Hello again,

Could you please show me some of the logs about Sonicwall that you're 
getting on the archives.log file? You could use this command:
cat /var/ossec/logs/archives/archives.log | grep sonicwall

Maybe there are only events on that file that don't match to any specific 
Sonicwall rules available on the Ruleset, and those events won't be 
triggered as an alert on the alerts.json file.

Thanks for your patience.

Regards,
Juanjo

On Thursday, May 24, 2018, 15:29:23 (UTC+2), Mikel Sheshi wrote:
>
> Hello again, 
> Modified the ossec.conf to level 1 
> <ossec_config>
>   <global>
>     <jsonout_output>yes</jsonout_output>
>     <alerts_log>yes</alerts_log>
>    <logall>yes</logall>
>     <logall_json>yes</logall_json>
>     <email_notification>yes</email_notification>
>     <smtp_server>mail.domain.com</smtp_server>
>     <email_from>osse...@domain.com</email_from>
>     <email_to>mikel....@domain.com</email_to>
>     <email_maxperhour>12</email_maxperhour>
>   </global>
>
>   <alerts>
> *    <log_alert_level>1</log_alert_level>*
>     <email_alert_level>12</email_alert_level>
>   </alerts>
> But I still don't see the sonicwall logs in alerts.json 
> (I see them in archives.json). 
>
> Thank you 
> Mikeli 
>
> On Thursday, May 24, 2018 at 12:58:59 PM UTC+2, Juanjo Jiménez wrote:
>>
>> Hello again Mikel,
>>
>> If you receive Sonicwall events on the archives.log file, then you 
>> should see them on the alerts.json file, BUT only if they are from *at 
>> least level 3* or higher.
>>
>> This setting can be found inside the <alerts> tag on your ossec.conf 
>> file:
>> <alerts>
>>     <log_alert_level>3</log_alert_level>
>>     <email_alert_level>12</email_alert_level>
>> </alerts>
>>
>> By default, the value is 3, but you can change it to 1, so you'll see all 
>> the Sonicwall alerts starting from level 1. Keep in mind that, according to 
>> the Sonicwall rules from our Ruleset repository 
>> <https://github.com/wazuh/wazuh-ruleset/blob/v3.2.2/rules/0080-sonicwall_rules.xml>,
>> some of them are level 0, and those rules will never trigger alerts on the 
>> alerts.json file.
>>
>> Try changing the <log_alert_level> to 1 and then, restart the manager:
>> systemctl restart wazuh-manager
>>
>> Let me know if now you can see Sonicwall alerts on the alerts.json file. 
>> If so, then they will appear in the Kibana app, just like I mentioned to you 
>> in my previous message.
>>
>> If you still have questions, please let me know.
>>
>> Regards,
>> Juanjo
>>
>> On Thursday, May 24, 2018, 11:53:42 (UTC+2), Mikel Sheshi wrote:
>>>
>>> Hello Juanjo, 
>>> Thank you for the reply 
>>> The problem is that I can see the logs of the Sonicwall on the directory 
>>> /var/ossec/logs/archives 
>>> But I don't see them on /var/ossec/logs/alerts 
>>>
>>> I receive the logs in the archives folder, but I don't receive any alert 
>>> about them in alerts.json.
>>> The question is: how do I move the Sonicwall syslogs to the alerts.json 
>>> file? 
>>>
>>> Thanks 
>>> Mikeli
>>>
>>> On Wednesday, May 23, 2018 at 5:53:11 PM UTC+2, Juanjo Jiménez wrote:
>>>>
>>>> Hello Mikel,
>>>>
>>>> If you're getting Sonicwall alerts on the alerts.json file, you can 
>>>> see them in Kibana. Currently, we don't have a specific tab for Sonicwall 
>>>> alerts, but you can go to the *Overview* tab, and you'll see a search 
>>>> bar (circled in red) where you can type the following:
>>>> rule.groups: sonicwall
>>>>
>>>> And press enter. This will filter the alerts by this group. You can 
>>>> also open the *Discover* view (circled in red) to see the alerts in a 
>>>> list-view mode, just like on Kibana's Discover tab on the left sidebar.
>>>>
>>>>
>>>> Let me know if this works for you.
>>>>
>>>> Regards,
>>>> Juanjo
>>>>
>>>> On Wednesday, May 23, 2018, 15:21:57 (UTC+2), Mikel Sheshi wrote:
>>>>>
>>>>> Hello, 
>>>>> Is there any way to send sonicwall syslogs to the Kibana dashboard (Wazuh 
>>>>> server)? 
>>>>> I have set the logall option to "yes" in ossec.conf:
>>>>>    <jsonout_output>yes</jsonout_output>
>>>>>     <alerts_log>yes</alerts_log>
>>>>>    <logall>yes</logall>
>>>>> I receive the logs on the /var/ossec/logs/archives
>>>>>
>>>>> But I want to see the alerts on Kibana dashboard gui
>>>>>
>>>>>
>>>>>    - The file /var/ossec/logs/archives/archives.json contains all 
>>>>>    events whether they tripped a rule or not.
>>>>>    - The file */var/ossec/logs/alerts/alerts.json* contains only 
>>>>>    events that tripped a rule.
>>>>>
>>>>> I want to see the sonicwall syslogs in alerts.json and in Kibana, in the 
>>>>> same way that I see the wazuh agent logs. 
>>>>>
>>>>> Thanks 
>>>>> Mikeli 
>>>>>
>>>>>
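As an added example (not code from this thread or from Wazuh), the following Python triage applies the two explanations given in the thread to archives.json records: events that matched no rule, and rules at level 0 or below <log_alert_level>, never reach alerts.json. The sample lines are constructed, and the assumption that an unmatched event is stored without a "rule" object is mine.

```python
import json

# Constructed sample lines in the style of /var/ossec/logs/archives/archives.json.
# Not real Wazuh output. Assumption: an event that matched no rule is stored
# without a "rule" object, while matched events carry rule.level and rule.groups.
SAMPLE_ARCHIVES = [
    json.dumps({"rule": {"level": 3, "id": "CONSTRUCTED-1", "groups": ["sonicwall"]},
                "full_log": "id=firewall sn=XXXX SonicWall: connection opened"}),
    json.dumps({"rule": {"level": 2, "id": "CONSTRUCTED-2", "groups": ["sonicwall"]},
                "full_log": "id=firewall sn=XXXX SonicWall: connection closed"}),
    json.dumps({"rule": {"level": 0, "id": "CONSTRUCTED-3", "groups": ["sonicwall"]},
                "full_log": "id=firewall sn=XXXX SonicWall: heartbeat"}),
    json.dumps({"full_log": "id=firewall sn=XXXX SonicWall: unknown message"}),
    json.dumps({"rule": {"level": 5, "id": "CONSTRUCTED-5", "groups": ["sshd"]},
                "full_log": "sshd[123]: Failed password for root"}),
    "broken sonicwall line {",
]


def classify_event(event, log_alert_level=3):
    """Return why an archives.json event does or does not reach alerts.json."""
    rule = event.get("rule")
    if rule is None:
        return "no_rule_match"      # decoded, but no rule fired: archives only
    level = int(rule.get("level", 0))
    if level == 0:
        return "level_0_rule"       # level 0 never alerts, whatever the threshold
    if level < log_alert_level:
        return "below_threshold"    # lowering <log_alert_level> would surface it
    return "alert"                  # level >= threshold: also written to alerts.json


def triage(lines, log_alert_level=3, keyword="sonicwall"):
    """Count, per reason, the archives.json lines that mention keyword."""
    counts = {"alert": 0, "below_threshold": 0, "level_0_rule": 0,
              "no_rule_match": 0, "unparsed": 0}
    for line in lines:
        if keyword not in line.lower():
            continue                # same filter as: grep -i sonicwall archives.json
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["unparsed"] += 1
            continue
        counts[classify_event(event, log_alert_level)] += 1
    return counts


if __name__ == "__main__":
    for threshold in (3, 1):
        print(f"log_alert_level={threshold}:", triage(SAMPLE_ARCHIVES, threshold))
```

Run it against the real file with `triage(open("/var/ossec/logs/archives/archives.json"), 1)` to see how many Sonicwall events are held back by missing rule matches or level 0 rules rather than by the threshold.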
