Query Related Making Custom Dashboards for syslog


team blue

Jun 30, 2022, 2:38:17 AM
to Wazuh mailing list
Greetings!

Wazuh is working perfectly in our environment. The only problem that we are facing is that, in the case of syslog, you have to monitor all the logs in the security logs, which is very difficult. Is there any way to make custom dashboards for syslog-based logs as well, like we have for the agents? The problem is that all the logs from switches, IDS, and firewalls are under security events. If we have separate dashboards for these logs it will be very helpful, like we have in the case of agents. There should be different dashboards for IDS, firewall, servers, and switches.

Regards. 

Alejandro Ruiz Gonzalez

Jun 30, 2022, 3:48:56 AM
to Wazuh mailing list
Hello,

Thanks for using Wazuh!

You can create your custom dashboards based on the filter you need for them. To create one, for instance, you can select the groups of the alerts that you are trying to filter and then add them to a custom dashboard/visualization.

You can find more information about creating custom dashboards below:

Let me know if that information was useful to you.

team blue

Jul 1, 2022, 3:47:17 AM
to Wazuh mailing list
Greetings!

I wanted to make custom dashboards only for logs coming from specific devices like firewall, IDS, and servers. If I select wazuh-alerts-* then it will make a single custom dashboard for all the devices. How do I make separate dashboards? For example, if I want to make a custom dashboard for the firewall, what should my source index be? If I select wazuh-alerts-*, it is not only for the firewall; it basically includes alerts coming from all the devices.

Regards.

Alejandro Ruiz Gonzalez

Jul 4, 2022, 8:26:32 AM
to Wazuh mailing list
Hello,

In this case you won't be able to do that, because your logs from the specific devices are stored on the pattern wazuh-alerts-*. So in case you want to separate the different logs from these devices, you may use a filter that catches every log for each device, such as the location where you are reading these logs on your Wazuh agent.

Let me know if that information was useful to you.

team blue

Jul 5, 2022, 1:28:01 AM
to Alejandro Ruiz Gonzalez, Wazuh mailing list
Greetings!

I am trying to make a separate dashboard for different devices. For example, I want to build a custom dashboard for a firewall that will be different from the custom dashboard of the IDS. Now I do not know what my source index should be. If I use wazuh-alerts-*, then it will be a single custom dashboard. How do I choose a source index only for firewall alerts?

Regards.  


Juan Carlos Tello

Jul 12, 2022, 5:50:26 AM
to team blue, Alejandro Ruiz Gonzalez, Wazuh mailing list
Greetings,

You may create a dashboard and visualizations with built-in filters for the location from which you are collecting the logs, after creating your custom dashboards using the documentation provided by my colleague.
If you're using the Wazuh manager's remote syslog collection, then you can filter with the IP of your source using the location field.

Furthermore, if you wish to filter for all logs whose location starts with a number you may edit the filter as a DSL query and use the following expression:
{
  "query": {
    "regexp": {
      "location": {
        "value": "[0-9].*"
      }
    }
  }
}

If you're using rsyslog to collect the logs and place them in a file then you can filter for that file's path instead of the IP.

Please let us know if you have any more questions.
Best regards,
Juan C. Tello
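The following is an added example, not code from the thread or from Wazuh: it shows how the location-based split suggested above would be expressed as one query DSL filter per device class (a regexp on the location field, the same shape as the expression in the reply), and checks those filters locally against a few constructed wazuh-alerts-* documents. The IP addresses, file path and rule IDs are assumptions chosen for the example.

```python
import json
import re

# Constructed sample alerts in the shape of wazuh-alerts-* documents; only the
# fields relevant to the location-based split are included (hypothetical values).
SAMPLE_ALERTS = [
    {"rule": {"id": "100001"}, "location": "10.0.0.1"},                       # firewall, remote syslog
    {"rule": {"id": "100002"}, "location": "10.0.1.5"},                       # IDS, remote syslog
    {"rule": {"id": "100003"}, "location": "/var/log/rsyslog/switches.log"},  # switches via rsyslog file
    {"rule": {"id": "5501"},   "location": "/var/log/auth.log"},              # agent log, not a syslog device
]

# One query DSL filter per device class (assumed addresses/paths). Each object is what
# you would paste when editing a dashboard filter as Query DSL, as the reply describes.
DEVICE_FILTERS = {
    "firewall": {"query": {"regexp": {"location": {"value": "10\\.0\\.0\\.[0-9]+"}}}},
    "ids":      {"query": {"regexp": {"location": {"value": "10\\.0\\.1\\.[0-9]+"}}}},
    "switches": {"query": {"regexp": {"location": {"value": "/var/log/rsyslog/switches\\.log"}}}},
}


def regexp_matches(filter_dsl, alert):
    """Evaluate a single-field regexp DSL filter locally. A regexp query must match the
    whole field value, so re.fullmatch is used rather than re.search."""
    field, spec = next(iter(filter_dsl["query"]["regexp"].items()))
    return re.fullmatch(spec["value"], alert.get(field, "")) is not None


def split_by_device(alerts, filters=DEVICE_FILTERS):
    """Return {device_class: [rule ids]}: the alerts each per-device dashboard would show."""
    result = {name: [] for name in filters}
    for alert in alerts:
        for name, dsl in filters.items():
            if regexp_matches(dsl, alert):
                result[name].append(alert["rule"]["id"])
    return result


def syslog_source_filter():
    """The reply's own expression: every alert whose location starts with a digit,
    i.e. received via the manager's remote syslog listener rather than read from a file."""
    return {"query": {"regexp": {"location": {"value": "[0-9].*"}}}}


if __name__ == "__main__":
    print(json.dumps(split_by_device(SAMPLE_ALERTS), indent=2))
    print([a["rule"]["id"] for a in SAMPLE_ALERTS if regexp_matches(syslog_source_filter(), a)])
```

The local matcher only mirrors the regexp query's whole-value semantics; the authoritative behaviour is the indexer's, so verify each filter in Discover on the wazuh-alerts-* pattern before pinning it to a dashboard.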
