Hello again Mikel,

Those kinds of logs don't generate an alert on the alerts.json file. 
They're pretty basic log messages and if they do generate an alert, it 
would be a level 0 alert, so again, they won't appear on that file. More 
severe or critical logs, such as admin login failure, etc., should indeed 
generate an alert since they have higher alert levels.

I hope this clarifies your questions and doubts. In any case, don't 
hesitate to ask again.

Regards,
Juanjo

On Friday, May 25, 2018 at 16:12:51 (UTC+2), Mikel Sheshi wrote:
>
>
> Hello again and thanks for the support,
> In fact I receive only this type of warning:
> 2018 May 25 01:10:12 WazuhServerTirana->FirewallIP   id=firewall 
> sn=C0EAE49Z345 time="2018-05-25 01:11:01" fw=publicIP pri=6 c=1024 m=537 
> msg="Connection Closed" app=39 n=91292961 src=10.x.x.x:57595:X2 
> dst=10.87.x.x:161:X2 srcMac=00:0c:29:5b:4d:a2 proto=udp/161 sent=107 
> rcvd=128 spkt=1 rpkt=1 cdur=30250 rule="4 (Vodafone->Vodafone)" 
> fw_action="NA"
>
> 2018 May 25 01:10:09 WazuhServerTirana->FirewallIP   id=firewall 
> sn=C0EAE49Z345 time="2018-05-25 01:10:59" fw=publicIP pri=6 c=262144 m=98 
> msg="Connection Opened" n=11980860 src=10.80.x.x:36827:X0 
> dst=x.x.x.x:123:X1 dstMac=00:00:5e:00:01:65 proto=udp/ntp sent=76 rule="1 
> (LAN->WAN)" fw_action="NA"
>
>
> On Thursday, May 24, 2018 at 4:58:03 PM UTC+2, Juanjo Jiménez wrote:
>>
>> Hello again,
>>
>> Could you please show me some of the logs about Sonicwall that you're 
>> getting on the archives.log file? You could use this command:
>> cat /var/ossec/logs/archives/archives.log | grep sonicwall
>>
>> Maybe there are only events on that file that don't match any specific 
>> Sonicwall rule available on the Ruleset, and those events won't be 
>> triggered as an alert on the alerts.json file.
>>
>> Thanks for your patience.
>>
>> Regards,
>> Juanjo
>>
>> On Thursday, May 24, 2018 at 15:29:23 (UTC+2), Mikel Sheshi wrote:
>>>
>>> Hello again,
>>> Modified the ossec.conf to level 1:
>>> <ossec_config>
>>>   <global>
>>>     <jsonout_output>yes</jsonout_output>
>>>     <alerts_log>yes</alerts_log>
>>>     <logall>yes</logall>
>>>     <logall_json>yes</logall_json>
>>>     <email_notification>yes</email_notification>
>>>     <smtp_server>mail.domain.com</smtp_server>
>>>     <email_from>osse...@domain.com</email_from>
>>>     <email_to>mikel....@domain.com</email_to>
>>>     <email_maxperhour>12</email_maxperhour>
>>>   </global>
>>>
>>>   <alerts>
>>>     <log_alert_level>1</log_alert_level>
>>>     <email_alert_level>12</email_alert_level>
>>>   </alerts>
>>> But I still don't see the Sonicwall logs in alerts.json 
>>> (I see them in archives.json).
>>>
>>> Thank you 
>>> Mikeli 
>>>
>>> On Thursday, May 24, 2018 at 12:58:59 PM UTC+2, Juanjo Jiménez wrote:
>>>>
>>>> Hello again Mikel,
>>>>
>>>> If you receive Sonicwall events on the archives.log file, then you 
>>>> should see them on the alerts.json file, BUT only if they are from *at 
>>>> least level 3* or higher.
>>>>
>>>> This setting can be found inside the <alerts> tag on your ossec.conf 
>>>> file:
>>>> <alerts>
>>>>     <log_alert_level>3</log_alert_level>
>>>>     <email_alert_level>12</email_alert_level>
>>>> </alerts>
>>>>
>>>> By default, the value is 3, but you can change it to 1, so you'll see 
>>>> all the Sonicwall alerts starting from level 1. Keep in mind that, 
>>>> according to the Sonicwall rules from our Ruleset repository 
>>>> <https://github.com/wazuh/wazuh-ruleset/blob/v3.2.2/rules/0080-sonicwall_rules.xml>,
>>>> some of them are level 0, and those rules will never trigger alerts on the 
>>>> alerts.json file.
>>>>
>>>> Try changing the <log_alert_level> to 1 and then, restart the manager:
>>>> systemctl restart wazuh-manager
>>>>
>>>> Let me know if now you can see Sonicwall alerts on the alerts.json 
>>>> file. If so, then they will appear on the Kibana app, just like I 
>>>> mentioned in my previous message.
>>>>
>>>> If you still have questions, please let me know.
>>>>
>>>> Regards,
>>>> Juanjo
>>>>
>>>> On Thursday, May 24, 2018 at 11:53:42 (UTC+2), Mikel Sheshi wrote:
>>>>>
>>>>> Hello Juanjo,
>>>>> Thank you for the reply.
>>>>> The problem is that I can see the logs of the Sonicwall in the 
>>>>> directory /var/ossec/logs/archives 
>>>>> but I don't see them in /var/ossec/logs/alerts.
>>>>>
>>>>> I receive the logs in the archives folder, but I don't receive any alert 
>>>>> about them in alerts.json.
>>>>> The question is: how do I move the Sonicwall syslogs to the alerts.json 
>>>>> file?
>>>>>
>>>>> Thanks 
>>>>> Mikeli
>>>>>
>>>>> On Wednesday, May 23, 2018 at 5:53:11 PM UTC+2, Juanjo Jiménez wrote:
>>>>>>
>>>>>> Hello Mikel,
>>>>>>
>>>>>> If you're getting Sonicwall alerts on the alerts.json file, you can 
>>>>>> see them in Kibana. Currently, we don't have a specific tab for 
>>>>>> Sonicwall alerts, but you can go to the *Overview* tab, and you'll see a 
>>>>>> search bar (circled in red) where you can type the following:
>>>>>> rule.groups: sonicwall
>>>>>>
>>>>>> And press enter. This will filter the alerts by this group. You can 
>>>>>> also open the *Discover* view (circled in red) to see the alerts in 
>>>>>> a list-view mode, just like on Kibana's Discover tab on the left sidebar.
>>>>>>
>>>>>>
>>>>>> <https://lh3.googleusercontent.com/-jtRSbeXeqps/WwWKq39XVsI/AAAAAAAAAIk/jP_IS45b-M4SfDp5et5GvCagt6mw7UMrgCLcBGAs/s1600/searchbar.PNG>
>>>>>>
>>>>>> Let me know if this works for you.
>>>>>>
>>>>>> Regards,
>>>>>> Juanjo
>>>>>>
>>>>>> On Wednesday, May 23, 2018 at 15:21:57 (UTC+2), Mikel Sheshi wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>> Is there any way to send Sonicwall syslogs to the Kibana dashboard 
>>>>>>> (Wazuh server)?
>>>>>>> I have set the logall option to "Yes" in ossec.conf:
>>>>>>>     <jsonout_output>yes</jsonout_output>
>>>>>>>     <alerts_log>yes</alerts_log>
>>>>>>>     <logall>yes</logall>
>>>>>>> I receive the logs in /var/ossec/logs/archives
>>>>>>>
>>>>>>> But I want to see the alerts on the Kibana dashboard GUI.
>>>>>>>
>>>>>>>    - The file /var/ossec/logs/archives/archives.json contains all 
>>>>>>>      events whether they tripped a rule or not.
>>>>>>>    - The file /var/ossec/logs/alerts/alerts.json contains only 
>>>>>>>      events that tripped a rule.
>>>>>>>
>>>>>>> I want to see the Sonicwall syslogs in alerts.json on Kibana in the 
>>>>>>> same way that I see the Wazuh agent logs.
>>>>>>>
>>>>>>> Thanks 
>>>>>>> Mikeli 
>>>>>>>
>>>>>>>
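The archives.json versus alerts.json split discussed through this thread, as an added example that is not code from the thread or from Wazuh: it parses SonicWall key=value lines shaped like the ones Mikel posted and applies the level filter Juanjo describes (<log_alert_level> threshold, level-0 rules never alerting). The rule level attached to each sample line is a hypothetical placeholder, not a value read from 0080-sonicwall_rules.xml.

```python
import re

# Constructed sample for this example: two lines shaped like the ones quoted in
# the thread plus a hypothetical admin-login failure. The level paired with each
# line stands in for the rule it would match; it is a placeholder, not ruleset data.
SAMPLE_EVENTS = [
    ('2018 May 25 01:10:12 WazuhServerTirana->FirewallIP   id=firewall sn=C0EAE49Z345 '
     'pri=6 c=1024 m=537 msg="Connection Closed" src=10.x.x.x:57595:X2 '
     'dst=10.87.x.x:161:X2 proto=udp/161 rule="4 (Vodafone->Vodafone)" fw_action="NA"', 0),
    ('2018 May 25 01:10:09 WazuhServerTirana->FirewallIP   id=firewall sn=C0EAE49Z345 '
     'pri=6 c=262144 m=98 msg="Connection Opened" proto=udp/ntp rule="1 (LAN->WAN)"', 0),
    ('2018 May 25 01:12:00 WazuhServerTirana->FirewallIP   id=firewall sn=C0EAE49Z345 '
     'pri=1 msg="Administrator login failed" src=10.x.x.x:50000:X0', 5),
]

# key=value fields: a value is either double-quoted (may contain spaces and "->")
# or a run of non-blank characters such as 10.x.x.x:57595:X2 or udp/ntp.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_sonicwall(line):
    """Return the key=value payload of one SonicWall syslog line as a dict."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def reaches_alerts_json(rule_level, log_alert_level):
    """Mirror the manager's alert filter: the matched rule's level must meet
    <log_alert_level>, and level-0 rules never produce an alert at any setting."""
    return rule_level > 0 and rule_level >= log_alert_level


def triage(events, log_alert_level):
    """Split events into what archives.json (logall=yes, everything) and
    alerts.json (level-filtered) would receive; returns the two lists of msg values."""
    archives, alerts = [], []
    for line, rule_level in events:
        msg = parse_sonicwall(line)["msg"]
        archives.append(msg)
        if reaches_alerts_json(rule_level, log_alert_level):
            alerts.append(msg)
    return archives, alerts


if __name__ == "__main__":
    # Same three events under the default threshold (3) and the lowered one (1):
    # the connection open/close lines stay out of alerts.json either way.
    for threshold in (3, 1):
        archives, alerts = triage(SAMPLE_EVENTS, threshold)
        print(f"log_alert_level={threshold}: archives={len(archives)} alerts={alerts}")
```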
