Hello again Mikel,
If you receive Sonicwall events on the archives.log file, then you should
see them on the alerts.json file, BUT only if they are from *at least level
3* or higher.
This setting can be found inside the <alerts> tag on your ossec.conf file:
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
By default, the value is 3, but you can change it to 1, so you'll see all
the Sonicwall alerts starting from level 1. Keep in mind that, according to
the Sonicwall rules from our Ruleset repository
<https://github.com/wazuh/wazuh-ruleset/blob/v3.2.2/rules/0080-sonicwall_rules.xml>,
some of them are level 0, and those rules will never trigger alerts on the
alerts.json file.
Try changing the <log_alert_level> to 1 and then restart the manager:
systemctl restart wazuh-manager
Let me know if you can now see Sonicwall alerts on the alerts.json file. If
so, then they will appear on the Kibana app, just like I mentioned to you in
my previous message.
If you still have questions, please let me know.
Regards,
Juanjo
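The following is an added example, not code from the thread or from Wazuh itself. It models the two mechanics discussed above: the <log_alert_level> threshold in ossec.conf decides which matched events are written to alerts.json (with level-0 rules never producing an alert, whatever the threshold), and the rule.groups: sonicwall filter from the earlier reply narrows those alerts to the Sonicwall ones. The ossec.conf fragment, the rule ids, levels and log texts are constructed for the example and are not real ruleset entries.

```python
"""Added example: which matched events reach alerts.json, and the group filter.

Not part of the thread or of Wazuh; the config fragment and events are constructed.
"""
import json
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment containing only the <alerts> block quoted above.
# Caveat: a real ossec.conf may hold several top-level <ossec_config> elements;
# wrap the file in a dummy root before handing it to ElementTree in that case.
OSSEC_CONF = """<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>"""

# Constructed events in the shape of Wazuh alerts.json records (only the fields
# used here). Ids, levels and log text are made up, not real ruleset entries.
SAMPLE_EVENTS = [
    {"rule": {"id": "900001", "level": 0, "groups": ["syslog", "sonicwall"]},
     "full_log": "constructed: sonicwall event matched by a level-0 rule"},
    {"rule": {"id": "900002", "level": 1, "groups": ["syslog", "sonicwall"]},
     "full_log": "constructed: sonicwall informational event"},
    {"rule": {"id": "900003", "level": 3, "groups": ["syslog", "sonicwall"]},
     "full_log": "constructed: sonicwall notice"},
    {"rule": {"id": "900004", "level": 5, "groups": ["syslog", "sonicwall"]},
     "full_log": "constructed: sonicwall warning"},
    {"rule": {"id": "900005", "level": 7, "groups": ["syslog", "sshd"]},
     "full_log": "constructed: unrelated sshd event"},
]


def read_log_alert_level(conf_xml: str) -> int:
    """Return <alerts><log_alert_level> from an ossec.conf document (default 3)."""
    root = ET.fromstring(conf_xml)
    node = root.find("./alerts/log_alert_level")
    return int(node.text.strip()) if node is not None and node.text else 3


def reaches_alerts_json(event: dict, log_alert_level: int) -> bool:
    """Whether a matched event is written to alerts.json.

    A level-0 rule never produces an alert, whatever the threshold, so the
    effective minimum level is max(log_alert_level, 1).
    """
    level = int(event["rule"]["level"])
    return level >= max(log_alert_level, 1)


def alerts_for_group(events, log_alert_level: int, group: str = "sonicwall"):
    """Rule ids of events that reach alerts.json and carry `group`.

    This is the same selection as the Kibana search `rule.groups: sonicwall`
    applied to the contents of alerts.json.
    """
    return [e["rule"]["id"] for e in events
            if reaches_alerts_json(e, log_alert_level)
            and group in e["rule"].get("groups", [])]


def load_alerts_json(lines):
    """Parse alerts.json content, which stores one JSON object per line."""
    return [json.loads(line) for line in lines if line.strip()]


if __name__ == "__main__":
    threshold = read_log_alert_level(OSSEC_CONF)
    print("configured log_alert_level:", threshold)
    print("sonicwall alerts at that threshold:",
          alerts_for_group(SAMPLE_EVENTS, threshold))
    print("sonicwall alerts with log_alert_level 1:",
          alerts_for_group(SAMPLE_EVENTS, 1))
    # Round-trip through the one-object-per-line layout alerts.json uses.
    as_lines = [json.dumps(e) for e in SAMPLE_EVENTS]
    print("parsed records:", len(load_alerts_json(as_lines)))
```

With the default threshold only the level-3 and level-5 events are selected; lowering <log_alert_level> to 1 adds the level-1 event, while the level-0 event is never selected, which is the behaviour described for the level-0 Sonicwall rules.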
On Thursday, May 24, 2018, 11:53:42 (UTC+2), Mikel Sheshi wrote:
>
> Hello Juanjo,
> Thank you for the reply
> The problem is that I can see the logs of the Sonicwall on the directory
> /var/ossec/logs/archives
> But I don't see them on /var/ossec/logs/alerts
>
> I receive the logs in the Archives folder, but I don't receive any alert
> about them on alerts.json
> The question is: how to move the Sonicwall syslogs to the Alerts.json
> file?
>
> Thanks
> Mikeli
>
> On Wednesday, May 23, 2018 at 5:53:11 PM UTC+2, Juanjo Jiménez wrote:
>>
>> Hello Mikel,
>>
>> If you're getting Sonicwall alerts on the alerts.json file, you can see
>> them in Kibana. Currently, we don't have a specific tab for Sonicwall
>> alerts, but you can go to the *Overview* tab, and you'll see a search
>> bar (circled in red) where you can type the following:
>> rule.groups: sonicwall
>>
>> And press enter. This will filter the alerts by this group. You can also
>> open the *Discover* view (circled in red) to see the alerts in a
>> list-view mode, just like on Kibana's Discover tab on the left sidebar.
>>
>>
>> <https://lh3.googleusercontent.com/-jtRSbeXeqps/WwWKq39XVsI/AAAAAAAAAIk/jP_IS45b-M4SfDp5et5GvCagt6mw7UMrgCLcBGAs/s1600/searchbar.PNG>
>>
>> Let me know if this works for you.
>>
>> Regards,
>> Juanjo
>>
>> On Wednesday, May 23, 2018, 15:21:57 (UTC+2), Mikel Sheshi wrote:
>>>
>>> Hello,
>>> Is there any way to send sonicwall syslogs to the Kibana dashboard (Wazuh
>>> server)?
>>> I have set the logall option to "Yes" on ossec.conf
>>> <jsonout_output>yes</jsonout_output>
>>> <alerts_log>yes</alerts_log>
>>> <logall>yes</logall>
>>> I receive the logs on the /var/ossec/logs/archives
>>>
>>> But I want to see the alerts on Kibana dashboard gui
>>>
>>>
>>> - The file /var/ossec/logs/archives/archives.json contains all
>>> events whether they tripped a rule or not.
>>> - The file */var/ossec/logs/alerts/alerts.json* contains only events
>>> that tripped a rule.
>>>
>>> I want to see the sonicwall syslogs on alerts.json on Kibana in the
>>> same way that I see the wazuh agent logs
>>>
>>> Thanks
>>> Mikeli
>>>
>>>
You received this message because you are subscribed to the Google Groups
"ossec-list" group.