Monitoring resources Wazuh
262 views
Skip to first unread message
Facu Basgall
May 9, 2024, 2:40:25 PM5/9/24
to Wazuh | Mailing List
Hi! I would like to know if there is the possibility, with wazuh or using some external api, to monitor the resources of the wazuh server itself to generate alerts when, for example, the disk is 90% of its capacity.
thank you very much
thank you very much
Stuti Gupta
May 9, 2024, 11:33:36 PM5/9/24
to Wazuh | Mailing List
Hi team!
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.
Please allow me some time. I'm looking into this query and will update you with an appropriate answer.
Stuti Gupta
May 10, 2024, 1:53:23 AM5/10/24
to Wazuh | Mailing List
Hi
Facu Basgall
There is a blog (https://wazuh.com/blog/monitoring-linux-resource-usage-with-wazuh/) that provides resource monitoring guidance you can apply that to your Wazuh server setup. To implement this, edit the Wazuh manager's /var/ossec/etc/ossec.conf file. Inside the <ossec_config> block, insert the following command monitoring configuration:
<!-- CPU, memory, disk metric -->
<localfile>
<log_format>full_command</log_format>
<command>echo $(top -bn1 | grep Cpu | awk '{print $2+$4+$6+$12+$14+$16}' ; free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' ; df -h | awk '$NF=="/"{print $5}'|sed 's/%//g')</command>
<alias>general_health_metrics</alias>
<out_format>$(timestamp) $(hostname) general_health_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- load average metrics -->
<localfile>
<log_format>full_command</log_format>
<command>uptime | grep load | awk '{print $(NF-2),$(NF-1),$NF}' | sed 's/\,\([0-9]\{1,2\}\)/.\1/g'</command>
<alias>load_average_metrics</alias>
<out_format>$(timestamp) $(hostname) load_average_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- memory metrics -->
<localfile>
<log_format>full_command</log_format>
<command>free --bytes| awk 'NR==2{print $3,$7}'</command>
<alias>memory_metrics</alias>
<out_format>$(timestamp) $(hostname) memory_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- disk metrics -->
<localfile>
<log_format>full_command</log_format>
<command>df -B1 | awk '$NF=="/"{print $3,$4}'</command>
<alias>disk_metrics</alias>
<out_format>$(timestamp) $(hostname) disk_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
Afterward, restart the Wazuh manager to apply the changes: systemctl restart wazuh-manager
Additionally, follow the instructions in the blog to add custom rules and decoders. Note that newly added custom fields created in the custom decoder might appear as unknown fields initially. This occurs because the Wazuh dashboard may not recognize the new fields. To rectify this, update the index pattern in the dashboard to include the new fields.
For creating visualizations and dashboards using alerts, ensure that all custom fields' data types are set to double. By default, the Wazuh indexer analyzes values from existing alerts as string data types. To change the default data type from string to double, modify the Wazuh template as outlined in the blog. Follow the steps provided in the blog to accomplish this task.
Hope this helps
There is a blog (https://wazuh.com/blog/monitoring-linux-resource-usage-with-wazuh/) that provides resource monitoring guidance you can apply that to your Wazuh server setup. To implement this, edit the Wazuh manager's /var/ossec/etc/ossec.conf file. Inside the <ossec_config> block, insert the following command monitoring configuration:
<!-- CPU, memory, disk metric -->
<localfile>
<log_format>full_command</log_format>
<command>echo $(top -bn1 | grep Cpu | awk '{print $2+$4+$6+$12+$14+$16}' ; free -m | awk 'NR==2{printf "%.2f\t\t\n", $3*100/$2 }' ; df -h | awk '$NF=="/"{print $5}'|sed 's/%//g')</command>
<alias>general_health_metrics</alias>
<out_format>$(timestamp) $(hostname) general_health_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- load average metrics -->
<localfile>
<log_format>full_command</log_format>
<command>uptime | grep load | awk '{print $(NF-2),$(NF-1),$NF}' | sed 's/\,\([0-9]\{1,2\}\)/.\1/g'</command>
<alias>load_average_metrics</alias>
<out_format>$(timestamp) $(hostname) load_average_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- memory metrics -->
<localfile>
<log_format>full_command</log_format>
<command>free --bytes| awk 'NR==2{print $3,$7}'</command>
<alias>memory_metrics</alias>
<out_format>$(timestamp) $(hostname) memory_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
<!-- disk metrics -->
<localfile>
<log_format>full_command</log_format>
<command>df -B1 | awk '$NF=="/"{print $3,$4}'</command>
<alias>disk_metrics</alias>
<out_format>$(timestamp) $(hostname) disk_check: $(log)</out_format>
<frequency>30</frequency>
</localfile>
Afterward, restart the Wazuh manager to apply the changes: systemctl restart wazuh-manager
Additionally, follow the instructions in the blog to add custom rules and decoders. Note that newly added custom fields created in the custom decoder might appear as unknown fields initially. This occurs because the Wazuh dashboard may not recognize the new fields. To rectify this, update the index pattern in the dashboard to include the new fields.
For creating visualizations and dashboards using alerts, ensure that all custom fields' data types are set to double. By default, the Wazuh indexer analyzes values from existing alerts as string data types. To change the default data type from string to double, modify the Wazuh template as outlined in the blog. Follow the steps provided in the blog to accomplish this task.
Hope this helps
Facu Basgall
May 10, 2024, 9:19:38 AM5/10/24
to Wazuh | Mailing List
thank you very much for your answer, that's what I needed.
Facu Basgall
May 10, 2024, 2:00:14 PM5/10/24
to Wazuh | Mailing List
I take this opportunity to ask you, is there something similar to do the same in agents with windows? thanks
Stuti Gupta
May 13, 2024, 12:36:27 AM5/13/24
to Wazuh | Mailing List
Hi Facu Basgall
For windows you can refer to https://wazuh.com/blog/monitoring-windows-resources-with-performance-counters/
Hope this helps
For windows you can refer to https://wazuh.com/blog/monitoring-windows-resources-with-performance-counters/
Hope this helps
Facu Basgall
Jun 19, 2024, 7:15:41 AM6/19/24
to Wazuh | Mailing List
Hi, I was trying to replicate the same thing on another Wazuh installation, but when I re-indexed the data I got a timeout error, I think it's because the daily indexes are between 2 and 4gb.
I left it for a few days thinking that it was going to settle and today when I check it I see that they were converted to doublue as the guide recommends but it is in conflict because other indexes were left as keyword.
Is there a way to fix it without deleting the indexes? This is a productive AIO environment with 100 agents.
I left it for a few days thinking that it was going to settle and today when I check it I see that they were converted to doublue as the guide recommends but it is in conflict because other indexes were left as keyword.
Is there a way to fix it without deleting the indexes? This is a productive AIO environment with 100 agents.
0 new messages