Hi,
I am not sure I understood what you need. Do you have Wazuh already installed and working? Did you complete all the documentation steps so you can have all the out-of-the-box dashboards?

I can see you are receiving Windows events. Do you need to create a special and dedicated dashboard for Windows events?

You will need to use some filters in Kibana, for example:

Get all the Windows events: rule.groups: windows
Get Windows auth fail: rule.groups: win_authentication_failed

Playing a little bit with that you can make this up in ten minutes (click here <https://lh3.googleusercontent.com/-qu9R3b5lhYU/V2SfRVQBRPI/AAAAAAAAAEs/HjBWo-Lkjxc1twKsH7jUKK52kIURK5LsgCLcB/s1600/Screenshot%2BKibana%2Bwindows%2Bendpoints%2Bdashboard.png> to open it in another window).

Maybe you can get some info in the official Kibana dashboards docs. <https://www.elastic.co/guide/en/kibana/current/dashboard.html>

If you need some help creating the dashboard just tell us, or maybe we can talk through another channel (these are OSSEC lists :D)

Best regards,
Pedro S

On Friday, June 17, 2016 at 9:19:03 AM UTC-7, [email protected] wrote:
>
> Hello.
> I installed ossec-wazuh with Kibana on a Linux server.
> I want to monitor the Windows event log from 2 Active Directory servers.
> I have configured the agent on Linux for these servers and installed the OSSEC agent
> on the Windows server.
>
> The agent configuration on Windows is:
>
> <ossec_config>
>   <client>
>     <server-ip>192.168.12.14</server-ip>
>   </client>
> </ossec_config>
>
> <localfile>
>   <location>Application</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
>   <location>System</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> I receive this log in Kibana:
>
> {\"rule\":{\"level\":3,\"comment\":\"Windows User Logoff.\",\"sidid\":18149,\"firedtimes\":1,\"groups\":[\"windows\"],\"PCI_DSS\":[\"10.2.5\"]},\"dstuser\":\"Administrador\",\"full_log\":\"2016 Jun 07 10:33:48 WinEvtLog: Security: AUDIT_SUCCESS(551): Security: Administrador: PC-XP: PC-XP: Cierre de sesi\xF3n iniciada por el usuario: Nombre usuario: Administrador Dominio: DOM.local Id. de inicio de sesi\xF3n: (0x0,0xb73d9) \",\"id\":\"551\",\"status\":\"AUDIT_SUCCESS\",\"data\":\"Security\",\"systemname\":\"PC-XP\",\"decoder\":{\"name\":\"windows\"},\"hostname\":\"agent01\",\"agentip\":\"any\",\"timestamp\":\"2016 Jun 07 10:33:51\",\"location\":\"WinEvtLog\"}
>
> Please, how can I add a dashboard in the Kibana graphical interface
> for event log monitoring?
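
Added example, not part of the original thread and not Wazuh or Kibana code: a small Python sketch of what the two filters from the reply select and how a dashboard panel would bucket the matches. The alerts are constructed in the shape of the one quoted above, and exact string matching on `rule.groups` is an assumed simplification of how Kibana evaluates the filter.

```python
import json
from collections import Counter

# Constructed sample alerts (values are illustrative, not from the thread),
# one JSON document per line, using the field names of the quoted alert.
SAMPLE_ALERTS = """\
{"rule":{"level":3,"comment":"Windows User Logoff.","groups":["windows"]},"dstuser":"Administrador","systemname":"PC-XP","hostname":"agent01"}
{"rule":{"level":5,"comment":"Windows Logon Failure.","groups":["windows","win_authentication_failed"]},"dstuser":"jdoe","systemname":"DC01","hostname":"agent01"}
{"rule":{"level":5,"comment":"Windows Logon Failure.","groups":["windows","win_authentication_failed"]},"dstuser":"jdoe","systemname":"DC01","hostname":"agent01"}
{"rule":{"level":5,"comment":"Windows Logon Failure.","groups":["windows","win_authentication_failed"]},"dstuser":"Administrador","systemname":"DC02","hostname":"agent02"}
{"rule":{"level":5,"comment":"SSHD authentication failed.","groups":["syslog","sshd"]},"hostname":"linux01"}
"""

def load(text):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def get_field(doc, path):
    """Resolve a dotted field name such as 'rule.groups' in a nested alert."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches(doc, query):
    """Evaluate one 'field: value' filter; an array field matches when
    any of its elements equals the value."""
    field, _, wanted = query.partition(":")
    value = get_field(doc, field.strip())
    values = value if isinstance(value, list) else [value]
    return wanted.strip() in [str(v) for v in values if v is not None]

def panel(alerts, query, bucket_field):
    """Count the alerts that pass the filter, grouped by one field,
    highest count first (what a terms-style panel would chart)."""
    counts = Counter()
    for alert in alerts:
        if matches(alert, query):
            counts[str(get_field(alert, bucket_field))] += 1
    return counts.most_common()

if __name__ == "__main__":
    alerts = load(SAMPLE_ALERTS)
    # All Windows events per reporting system.
    print(panel(alerts, "rule.groups: windows", "systemname"))
    # Failed Windows logons per target account.
    print(panel(alerts, "rule.groups: win_authentication_failed", "dstuser"))
```
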
