wazuh integration with palo


Black Burn

Nov 28, 2024, 7:44:46 AM
to Wazuh | Mailing List
Hi everyone,

I downloaded the Wazuh OVA from the official page and deployed it to vCenter. I deployed it for testing Wazuh event management. Currently I have started to send Palo Alto NGFW logs to Wazuh. I can see the incoming traffic in Wazuh via tcpdump, but there are no logs in "Discover". I added this to ossec.conf:
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>palongfw-ip</allowed-ips>
    <local_ip>wazuh-server-local-ip</local_ip>
  </remote>
</ossec_config>

My Wazuh version is 4.9.2.

Black Burn

Nov 28, 2024, 7:48:05 AM
to Wazuh | Mailing List
Please help me with this case.
Thanks in advance.

Olusegun Adenrele Oyebo

Nov 28, 2024, 1:10:19 PM
to Wazuh | Mailing List
Hello,

Have you checked the archive.log file to see if the logs are there?

Enable archive logging on the Wazuh server using the procedure below. Archive logs capture all events, regardless of whether they trigger a rule or not (reference):
  • Go to the file /var/ossec/etc/ossec.conf and enable <logall_json> (screenshot attached).
  • Save the changes and restart the Wazuh manager service:
    • service wazuh-manager restart
  • You can then monitor the archive.log file:
    • tail -f /var/ossec/logs/archives/archives.log
Do not forget to disable archive logging after verifying that the logs are coming to Wazuh.

If you see the logs in the file, then you'll need to create custom rules and decoders by using the below links as a guide.
I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.
Wazuh logall json.png

Black Burn

Nov 29, 2024, 6:21:54 AM
to Wazuh | Mailing List
Hello,

Yes, I found the logs after configuring logall_json. I found them in archive.log. I found this information for Palo:
https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0700-paloalto_rules.xml
https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0505-paloalto_decoders.xml

But I don't know what is next.

Olusegun Adenrele Oyebo

Nov 30, 2024, 3:18:16 PM
to Wazuh | Mailing List
Hello,

Since you can see the logs in the archive.json file but not on the dashboard, it seems the logs are not matching the default Palo Alto rules and decoders; hence you'll need to create your own custom decoders and rules for the logs. Can you share with me a sample of the log as it appears in the archive.json file, so that I can test it in my lab?

Will be expecting your feedback.

Best regards.
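What a minimal custom decoder and rule pair for this situation looks like, as an added example that is not part of the thread and not Wazuh's own 0505/0700 ruleset: the decoder matches a PAN-OS TRAFFIC line and pulls out serial, subtype, source, destination and rule name; the two rules turn every decoded line into a level-3 alert (the default <log_alert_level> is 3, so it reaches alerts.json and the dashboard) and raise denied sessions to level 7. The sample line in the comment is constructed; the field positions follow the PAN-OS traffic log layout (receive time, serial, type, subtype, future-use, generated time, source, destination, NAT source, NAT destination, rule), so check them against a line from your own archives before trusting the extracted values. The decoder names, rule IDs and file paths (local_decoder.xml, local_rules.xml) are my choices, not something from the posts.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml  (added example)

     Constructed sample line, as it looks after the Wazuh syslog pre-decoder
     has removed the "Nov 28 07:44:46 PA-FW " header:
     1,2024/11/28 07:44:46,001234567890,TRAFFIC,end,2049,2024/11/28 07:44:40,10.10.1.25,203.0.113.7,,,Allow-Web,,,web-browsing,vsys1,trust,untrust,...
-->
<decoder name="panos-custom">
  <!-- Parent decoder: recognises the leading fields of any TRAFFIC log.
       Rules refer to this name in <decoded_as>. -->
  <prematch>^\d+,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,\S+,TRAFFIC,</prematch>
</decoder>

<decoder name="panos-custom-traffic">
  <parent>panos-custom</parent>
  <!-- Captures, in order: serial, subtype (start/end/drop/deny), source IP,
       destination IP, rule name.  The two NAT fields between dst and rule
       may be empty, hence \S* rather than \S+. -->
  <regex>^\d+,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,(\S+),TRAFFIC,(\w+),\S*,\S+ \S+,(\S+),(\S+),\S*,\S*,(\S+),</regex>
  <order>serial,subtype,srcip,dstip,fw_rule</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml  (added example)
     Custom rule IDs must be 100000 or higher. -->
<group name="panos,custom,">
  <rule id="100100" level="3">
    <decoded_as>panos-custom</decoded_as>
    <description>PAN-OS traffic $(subtype): $(srcip) to $(dstip) by rule $(fw_rule)</description>
    <group>firewall,</group>
  </rule>

  <rule id="100101" level="7">
    <!-- Child rule: only sessions the firewall refused. -->
    <if_sid>100100</if_sid>
    <field name="subtype">deny|drop</field>
    <description>PAN-OS traffic denied: $(srcip) to $(dstip) by rule $(fw_rule)</description>
    <group>firewall,access_denied,</group>
  </rule>
</group>
```

Before restarting the manager, paste the sample line into /var/ossec/bin/wazuh-logtest: phase 2 should show decoder panos-custom with the five fields, and phase 3 should show rule 100100 (or 100101 for a deny line). If phase 2 shows no decoder, the line from your own archives differs from the constructed one and the prematch or regex needs adjusting to it; that is exactly why the reply above asks for a real sample.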

Black Burn

Dec 2, 2024, 1:39:30 AM
to Wazuh | Mailing List
Hi,

I decreased the alert level and currently I can see some system logs from Palo on the Wazuh dashboard. But there are no traffic, threat, etc. logs there. Can you share your decoders and rules with me?
Is there any way to send logs to the dashboard without decoders and rules? I just need to store the logs on some log server, with parsing or without parsing.

Black Burn

Dec 2, 2024, 1:41:35 AM
to Wazuh | Mailing List
Here is the configuration in ossec.conf:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

Black Burn

Dec 2, 2024, 6:53:33 AM
to Wazuh | Mailing List
There is another question I have. How do I need to add decoders or rules?

Olusegun Adenrele Oyebo

Dec 2, 2024, 7:17:41 AM
to Wazuh | Mailing List
Hello,

If you want to send logs to the Wazuh dashboard without decoders and rules, then you'll need to enable Wazuh archiving and visualize the events on the dashboard. This ships and saves logs to the Wazuh server whether they trigger a rule or not, but using decoders and rules will help to identify relevant data elements from the log messages and trigger alerts based on specific patterns in the decoded events. If you still decide to enable archive logging, you can use the below link as a guide.
Note: The Wazuh archives retain logs collected from all monitored endpoints, therefore consuming significant storage resources on the Wazuh server over time. So, it is important to consider the impact on disk space and performance before enabling them.

Based on your other query on adding decoders and rules, I already shared in my previous response some guides that will be helpful to you. I'll share them again:
If you'll still need further assistance on this, you can share with us sample logs from alerts.json file.

I hope this helps. We remain attentive to your queries.

Best regards.

Black Burn

Dec 5, 2024, 8:51:47 AM
to Wazuh | Mailing List
Hi,

I'm trying to check it this way:

I configured rsyslog to receive logs from a specific host into a custom log file. It's working normally and collecting the logs.
After this, I want to make Wazuh read this log file and make the logs visible in the Wazuh GUI.

I checked the option you said. But when I change the configuration like this:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

in this case it's collecting logs to archive.log and also to /var/ossec/logs/archives/2024/Dec. In total, in this case I am collecting logs into several files. It's not suitable for me due to storage issues.

Olusegun Adenrele Oyebo

Dec 7, 2024, 6:27:27 AM
to Wazuh | Mailing List
Hello,

Yes, in my previous mail I already mentioned the storage issues when it comes to enabling archive logging for a long time. In your case, you can set only the <logall_json>yes</logall_json> option, and this will allow you to create an index that can be used to visualize the events on the Wazuh dashboard. If you still have concerns about the storage consumption, I would suggest you disable it and then create custom rules and decoders, which will help to identify relevant data elements from the log messages and trigger alerts based on specific patterns in the decoded events. You'll need to choose one of the two options.

I hope this provided clarity. We remain attentive to your queries.

Best regards.
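The two ossec.conf pieces that correspond to the Dec 5 set-up (rsyslog writing the firewall's lines to a file that Wazuh should read) and to the Dec 7 advice (keep only the JSON archive), as an added example rather than configuration from either poster. The file path under <location> is an assumption; use whatever path your rsyslog rule writes to. <localfile> and <global> are existing Wazuh manager options; edit the <global> block that is already in ossec.conf rather than adding a second one.

```xml
<!-- Added example: ossec.conf fragments for the rsyslog-file approach. -->
<ossec_config>
  <!-- Read the file rsyslog writes for the firewall instead of (or next to)
       the <remote> UDP/514 listener.  log_format "syslog" makes the
       pre-decoder strip the "Nov 28 07:44:46 PA-FW " header, so the same
       decoders that match lines received directly over syslog match these
       lines too.  Path is assumed. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/panos/panos.log</location>
  </localfile>

  <global>
    <!-- archives.log (plain text) and archives.json carry the same events;
         writing both doubles the disk usage under /var/ossec/logs/archives.
         Only archives.json is shipped to the indexer, so keep that one and
         turn the text archive off. -->
    <logall>no</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

Two things this fragment does not do on its own: the manager must be restarted for <localfile> to take effect, and archived events reach the dashboard only after the archives input is enabled in the Filebeat Wazuh module on the server and a wazuh-archives-* index pattern is created, which is the "below link" step in the Dec 2 reply. Reading the file locally changes nothing about rule matching: lines that match no decoder still appear only in the archive, not as alerts.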