Suricata not display geolocation ip
244 views
Skip to first unread message
Muhammad Akmalul Hakim Samsuri
Jan 26, 2024, 8:00:16 AM1/26/24
to Wazuh | Mailing List
Hello,
Hi all. I would like any help. Here i use Suricata features in my wazuh. My problem is there is no show geolocation in dashboard. below is attached sample shown.
But on other than Suricata alert show the geolocation. also attached in picture below.
So i need help to solve my issue. Thanks in advance.
Hi all. I would like any help. Here i use Suricata features in my wazuh. My problem is there is no show geolocation in dashboard. below is attached sample shown.
But on other than Suricata alert show the geolocation. also attached in picture below.
So i need help to solve my issue. Thanks in advance.
ORENG ACADEMY SDN BHD CONFIDENTIALITY NOTICE & DISCLAIMER
The contents of this e-mail and its attachment, if any ("message") are intended for the named addressee only and may contain confidential information. If you are not the named addressee, you must not copy this message or disclose it to any other person. If you received this message by error, you should delete this message immediately and notify the sender by return e-mail.
ORENG ACADEMY SDN BHD disclaims all liability for any error, loss or damage arising from this message being infected by computer virus or other malicious software. The views and other information in this message that do not relate to the official business of ORENG ACADEMY shall not be deemed provided nor endorsed by ORENG ACADEMY SDN BHD
Luis Daniel Avendaño Larios
Jan 26, 2024, 10:54:52 AM1/26/24
to Wazuh | Mailing List
Hi
Muhammad,
Thanks for using wazuh!
I understand that you’re having trouble displaying geolocation data for Suricata alerts on your Wazuh dashboard. Here are some steps you can take to troubleshoot this issue:
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
</ossec_config>
Reference:
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html
I hope this helps, let me know if you need anything else.
Thanks for using wazuh!
I understand that you’re having trouble displaying geolocation data for Suricata alerts on your Wazuh dashboard. Here are some steps you can take to troubleshoot this issue:
- Wazuh Agent Configuration: Add the following configuration to the /var/ossec/etc/ossec.conf file of the Wazuh agent. This allows the Wazuh agent to read the Suricata logs file:
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
</ossec_config>
- After adding this configuration, restart the Wazuh agent to apply the changes.
- Enable GeoIP & Location Data in Wazuh: This requires the USE_GEOIP=yes building flag and a GeoIP database. Wazuh supports the legacy Maxmind GeoLite format, and the updated and maintained databases use the new GeoLite2 format It should be converted to the legacy format using an external tool. It requires additional configuration sections on internal_options.conf and ossec.conf file.
- Check Suricata Configuration: Make sure the eve log is enabled in your Suricata configuration (/etc/suricata/suricata.yaml). Also, check the log rotate options to avoid logs growing too big.
Reference:
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html
I hope this helps, let me know if you need anything else.
Reply all
Reply to author
Forward
0 new messages