logall_json (https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/global.html?highlight=logall#logall-json) in the Wazuh manager.
If you are using Elastic stack and indexing the archives/raw events into it then you might find this module https://www.elastic.co/what-is/elasticsearch-machine-learning for machine learning interesting.
Hope this helps.
Regards,
Wali
Eric
Apr 12, 2021, 3:28:28 AM4/12/21
to elw...@wazuh.com, Wazuh mailing list
Hello,
I need raw data events to do input for the FOSS that uses machine learning, not just the elastic stack. Do you know any other software that can do that?
Could you please point out the method to get raw data events from API or something like that?
Could you please point out the method to get raw data events from API or something like that?
Regards,
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b9cd1f97-bf98-43cb-b718-a08c9fb6497fn%40googlegroups.com.
elw...@wazuh.com
Apr 12, 2021, 6:27:20 AM4/12/21
to Wazuh mailing list
Hello,
The events/alerts are not currently accessible through the Wazuh API. You will need a forwarder (Filebeat in the case of Elastic Stack) or a script to read the events/alerts and send them to FOSS (I am not acquainted with it).
Hope it helps.
Regards,
Wali
The events/alerts are not currently accessible through the Wazuh API. You will need a forwarder (Filebeat in the case of Elastic Stack) or a script to read the events/alerts and send them to FOSS (I am not acquainted with it).
Hope it helps.
Regards,
Wali
elw...@wazuh.com
Apr 14, 2021, 2:28:48 AM4/14/21
to Wazuh mailing list
Adding up to my previous answer and if you are going to use Elasticstack, Wazuh provides a module for the archives/all events as you can find out here ( https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/open-distro/filebeat/7.x/filebeat_all_in_one.yml) that can be enabled by setting it to true ( archives:
enabled: false) then the events will be indexed under the index name `wazuh-archives-*`
Hope it helps.
Regards.
Wali
Hope it helps.
Regards.
Wali
Reply all
Reply to author
Forward
0 new messages