How to check logs in Wazuh for GCP


Digvijay Singh

Mar 26, 2021, 6:30:37 AM
to Wazuh mailing list
Hello Team,

I have set up Wazuh for my GCP environment and the logs are moving through the GCP Pub/Sub module, but I want to check where these logs are going on the Wazuh server. Can you help me?

Alfonso Ruiz-Bravo

Mar 29, 2021, 8:45:18 AM
to Wazuh mailing list
Hello Digvijay!

I imagine you are using our integration with GCP; if not, I attach the documentation:


The basic flow would be as follows: 

1. Wazuh collects GCP events through its integration.
2. Wazuh analyzes the events and through its decoders and rules generates the alerts.
3. Filebeat sends the alerts to Elasticsearch where they can be viewed through Kibana.

Rules can be found in the following links:

To answer your original question, let's differentiate between alerts and events:

Alerts

- You can view your GCP alerts in the alerts file alerts.json, located by default at /var/ossec/logs/alerts/alerts.json. This file contains all the alerts generated by the Wazuh manager, including those coming from GCP. 
- You can view your GCP alerts in Kibana (Discover, or Security Events in the WUI, for example). A possible filter to find the alerts is to filter by rule group: rule.group: gcp

Events

- It is possible that not all events collected by the Wazuh GCP integration will generate an alert. These logs can be stored in the archives.json file in /var/ossec/logs/alerts/archives.json. To store these events you should activate the setting logall_json in your manager configuration. If you enable this option, the space used on your disk will increase: on average, for each generated alert, 10 events are analyzed. If you choose to store the events, your storage will increase considerably.
- If you enable archives.json you can also configure Filebeat to send these events to Elasticsearch and create an index-pattern to display the events in Kibana.

I hope this resolves your doubts. Do not hesitate to ask us anything.

Best regards,

Alfonso Ruiz-Bravo
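The two steps in the answer above (turn on logall_json in the global section, then read archives.json and separate alerts from events that matched no rule), as an added example of my own; it is not code from this thread or from Wazuh. It assumes that ossec.conf consists of several top-level <ossec_config> blocks (so the text is wrapped before XML parsing), that an archives.json record carries a "rule" object only when a rule fired, and that GCP events are decoded into data.integration = "gcp". The configuration fragments and the archive lines are constructed samples, and the rule ids in them are made up.

```python
"""Added example, not from the thread or from Wazuh: verify that logall_json
is on and split the GCP records in archives.json into alerts and events
that matched no rule.

Assumptions (mine):
- ossec.conf holds several top-level <ossec_config> blocks, so the text is
  wrapped in a root element before parsing.
- An archives.json record has a "rule" object only when a rule fired.
- GCP events are decoded into "data" with "integration": "gcp".
"""
import json
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragments: logall_json off, then on in <global>.
CONF_DEFAULT = """
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
  </syscheck>
</ossec_config>
"""
CONF_ARCHIVES_ON = CONF_DEFAULT.replace(
    "<logall_json>no</logall_json>", "<logall_json>yes</logall_json>")


def logall_json_enabled(conf_text: str) -> bool:
    """True if any <global> section sets <logall_json>yes</logall_json>."""
    root = ET.fromstring("<root>" + conf_text + "</root>")  # multi-root file
    for block in root.iter("ossec_config"):
        for glob in block.findall("global"):
            node = glob.find("logall_json")
            if node is not None and (node.text or "").strip().lower() == "yes":
                return True
    return False


# Constructed archives.json lines (one JSON object per line). Rule ids and
# GCP payloads are invented; only the record layout matters here.
ARCHIVES_NDJSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2021-03-30T08:00:00.000+0000", "location": "Wazuh-GCloud",
     "rule": {"level": 5, "id": "100001", "description": "GCP sample rule",
              "groups": ["gcp"]},
     "data": {"integration": "gcp", "gcp": {"severity": "WARNING"}}},
    {"timestamp": "2021-03-30T08:00:01.000+0000", "location": "Wazuh-GCloud",
     "data": {"integration": "gcp", "gcp": {"severity": "INFO"}}},
    {"timestamp": "2021-03-30T08:00:02.000+0000", "location": "/var/log/auth.log",
     "rule": {"level": 3, "id": "100002", "groups": ["syslog"]},
     "full_log": "Mar 30 08:00:02 host sshd[1]: Accepted publickey for ops"},
])


def split_gcp_records(ndjson_text: str):
    """Return (alerts, silent_events): GCP records with / without a rule."""
    alerts, silent = [], []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("data", {}).get("integration") != "gcp":
            continue          # not from the GCP integration
        (alerts if "rule" in rec else silent).append(rec)
    return alerts, silent


def summarize(conf_text: str, ndjson_text: str) -> dict:
    """One-shot check: archive logging state plus GCP alert/event counts."""
    alerts, silent = split_gcp_records(ndjson_text)
    return {"logall_json": logall_json_enabled(conf_text),
            "gcp_alerts": len(alerts), "gcp_events_without_alert": len(silent)}


if __name__ == "__main__":
    print(summarize(CONF_ARCHIVES_ON, ARCHIVES_NDJSON))
```

On a manager, feed it the contents of /var/ossec/etc/ossec.conf and of the archives file (the manager writes archives.json under /var/ossec/logs/archives/). A GCP record that shows up in the "silent" list is one the integration delivered and analysisd decoded but no rule matched, which is exactly the set that never reaches alerts.json or the rule.group: gcp filter in Kibana.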

Digvijay Singh

Mar 30, 2021, 1:21:53 AM
to Wazuh mailing list

Hello Alfonso,

Thanks for your reply, and yes, I am using the suggested integration with GCP. I was wondering where all the logs go, because you said "Wazuh collects GCP events through its integration." I just want to have a look at those events. I am able to view the alerts and will look for the archives.json file, but again I just wanted to look at those GCP logs (the path of the GCP logs on the Wazuh server) which are consumed by Wazuh and then processed by Wazuh for alerting.

Alfonso Ruiz-Bravo

Mar 30, 2021, 3:11:54 AM
to Digvijay Singh, Wazuh mailing list
Hello Digvijay,

Perfect, then you just need to enable archives.json. In your /var/ossec/etc/ossec.conf enable the setting logall_json (in the global section) and restart the Wazuh manager service. It will start storing all your events in /var/ossec/logs/alerts/alerts.json. In this file you will be able to see all the GCP events that are parsed by the Wazuh manager, whether they generate an alert or not.

Regards,

Alfonso Ruiz-Bravo
Cloud computing engineer
Wazuh - The Open Source Security Platform



Digvijay Singh

Mar 30, 2021, 3:26:44 AM
to Wazuh mailing list
Hello Alfonso,

I am able to see the parsed GCP events, but I am not looking for the parsed events; I am looking for the raw events which GCP generally sends to Wazuh, before Wazuh applies its intelligence using the decoders and rule set.
So I am mostly looking for those events as shipped from GCP to Wazuh over the Pub/Sub channel, similar to raw syslog or other raw device logs.

Alfonso Ruiz-Bravo

Mar 30, 2021, 3:48:25 AM
to Digvijay Singh, Wazuh mailing list
Hello Digvijay,

Understood. I have reviewed the code of the integration and it sends the raw events directly to the Wazuh queue for analysis; that is to say, they are not written anywhere in raw form, because it formats them before sending them to the queue.

Here is the function code that formats and sends events: https://github.com/wazuh/wazuh/blob/master/wodles/gcloud/integration.py#L88-L95

I think you could modify the code to handle the events before the event formatting, for example, before line 93:


Regards,



Alfonso Ruiz-Bravo
Cloud computing engineer
Wazuh - The Open Source Security Platform
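What the last reply suggests, writing each Pub/Sub payload out before the wodle formats it, as an added example of my own; it is not code from Wazuh's integration.py or from this thread. It is a stand-in for the formatting step with the dump hook placed ahead of it. The queue line shape `1:Wazuh-GCloud:<json>` (the analysisd text format `<queue id>:<location>:<payload>`), the JSON envelope, and the helper names dump_raw, format_msg and process_messages are assumptions; the socket send is replaced by collecting the lines, and the two Pub/Sub payloads are constructed, one of them deliberately not JSON to show that the dump does not depend on parsing.

```python
"""Added example (mine, not Wazuh's integration.py): a stand-in for the
GCP wodle's formatting step with a hook that writes each raw Pub/Sub
payload to a file before it is formatted for the analysis queue.

Assumptions:
- Queue lines follow the analysisd text format "<queue id>:<location>:<payload>";
  queue id "1" and location "Wazuh-GCloud" are assumed values.
- The payload is wrapped in a JSON envelope {"integration": "gcp", "gcp": ...}
  (shape assumed) so the JSON decoder can pick it up.
- The socket send is replaced by collecting the lines in a list.
"""
import json
import os
import tempfile

QUEUE_ID = "1"               # assumed queue id used when writing to the socket
LOCATION = "Wazuh-GCloud"    # assumed location tag

# Constructed Pub/Sub payloads: an audit-log style entry and one that is not
# JSON and not valid UTF-8, to show the raw dump happens before any parsing.
RAW_MESSAGES = [
    b'{"logName":"projects/example/logs/cloudaudit.googleapis.com%2Factivity",'
    b'"severity":"NOTICE"}',
    b'not json at all \xff',
]


def dump_raw(raw: bytes, path: str) -> None:
    """Append the untouched payload to `path`, one record per line.
    Binary mode keeps invalid UTF-8 as delivered instead of replacing it."""
    with open(path, "ab") as fh:
        fh.write(raw.rstrip(b"\n") + b"\n")


def format_msg(raw: bytes) -> str:
    """Stand-in for the wodle's formatting: decode, wrap, build the queue line."""
    text = raw.decode("utf-8", errors="replace")
    try:
        body = json.loads(text)
    except json.JSONDecodeError:
        body = text          # keep the string; analysisd still records it
    envelope = {"integration": "gcp", "gcp": body}
    return f"{QUEUE_ID}:{LOCATION}:{json.dumps(envelope)}"


def process_messages(raw_messages, raw_dump_path: str):
    """Dump raw, then format; returns the queue lines that would be sent."""
    queue_lines = []
    for raw in raw_messages:
        dump_raw(raw, raw_dump_path)     # the hook goes before formatting
        queue_lines.append(format_msg(raw))
    return queue_lines


def parse_queue_line(line: str):
    """Split a queue line back into (queue id, location, envelope dict)."""
    qid, loc, payload = line.split(":", 2)
    return qid, loc, json.loads(payload)


def run_demo():
    """Process the constructed messages in a temp dir; return (lines, dump)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gcp_raw.log")
        lines = process_messages(RAW_MESSAGES, path)
        with open(path, "rb") as fh:
            raw_dump = fh.read()
    return lines, raw_dump


if __name__ == "__main__":
    lines, raw_dump = run_demo()
    print(raw_dump.decode("utf-8", errors="replace"))
    for line in lines:
        print(line)
```

The point of dumping bytes rather than the decoded string is that the dump file then answers the original question (what GCP actually sent) without the decode-and-wrap step in between; diffing it against the data.gcp field of the matching archives.json record shows exactly what the formatting changed. Put the file somewhere with the same access controls as archives.json, since audit-log payloads are as sensitive as the alerts derived from them.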
