Wazuh Integration into Web Infrastructure


Ivan Stricker

May 2, 2024, 3:44:06 AM
to Wazuh | Mailing List
Hello everyone,

We are currently in the process of fully integrating Wazuh into our new WebApp infrastructure, which consists of approximately 700 Linux endpoints. Primarily, we are using Debian and Ubuntu as operating systems. The agents have already been deployed, and basic configurations such as vulnerability scanners have been implemented. Now, it's time to move away from the default settings through initial group configuration.

I've envisioned the following grouping structure for our configurations:
- **Linux-Basic**: Group with basic settings for all servers.
- **Linux-Frontend**: Includes Apache web servers, HA proxies, etc.
- **Linux-Backend**: Backends running Django and Java.
- **Linux-DB**: PostgreSQL database servers.

Given this structure, I would like to gather your recommendations on the modules to use as well as the configured log settings for each of the mentioned groups. Which specific logs should we prioritize to generate a maximum of relevant information? How would you ensure clarity and manage data retention?

### Frontend Server with Apache
```xml
<!-- Agent ossec.conf (or the group's shared agent.conf): Apache log monitoring -->
<ossec_config>
    <!-- Apache Access and Error Log Monitoring -->
    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/apache2/access.log</location> <!-- Access logs -->
    </localfile>
    <localfile>
        <log_format>apache</log_format>
        <location>/var/log/apache2/error.log</location> <!-- Error logs -->
    </localfile>
</ossec_config>
```

```xml
<!-- Manager /var/ossec/etc/rules/local_rules.xml: a <rule> element is not accepted
     inside <ossec_config>. Custom rules live in the manager's ruleset, wrapped in a
     <group> element, with ids in the custom range 100000-120000. -->
<group name="local,web,web_app,">
    <!-- Special Web Attack Detection Rule: raise the built-in XSS rule to level 10 -->
    <rule id="100151" level="10"> <!-- custom-range id; 100151 is an example value -->
        <if_sid>31105</if_sid> <!-- built-in "XSS (Cross Site Scripting) attempt" rule -->
        <description>Cross Site Scripting Attack Detected</description>
        <group>web,web_app,</group>
    </rule>
</group>
```

### Backend Server with Java/Django
```xml
<!-- Configuration for Java/Django Backend Servers -->
<ossec_config>
    <!-- Application Log Monitoring -->
    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/app/app.log</location> <!-- Application logs -->
    </localfile>

    <!-- Process and Anomaly Monitoring: hourly snapshot of Java processes, forwarded
         as a log event. A command wodle with <ignore_output>yes</ignore_output> would
         run the command but never forward its output; full_command sends the complete
         output to the manager, where rules can act on it. The command runs through a
         shell, so the pipe works; grep [j]ava keeps grep itself out of the listing. -->
    <localfile>
        <log_format>full_command</log_format>
        <command>ps aux | grep [j]ava</command>
        <alias>java_memory_usage</alias>
        <frequency>3600</frequency> <!-- seconds; check every hour -->
    </localfile>
</ossec_config>
```

### Database Server with PostgreSQL
```xml
<!-- Agent ossec.conf (or the group's shared agent.conf): PostgreSQL log monitoring -->
<ossec_config>
    <localfile>
        <log_format>postgresql_log</log_format> <!-- multi-line PostgreSQL log handling -->
        <location>/var/log/postgresql/postgresql-12-main.log</location>
    </localfile>
</ossec_config>
```

```xml
<!-- Manager /var/ossec/etc/rules/local_rules.xml: rules cannot be placed in ossec.conf.
     "statement:" lines only appear in the PostgreSQL log when log_statement is
     enabled in postgresql.conf (for example 'ddl'). -->
<group name="local,database,sql_injection,">
    <!-- Query Monitoring and Database Integrity -->
    <rule id="100005" level="10"> <!-- custom-range id (100000-120000); 100005 is an example value -->
        <if_sid>50500</if_sid> <!-- built-in grouping rule for PostgreSQL log events -->
        <match>statement: </match>
        <!-- example pattern (case-sensitive); replace with what is abnormal for your workload -->
        <regex>DROP TABLE|DROP DATABASE|TRUNCATE</regex>
        <description>Suspicious SQL Query Detected</description>
        <group>database,sql_injection,</group>
    </rule>
</group>
```

Looking forward to your inputs and thank you in advance for your support!

IS

Gonzalo Acuña

May 6, 2024, 9:30:16 AM
to Wazuh | Mailing List
Hi.
For the groups for which you need more accessibility, such as the Apache server or the database, I recommend monitoring the different resources of your agents, such as CPU, memory, disk usage, etc. You can see this at https://wazuh.com/blog/monitoring-linux-resource-usage-with-wazuh/.
By defining custom rules, you can create an active response, so that when the rule is triggered it sends you information when a resource is over its capacity.

Add File Integrity Monitoring for the different important files that you consider critical and whose modification could cause something to fail that you don't want to. For example, for the Java/Django part I would do it for Django's settings.py file.
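A worked example of the two mechanisms this thread turns on: the per-group shared configuration the first post wants to build, and the resource-threshold rule plus settings.py integrity monitoring the reply recommends. This is added here and is not code from either poster or from the Wazuh blog post linked above. It assumes a group named Linux-Backend whose shared file the manager distributes from /var/ossec/etc/shared/Linux-Backend/agent.conf, a Django settings file at the hypothetical path /srv/app/config/settings.py, and the example custom rule id 100201 (any unused id in the 100000-120000 range works). The rule builds on the built-in rule 530, which groups every "ossec: output:" command event.

```xml
<!-- File 1 (manager): /var/ossec/etc/shared/Linux-Backend/agent.conf
     Pushed to every agent in the Linux-Backend group; an agent that belongs to
     several groups (e.g. Linux-Basic and Linux-Backend) receives the union of
     their agent.conf files. -->
<agent_config os="Linux">
    <!-- Memory usage as a percentage, collected every 5 minutes as a log event.
         full_command runs through a shell, so the pipe works; the output line
         becomes "ossec: output: 'memory usage': mem_used_pct=NN" on the manager. -->
    <localfile>
        <log_format>full_command</log_format>
        <command>free -m | awk 'NR==2 {printf "mem_used_pct=%d\n", $3*100/$2}'</command>
        <alias>memory usage</alias>
        <frequency>300</frequency>
    </localfile>

    <!-- File Integrity Monitoring of the Django settings file (hypothetical path).
         realtime only applies to directories, so the directory is monitored and
         restrict narrows it to settings.py. report_changes is deliberately left
         off: settings.py normally holds SECRET_KEY and database credentials, and
         a content diff would copy them into every alert. -->
    <syscheck>
        <directories realtime="yes" check_all="yes" restrict="settings.py$">/srv/app/config</directories>
    </syscheck>
</agent_config>

<!-- File 2 (manager): /var/ossec/etc/rules/local_rules.xml
     Child of built-in rule 530; fires only for the 'memory usage' alias and only
     when the reported percentage is 90-99 or 100 (OSSEC regex has no numeric
     comparison, so the threshold is spelled out as two alternatives). -->
<group name="local,resource_monitoring,">
    <rule id="100201" level="10"> <!-- example id in the custom range 100000-120000 -->
        <if_sid>530</if_sid>
        <match>ossec: output: 'memory usage':</match>
        <regex>mem_used_pct=9\d|mem_used_pct=100</regex>
        <description>Memory usage at or above 90% on a Linux-Backend host</description>
        <group>resource_monitoring,</group>
    </rule>
</group>
```

The other groups in the proposed layout (Linux-Basic, Linux-Frontend, Linux-DB) work the same way, each with its own shared directory and agent.conf, and agents are assigned to groups with the manager's agent_groups tool or from the dashboard. The notification the reply describes is wired on the manager with an `<active-response>` block whose `<rules_id>` names 100201 and whose `<location>` is `server`, so the script runs on the manager rather than on the busy agent; the executable itself is site-specific and not shown here. Lowering the threshold during rollout, then raising it once baseline usage per group is known, keeps the rule from paging on normal JVM heap growth.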