Wazuh receives data from syslog but it is not displayed in Kibana


Daulet Kassymbekov

Sep 25, 2019, 4:29:15 AM
to Wazuh mailing list

Hello command!!!
I'm testing the Wazuh virtual machine. During testing I included a localfile and syslog from port 514/udp. But Kibana does not see the files. Also, it does not see the syslogs. Please help me, what am I doing wrong???
Below are the settings and screenshots.

  1. Configuration ossec.conf (global, remote, localfile)

<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
  <email_notification>no</email_notification>
  <smtp_server>smtp.example.wazuh.com</smtp_server>
  <email_from>oss...@example.wazuh.com</email_from>
  <email_to>reci...@example.wazuh.com</email_to>
  <email_maxperhour>12</email_maxperhour>
  <email_log_source>alerts.log</email_log_source>
</global>

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>

.......

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>IP_adress_Firewall</allowed-ips>
</remote>

........

<ossec_config>
  <localfile>
    <location>/var/fortigate/*.log</location>
    <log_format>syslog</log_format>
    <target>fortigate_agent</target>
  </localfile>
</ossec_config>

  2. Wazuh receives syslog on port 514 and writes it to the file archives.log

archives log (screenshot)

  3. I tested one line from the logfile archives.log with ossec-logtest. Result:

ossec-logtest (screenshot)

Kibana web screenshots:
log collection
ossec_config_log collection
kibana

Juan Pablo Saez

Sep 25, 2019, 6:16:30 AM
to Wazuh mailing list
Hi Daulet,

 Let's trace the event route to find out where it is being lost:
  • You have checked that syslog messages are received and recorded in /var/ossec/logs/archives/archives.log. We know that the events are reaching the manager.
  • Now, you should check whether these events generated alerts in /var/ossec/logs/alerts/alerts.log. You could check it with: # cat /var/ossec/logs/alerts/alerts.log | grep 81603
Please let me know if you find alerts corresponding to these events.

Greetings, Juan Pablo Sáez


Daulet Kassymbekov

Sep 25, 2019, 6:30:54 AM
to Wazuh mailing list
Hi Juan Pablo Sáez!!!

Events are not generated in /var/ossec/logs/alerts/alerts.log.
Below are the screenshots archives_log_new and alerts_log.

On Wednesday, September 25, 2019, 16:16:30 UTC+6, Juan Pablo Saez wrote:

Attachments: archives_log_new.JPG, alerts_log.JPG

Juan Pablo Saez

Sep 25, 2019, 7:02:50 AM
to Wazuh mailing list
Hi again Daulet,

Events are not generated in /var/ossec/logs/alerts/alerts.log

Ok, let's see what happens:

Could you paste the text version of your archive log events here? This way I can use it for debugging purposes. Of course, feel free to obfuscate the sensitive data.

Greetings, JP Saez

Daulet Kassymbekov

Sep 25, 2019, 8:44:26 AM
to Wazuh mailing list
Attached to this message are the log and my modified decoder.

On Wednesday, September 25, 2019, 17:02:50 UTC+6, Juan Pablo Saez wrote:

Attachments: ossec-archive-21.log, 0100-fortigate_decoders.xml

Juan Pablo Saez

Sep 25, 2019, 9:49:42 AM
to Wazuh mailing list
Hello Daulet,

Do you have custom rules related to these custom decoders? If yes, could you please paste them here?

On the other hand, I want to remind you that custom decoders outside of /var/ossec/etc/decoders/local_decoder.xml and custom rules outside of /var/ossec/etc/rules/local_rules.xml are removed on Wazuh upgrades, so it's better to place your custom rules/decoders there.

Greetings, JP Sáez 

Daulet Kassymbekov

Sep 25, 2019, 11:29:59 PM
to Wazuh mailing list
HI!!! Ok. At the end of the file local_fortigate_decoders I inserted the Fortigate 6.0 decoders. And I deleted the file 0100-fortigate_decoder.xml.
Below is the ruleset section of my ossec.conf:

<ruleset>
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <rule_exclude>0390-fortigate_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
</ruleset>

On Wednesday, September 25, 2019, 19:49:42 UTC+6, Juan Pablo Saez wrote:

Attachments: local_fortigate_decoders.xml, local_fortigate_rules.xml, Local_decoder kibana.JPG, local_rules.JPG

Juan Pablo Saez

Sep 26, 2019, 6:54:29 AM
to Wazuh mailing list
Hi Daulet,

After analyzing your logs, it seems like your Fortigate events only trigger the 81603 ID rule.

  • To check if Fortigate alerts reach Kibana correctly, you can increase the level of the 81603 rule from 0 to 3. Be careful because this way all Fortigate events will generate an alert and the manager can be flooded quickly.
  • You can create new rules that fire according to the criteria you set. We can help you with this. Your new rules should point to the 81603 rule.
  • A tricky option is modifying the Fortigate v6 decoder to make your logs match the current rule.

Please, let me know if it helps. Greetings,

JP Sáez
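The second option above (child rules that point to rule 81603 instead of editing the built-in rule) looks like the following in a local_rules.xml. This is an added example written for this thread, not code from the Wazuh ruleset or from either participant. Rule IDs 100100 and 100101 are hypothetical values from the custom range, and the second rule assumes the raw Fortigate log line contains the key/value pair "action=deny".

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (kept across Wazuh upgrades, as noted above) -->
<group name="fortigate,local,">

  <!-- Child of the built-in grouping rule 81603 (level 0). Level 3 is enough
       to be written to alerts.log with log_alert_level=1, so every Fortigate
       event becomes an alert: this is the "flood" case described above, so
       keep it only while confirming that events reach Kibana. -->
  <rule id="100100" level="3">
    <if_sid>81603</if_sid>
    <description>Fortigate: event received (pipeline check)</description>
  </rule>

  <!-- Narrower child rule that fires only for denied traffic. Assumption: the
       raw log contains "action=deny"; <match> is evaluated on the full log
       text, so no decoder field name from the custom decoder is needed. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>action=deny</match>
    <description>Fortigate: traffic denied by firewall policy</description>
    <group>firewall_drop,</group>
  </rule>

</group>
```

After restarting the manager, paste one line from archives.log into ossec-logtest (the tool used earlier in this thread) and check that the output now shows rule 100100 or 100101 instead of 81603 at level 0. Note that <if_sid>81603</if_sid> only resolves if the file defining that rule is actually loaded; with a <rule_exclude> for 0390-fortigate_rules.xml in the ruleset section, the parent rule does not exist and these child rules will never fire.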