Netflow guidelines in wazuh

[Azhar Hj.Mohd Ghazali]

Hi team

Kindly provide me the steps ot any useful links  on how to configure netflow data log transfer into wazuh environments.

Many thanks.

[eva....@wazuh.com]

Hello,

You can configure CISCO device to send logs to Wazuh manager via Syslog. Then, you should add a configuration block as follow in ossec.conf:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>10.0.0.0/24</allowed-ips>
  <local_ip>10.0.0.2</local_ip>
</remote>

Here you specify the communication method (Syslog), connection method, port, network, and Wazuh manager IP.

You can read more about it in our documentation.

I hope it helps you.

Regards,
Eva

​

[Azhar Hj.Mohd Ghazali]

Hi

Thanks for the reply.

One more question how do i use that log of netflow index and represent it to kibana dashboard.

There we need to see the ip, src ip, dest ip protocol bytes etc.

Appreciate your help.

Thanks

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/349e7ce5-082a-4cd7-be83-906fbec3abd1n%40googlegroups.com.

[eva....@wazuh.com]

You are welcome!

Once Wazuh manager receives the events, It processes them using ruleset detection.

You should set rules and decoders for Netflow events. You can follow our documentation to create them.

If you send us some log examples, we will help you.

Regards,
Eva

[Azhar Hj.Mohd Ghazali]

Hi,

I just downgrade filebeat from 7.9.1 to 7.6 to have netflow modules. Manage to enable but once restarted the filebeat services.

here the error message ,

What i have miss here, pls help.

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c1ff3bdb-1e13-44dc-b70f-59a901d31a59n%40googlegroups.com.

[eva....@wazuh.com]

It seems to be caused by the versions. You can check the version's compatibility here. Additionally, you should check the version compatibility in Elastic Stack.

If the versions are compatible, send us some log messages and filebeat configuration to help you.

Regards,
Eva

[Azhar Hj.Mohd Ghazali]

Hi Eva,

I am using filebeat 7.10.2

once start filebeat got error,

this is logstash LOG

Pls advise.

BR,

Azhar

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2f4a888b-7f9a-4698-9a89-f344b4c1230en%40googlegroups.com.

[Mariano Koremblum]

Hi Azhar!

It seems that there are some permissions missing on the “/usr/shared/logstash” directory. Please try to add writing and reading permissions to all users on this directory by running the following command:

# chmod -R ugo+rw /usr/shared/logstash/

Let me know if it worked and if we can help you with something else :)

PS: Please, remind to open a new “conversation” (google group thread) for each new question/doubt/issue you want to talk about that is not related with the current conversation header/title, or, at least, mention that you will start a question that is not a consequence of previous messages on the thread. Doing so will help the community to find solutions or answers easier and faster, thanks in advance!

Regards,

Nicolás Mariano Koremblum

​

[Azhar Hj.Mohd Ghazali]

Hi Mariano

I have followed the steps (chmod -R ugo+rw <path>),  and enable back the netflow modules. 

Restart filebeat and find another error coming as below :

Pls help.

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/76679f33-11e9-48a2-b290-01d2bd9c548cn%40googlegroups.com.

[Mariano Koremblum]

Hi Azhar, can you please verify if the Elasticsearch service is running? In the case that is not running, please restart it and check again if it is working.

In order to do so, first check:

# systemctl status elasticsearch.service

If this service is not running, then run:

# systemctl restart elasticsearch.service

and then run the first command again in order to check that it started correctly.

When this service is running, try restarting again the Filebeat service.

Let us know how it goes. Regards,

Nicolás Mariano Koremblum

​

[Azhar Hj.Mohd Ghazali]

Hi Mariona,

Yes, it was running and then i restarted again the elasticesearch.and filebeat.

Same error from logstash

Pls help.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/5dc87bd5-9b50-4824-be66-9f7d1443649en%40googlegroups.com.

[Mariano Koremblum]

Hi,

Please, if you can, attach in this thread the following files (if you have them) in order to have a better understanding of the problem:

• /etc/elasticsearch/elasticsearch.yml  
• /etc/filebeat/filebeat.yml  
• /etc/logstash/logstash.yml  

Regards

[Azhar Hj.Mohd Ghazali]

Hi Mariano,

Sure.

As attached are the 3 files you requested.

Appreciate your help.

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f1021872-76e6-4b20-83bf-98b0c772a7f9n%40googlegroups.com.

[Mariano Koremblum]

Hi Azhar,

Additionally to the “chmod” you did before, please try adding execution permissions too, as follows:

# chmod -R ugo+x /usr/shared/logstash/

After doing this, try restarting all the modules involved:

# systemctl restart elasticsearch.service
# systemctl restart logstash.service
# systemctl restart filebeat.service

And then, check that these three are correctly running:

# systemctl status elasticsearch.service
# systemctl status logstash.service
# systemctl status filebeat.service

In case that it still doesn’t work, please copy/paste here the log errors (please, avoid pasting an image / screenshot of the log since it is harder to process).

Additionally, try connecting to the elasticsearch service by means of using “curl” as follows:

# curl -k  -XGET https://127.0.0.1:9200

Does this work? If not, please copy the output here too.

We will be waiting for your answer,

Regards

​

[Azhar Hj.Mohd Ghazali]

Hi mariano,

FYI, i have reinstall wazuh 4.0.4 and follow steps by steps from the docs:

i run curl command as below

But the weird thing, no netflow modules in filebeat path of modules.d. ?

Pls advise.

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d8a0963e-940a-49d1-8d6d-81ad9af0c783n%40googlegroups.com.

[Mariano Koremblum]

Hi Azhar, sorry for the delay. We are doing some work in order to give you an answer. Thanks for the patience.

Regards,

[Mariano Koremblum]

Hi Azhar!

The NetFlow module is part of the Elastic Stack’s Filebeat product. You can have all the information related to it in the ES’s Netflow Module page. If you check the ES’ Subscriptions Matrix you can see that NetFlow module is not included on the Free and Open ¹ subscription, which is the one that Wazuh has at the time. So, by default you do not have such module in your system.

Despite this, you can still download manually the Filebeat package (with the BASIC license) which has the NetFlow module incorporated. In order to do so, and taking into account that you are using Filebeat 7.9.1, you can follow next steps in order to upgrade it:

1- Download the Filebeat 7.9.1 deb package:

# mkdir ~/filebeat_7_9_1/
# cd ~/filebeat_7_9_1/
# curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.9.1-amd64.deb

2- Install the Filebeat 7.9.1 deb package:

# dpkg -i ~/filebeat_7_9_1/filebeat-7.9.1-amd64.deb

3- List Filebeat modules:

# filebeat modules list

4- If the previous step throws the message “Error in modules manager: modules management requires ‘filebeat.config.modules.path’ setting”, do the following:

# echo "filebeat.config.modules.path: \${path.config}/modules.d/*.yml" >> /etc/filebeat/filebeat.yml
# filebeat modules list

5- If everything went right so far and the module is listed, you can now enable it:

# filebeat module enable netflow

There have been some changes on the ES Subscriptions lately, so please stay tuned for future changes on this topic.

I hope our answer helps you! We remain always at your disposal,

PS: Please, remind opening new conversations in the Wazuh's google group if the new questions/issues are not completely related to this thread, thanks in advance!

Regards,

Koremblum Nicolás Mariano

​

[Azhar Hj.Mohd Ghazali]

Hi Mariano

What do you mean "Basic License:" of filebeat 7..9.1. Do we need to purchase the license or subscribe the support.

Pls advise.

Thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a2fd69f8-ac82-4915-86f2-9abb42f45acbn%40googlegroups.com.

[Mariano Koremblum]

Hi Azhar,

No, it is not necessary to acquire any license or subscription. As it says in the ES' License Management docs, when you install the default distribution free features are included with no expiration date.

Let us know if you could solve it!

Best regards,

Koremblum Nicolás Mariano