Wazuh - TheHive alert delay


brijesh kumar

Jan 15, 2024, 7:23:24 AM
to Wazuh | Mailing List
Hi team,

I have integrated Wazuh with TheHive following the steps mentioned in the link below.

The integration was done successfully and alerts are coming. However, the alerts are coming slowly, or they show up in the alerts tab or page hours later or even a day later. I don't know what happened or what the problem is here. Is there any other solution to receive the alerts from Wazuh in TheHive? Or what should I do to avoid the delay in alerts coming in?

Thanks
Brijesh


Eric Franco Fahnle

Jan 15, 2024, 9:39:21 AM
to Wazuh | Mailing List
Hi Brijesh, hope you're doing great.

First, a few things to check:
1. Check the network connectivity between Wazuh and TheHive. Ensure that there are no network issues or bottlenecks affecting the alert transmission.
2. Monitor the system resources of the Wazuh manager and TheHive server. High resource utilization can lead to delays in processing and delivering alerts.
3. Review the logs of both Wazuh and TheHive for any error messages or warnings that could indicate the cause of the delay.

Second, some questions:
- Is the script you're using exactly the same as the one posted in the blog?
- How many alerts do you have in your environment? I don't need an exact number; an approximation is fine.
- Which version of Wazuh and TheHive are you using?

Regards!
Eric

brijesh kumar

Jan 19, 2024, 7:34:12 AM
to Wazuh | Mailing List
Hi Eric,

Sorry for the delayed response, I was on leave for a few days.


First, a few things to check:
1. Check the network connectivity between Wazuh and TheHive. Ensure that there are no network issues or bottlenecks affecting the alert transmission. - No connectivity issues observed.
2. Monitor the system resources of the Wazuh manager and TheHive server. High resource utilization can lead to delays in processing and delivering alerts. - Right now we are using a temporary machine with only 4 GB RAM and 100 GB storage for testing purposes.
3. Review the logs of both Wazuh and TheHive for any error messages or warnings that could indicate the cause of the delay. - Nothing like that was observed when I did; can you guide me on how to check that?


- Is the script you're using exactly the same as the one posted in the blog? - Yes, I just changed the alert level to 6.
- How many alerts do you have in your environment? I don't need an exact number; an approximation is fine. - Per day around 321,874 hits under the wazuh-alerts index for all rule levels, but rule levels above 6 are fewer than 10 hits. Attaching a snip FYR.
- Which version of Wazuh and TheHive are you using? - Wazuh 4.5 and TheHive 5.2 free version.

Sev 6 and above alerts.png
All sev alerts.png

Eric Franco Fahnle

Jan 19, 2024, 1:20:36 PM
to Wazuh | Mailing List
Hi Brijesh, no problem and thanks for all the info.

Another question I forgot to ask: do you have any other integrations apart from TheHive? Slack, VirusTotal, etc.

My first guess would be resources. Integrations require plenty of resources and that may be causing your delays. Would you mind sharing the <integration> section of your ossec.conf? Please do not send any sensitive data like API keys.

As for how to read the logs, I cannot help you on TheHive's side, but on the Wazuh manager integration errors are logged in /var/ossec/logs/ossec.log, so doing something like grep -i -E "error|warn" /var/ossec/logs/ossec.log might be useful, although you may see other error logs not related to this.

Let me know about that ossec.conf part.

Regards!
Eric

brijesh kumar

Jan 22, 2024, 8:10:37 AM
to Wazuh | Mailing List

Hi Eric,

We don't have any other integrations apart from TheHive. Please see the snip attached as you asked.
Also, no errors or warnings were observed while running the command grep -i -E "error|warn" /var/ossec/logs/ossec.log. See snip. Only info logs are there.
ossec inetgration.png
error check snip.png

Eric Franco Fahnle

Jan 23, 2024, 9:40:02 AM
to Wazuh | Mailing List
Hi Brijesh, could you try filtering the integration section with <level>6</level>?

<integration>
  <name>custom-w2thive</name>
  <hook_url>...</hook_url>
  <api_key>...</api_key>
  <alert_format>json</alert_format>
  <level>6</level>
</integration>

If the delays are being caused by resources, and given that you're willing to process only alerts above level 6, as you've done inside the script, we may try to reduce the number of alerts received by the script by specifying that filter.


Don't forget to restart the manager after that.

Regards!
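The point of the <level>6</level> filter above is that, without it, wazuh-integratord launches the integration script for every alert the manager produces and the script then discards most of them itself; with the filter, the process is only started for alerts the script would keep anyway. The following added example (not code from the thread, from Wazuh, or from the blog's custom-w2thive script) estimates that effect from alerts.json lines. It assumes Wazuh's documented semantics that <level> keeps alerts whose rule level is greater than or equal to the configured value, that the script applies its own internal threshold (set to 6 by the poster, mirrored here as script_min_level), and that the sample alert lines are constructed, not real alert data.

```python
"""Estimate how often wazuh-integratord would launch an integration script
under a given <level> filter, from alerts.json-style input.

Added example; assumptions: alerts.json holds one JSON object per line with
a rule.level field, <level>N</level> forwards alerts with level >= N, and
the script itself only creates a TheHive alert when level >= its own
threshold (6 in the thread). All sample data below is constructed.
"""
import json
from collections import Counter

# Constructed sample alerts (ids in the custom range, not real Wazuh rules),
# plus one truncated line to show the parser skipping damaged input.
_SAMPLE = [
    {"rule": {"level": 3, "id": "100001", "description": "constructed: routine event"}},
    {"rule": {"level": 5, "id": "100002", "description": "constructed: failed login"}},
    {"rule": {"level": 3, "id": "100001", "description": "constructed: routine event"}},
    {"rule": {"level": 7, "id": "100003", "description": "constructed: config change"}},
    {"rule": {"level": 5, "id": "100002", "description": "constructed: failed login"}},
    {"rule": {"level": 10, "id": "100004", "description": "constructed: brute force"}},
    {"rule": {"level": 3, "id": "100001", "description": "constructed: routine event"}},
    {"rule": {"level": 12, "id": "100005", "description": "constructed: privilege escalation"}},
]
SAMPLE_ALERTS_JSON = "\n".join(json.dumps(a) for a in _SAMPLE) + '\n{"rule": {"level": 9'


def parse_alerts(text):
    """Parse alerts.json content; skip blank or truncated (invalid JSON) lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a half-written line at the end of a live file is common
    return alerts


def count_by_level(alerts):
    """Histogram of rule levels, the number the thread reads off the wazuh-alerts index."""
    return Counter(int(a["rule"]["level"]) for a in alerts)


def forwarded_to_script(alerts, config_level):
    """Alerts integratord passes to the script with <level>config_level</level>.
    Omitting <level> behaves like 0: every alert is forwarded."""
    return [a for a in alerts if int(a["rule"]["level"]) >= config_level]


def script_accepts(alert, script_min_level=6):
    """Mirror of the threshold applied inside the integration script (assumed)."""
    return int(alert["rule"]["level"]) >= script_min_level


def script_invocations(alerts, config_level, script_min_level=6):
    """Return (invoked, created): how many times the script process is
    launched, and how many of those launches end in a TheHive alert."""
    invoked = forwarded_to_script(alerts, config_level)
    created = [a for a in invoked if script_accepts(a, script_min_level)]
    return len(invoked), len(created)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS_JSON)
    print("alerts by level:", dict(sorted(count_by_level(alerts).items())))
    for cfg in (0, 6):
        invoked, created = script_invocations(alerts, cfg)
        print(f"<level>{cfg}</level>: script launched {invoked} times, "
              f"{created} TheHive alerts created, {invoked - created} wasted launches")
```

Run against a real /var/ossec/logs/alerts/alerts.json (after parse_alerts(open(path).read())) it shows the same ratio the thread describes: with roughly 320k alerts a day and fewer than ten at level 6 or above, almost every script launch is wasted work until the filter moves the threshold into ossec.conf.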

brijesh kumar

Jan 29, 2024, 8:36:18 AM
to Wazuh | Mailing List
Hi Eric,

Applied the config as you mentioned above and so far it is working as expected. Will let you know if I face any further delays. Thank you so much for the help. Have a nice day.

Thank you
Brijesh

brijesh kumar

Feb 5, 2024, 7:46:32 AM
to Wazuh | Mailing List
It worked perfectly. Thank you Eric.

Thank you
Brijesh
