geoLocation doesn't works
506 views
Skip to first unread message
Massao
Sep 20, 2022, 3:15:15 PM9/20/22
to Wazuh mailing list
Hi guys, I'm trying to use filebeat's geoLocation, but it just doesn't work.
None of the fields appear, neither in archives nor in alerts.
First I tried using the default pipelines (https://github.com/wazuh/wazuh/blob/4.1/extensions/filebeat/7.x/wazuh-module/alerts/ingest/pipeline.json). Didn't work, so I created a new one, like this: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-geoip.html#filebeat-configuring-geoip
My pipeline named geoLocation:
[
{
"json": {
"field": "message",
"add_to_root": true
}
},
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.win.eventdata.ipAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.aws.sourceIPAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.gcp.jsonPayload.sourceIP",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"date": {
"field": "timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": false
}
},
{
"date_index_name": {
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": false
}
},
{
"remove": {
"field": "message",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "ecs",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "beat",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "input_type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "tags",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "count",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "@version",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "log",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "offset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "host",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fields",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "event",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fileset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "service",
"ignore_missing": true,
"ignore_failure": true
}
}
]
My filebeat.yml:
None of the fields appear, neither in archives nor in alerts.
First I tried using the default pipelines (https://github.com/wazuh/wazuh/blob/4.1/extensions/filebeat/7.x/wazuh-module/alerts/ingest/pipeline.json). Didn't work, so I created a new one, like this: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-geoip.html#filebeat-configuring-geoip
My pipeline named geoLocation:
[
{
"json": {
"field": "message",
"add_to_root": true
}
},
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.win.eventdata.ipAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.aws.sourceIPAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"field": "data.gcp.jsonPayload.sourceIP",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"date": {
"field": "timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": false
}
},
{
"date_index_name": {
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.MM.dd",
"ignore_failure": false
}
},
{
"remove": {
"field": "message",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "ecs",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "beat",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "input_type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "tags",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "count",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "@version",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "log",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "offset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "host",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fields",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "event",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fileset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "service",
"ignore_missing": true,
"ignore_failure": true
}
}
]
My filebeat.yml:
output.elasticsearch:
hosts: ["IP"]
pipeline: geoLocation
protocol: https
username: "username"
password: "pass"
ssl.certificate_authorities:
- /path/cert
ssl.certificate: "/path/crt"
ssl.key: "/path/key"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.overwrite: true
setup.ilm.enabled: false
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true
Delfina Lizarralde Bressan
Sep 20, 2022, 4:36:54 PM9/20/22
to Wazuh mailing list
Hello there!
Thanks for using wazuh!
The files look fine to me. Did you restart the filebeat service? You can force this by executing:
Thanks for using wazuh!
The files look fine to me. Did you restart the filebeat service? You can force this by executing:
filebeat setup --pipelines --modules wazuh
As a reminder, if you modify the pipeline.json file you should execute the command in every Wazuh manager in your environment.
Also, the default Wazuh installation includes an ingest pipeline that uses the Elasticsearch GeoIP processor to enrich events with geographical information associated with their source IP. However, this doesn't allow using custom Wazuh rules with GeoIP lookup results as part of the rule criteria: the GeoIP info is obtained after decoding and checking the event against the ruleset. You can see more info here.
Hope this helps you. If restarting the service does not work please contact me again.
Regards.
mass...@gmail.com
Sep 20, 2022, 5:00:48 PM9/20/22
to Wazuh mailing list
Hello, Delphine. Thanks for the answer!
I had already tried restarting the service this way and it didn't work.
I did it again, but still without success.
I had already tried restarting the service this way and it didn't work.
I did it again, but still without success.
Adam Pielak
Sep 20, 2022, 7:22:35 PM9/20/22
to mass...@gmail.com, Wazuh mailing list
Configure your manager to switch from writing alerts to alerts.json,
Section <global> on the top, lines:
<logall_json>yes</logall_json>
Make the following highlighted changes to /etc/filebeat/filebeat.yml
start shipping archives.json to the Wazuh indexer
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: true
Restart wazuh-manager and filebeat on your manager:
systemctl restart wazuh-manager
systemctl restart filebeat
On your manager, move aside the standard Wazuh Filebeat pipeline.json
cd /usr/share/filebeat/module/wazuh/ <archives / alerts> /ingest/
mv pipeline.json original-pipeline.json
You can user pipeline from url: https://github.com/branchnetconsulting/wazuh-tools/blob/master/pipeline.json
filebeat setup --pipelines --modules wazuh
While the stock Wazuh pipeline does do GeoIP lookups on the source IP field of events,
the extended pipeline does this for both source and destination IPs,
including both GeoIP and ASN lookups which are normalized to standard file names.
Pozdrawiam/Best regards,
Adam
Death Star Commander
Dark Lord of the Sith
The devil’s at his strongest while we’re looking the other way, like program running in the background silently, while we’re busy doing other shit.
Wiadomość napisana przez mass...@gmail.com <mass...@gmail.com> w dniu 9/20/22, o godz. 23:00:
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ed1ccac6-245b-44c0-98ea-3c634b6ea0e9n%40googlegroups.com.
mass...@gmail.com
Sep 21, 2022, 8:34:29 AM9/21/22
to Wazuh mailing list
Hey, Adam, thanks for the answer!
My manager already had this configuration.
I tested the new pipeline, however, it didn't work.
I just didn't understand the change that should be made in the pipeline.yml
My manager already had this configuration.
I tested the new pipeline, however, it didn't work.
I just didn't understand the change that should be made in the pipeline.yml
Adam Pielak
Sep 21, 2022, 11:24:46 AM9/21/22
to mass...@gmail.com, Wazuh mailing list
Can You show us screenshot form Kibana?
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c3cd7618-011c-480b-8601-9938e77b06b0n%40googlegroups.com.
0 new messages