Questions tagged [wazuh]

93 questions
0 votes, 1 answer

How do I compare two source IPs from two different specific logs in Elasticsearch

In Elasticsearch I want to compare two logs (nat log and Gateway log) with a DSL Query. In the nat log there is srcip1 and in the gateway log there is srcip2. I want that if the condition srcip1 === srcip2 is satisfied, "agent.id" is displayed in the result. On top of it I…
0 votes, 1 answer

Trouble in Wazuh 4 production cluster (docker) with logstash output in elasticsearch

I have the production cluster of Wazuh 4 with open-distro for elasticsearch, kibana and ssl security in docker and I am trying to connect logstash (a docker image of logstash) with elasticsearch and I am getting this: Attempted to resurrect…
Jo S.
0 votes, 1 answer

Exporting wazuh graphs

Let me start by saying that I am not very familiar with wazuh and kibana. I am creating a web application in Angular and it is required for me to embed wazuh charts in it. Example chart that I need to export: I have been told that it is possible to…
m b
0 votes, 1 answer

Wazuh Agent Connection Failure and corrupt payload error in log

I have been given a Wazuh manager IP and a user name and password. I installed the wazuh agent on my laptop but it is connected to the Manager IP. It is not returning the Authorization key and throws the errors in the log file. Important Note: I am using VPS…
Harris
0 votes, 1 answer

1000 max shards reached. I would like to increase or clear existing and start again. I have 5 servers I am monitoring

I tried to increase the shards with this...but to no avail. curl -XPUT 'http://206.189.196.214:9200/_cluster/settings -H 'Content-type: application/json' --data-binary $'{"transient":{"cluster.max_shards_per_node":5100}}'` I have a typo in the…
Deb
0 votes, 1 answer

Custom rules for WAZUH File integrity monitoring not present in Kibana FIM module (but are present under all events)

I am following the example of Wazuh FIM for changing the severity of the events. After applying that rule I started receiving events on Kibana under the new rule id 100345, which is what I wanted (under the all events section). But I stopped receiving the original…
user2704821
0 votes, 3 answers

Kibana site can't be reached

So I'm trying to set up a Wazuh server; after installing it I got greeted with the message "This site can't be reached". When I try to curl the IP with the port like this: curl http://192.168.1.108:5601 it doesn't show anything, not even an error. Kibana is…
0 votes, 1 answer

OSSEC adding allowed fields from decoders to rules description

I am using OSSEC for HIDS. I have created a custom decoder and extracted fields from the log like srcip, dstip and protocol. Here is the log tested with the ./ossec-logtest Sep 2 14:39:23 rana-HP-Notebook kernel: [21261.042146] [UFW BLOCK]…
0 votes, 2 answers

WAZUH/OSSEC - overwriting rules doesn't seem to work

I'm trying to overwrite a rule as per documentation, like this https://documentation.wazuh.com/3.12/learning-wazuh/replace-stock-rule.html So I've copied one rule to local_rules.xml, created my own group (prior to that also tried to put it within…
Istvan Prosinger
0 votes, 1 answer

Change ossec(wazuh) agent profiles via saltstack

I'm trying to modify the section of an ossec.conf file, including grains content, something like: ossec-profiles: - profile1 - profile2 and I want to modify the section from centos,…
0 votes, 3 answers

NGINX logs in WAZUH

I am using NGINX in my setup, and wazuh for IDS. I want to check all nginx logs (access/error logs) in wazuh kibana, but I am unable to do so. All the logs are forwarded to " /var/ossec/logs/archives/archives.log ", and they are not visible in…
Sulaiman
-1 votes, 1 answer

How to change wazuh default index pattern from daily (wazuh-alerts-4.x-yyyy.mm.dd) to weekly (wazuh-alerts-4.x-xxxx.ww)

At first it seems to be an easy task since the config for creating this index is in /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json { "date_index_name": { "field": "timestamp", "date_rounding": "d", …
Hiep Ho
-1 votes, 1 answer

Does anyone know how to change the Kibana style?

I want to change the style of the wazuh Kibana plugin. I downloaded the source files from GitHub. In the source files, which file do I need to edit if I want to change the places of steps like security, scan etc.?
-1 votes, 1 answer

Your environment may not have any index with Wazuh's alerts

I'm getting this error when I am trying to reinstall ELK with wazuh
-2 votes, 1 answer

Docker and wazuh container deploy to lxc container on proxmox

On #docker-compose up I get a system error from Wazuh.indexer (failed to create shim task: OCI runtime create failed: runc create failed). How can I get a good installation?