Hello again, 
Modified the ossec.conf to level 1 
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>mail.domain.com</smtp_server>
    <email_from>[email protected]</email_from>
    <email_to>[email protected]</email_to>
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>
</ossec_config>
But I still don't see the Sonicwall logs in alerts.json 
(I see them in archives.json). 

Thank you 
Mikeli 

On Thursday, May 24, 2018 at 12:58:59 PM UTC+2, Juanjo Jiménez wrote:
>
> Hello again Mikel,
>
> If you receive Sonicwall events on the archives.log file, then you should 
> see them on the alerts.json file, BUT only if they are from *at least 
> level 3* or higher.
>
> This setting can be found inside the <alerts> tag on your ossec.conf file:
> <alerts>
>     <log_alert_level>3</log_alert_level>
>     <email_alert_level>12</email_alert_level>
> </alerts>
>
> By default, the value is 3, but you can change it to 1, so you'll see all 
> the Sonicwall alerts starting from level 1. Keep in mind that, according to 
> the Sonicwall rules from our Ruleset repository 
> <https://github.com/wazuh/wazuh-ruleset/blob/v3.2.2/rules/0080-sonicwall_rules.xml>, 
> some of them are level 0, and those rules will never trigger alerts on the 
> alerts.json file.
>
> Try changing the <log_alert_level> to 1 and then, restart the manager:
> systemctl restart wazuh-manager
>
> Let me know if you can now see Sonicwall alerts on the alerts.json file. 
> If so, then they will appear on the Kibana app, just as I mentioned in my 
> previous message.
>
> If you still have questions, please let me know.
>
> Regards,
> Juanjo
>
> On Thursday, May 24, 2018, 11:53:42 (UTC+2), Mikel Sheshi wrote:
>>
>> Hello Juanjo, 
>> Thank you for the reply 
>> The problem is that I can see the logs of the Sonicwall on the directory 
>> /var/ossec/logs/archives 
>> But I don't see them on /var/ossec/logs/alerts 
>>
>> I receive the logs in the archives folder, but I don't receive any alert 
>> about them in alerts.json.
>> The question is: how do I move the Sonicwall syslogs to the alerts.json 
>> file?
>>
>> Thanks 
>> Mikeli
>>
>> On Wednesday, May 23, 2018 at 5:53:11 PM UTC+2, Juanjo Jiménez wrote:
>>>
>>> Hello Mikel,
>>>
>>> If you're getting Sonicwall alerts on the alerts.json file, you can see 
>>> them in Kibana. Currently, we don't have a specific tab for Sonicwall 
>>> alerts, but you can go to the *Overview* tab, and you'll see a search 
>>> bar (circled in red) where you can type the following:
>>> rule.groups: sonicwall
>>>
>>> And press enter. This will filter the alerts by this group. You can also 
>>> open the *Discover* view (circled in red) to see the alerts in a 
>>> list-view mode, just like on Kibana's Discover tab on the left sidebar.
>>>
>>>
>>> <https://lh3.googleusercontent.com/-jtRSbeXeqps/WwWKq39XVsI/AAAAAAAAAIk/jP_IS45b-M4SfDp5et5GvCagt6mw7UMrgCLcBGAs/s1600/searchbar.PNG>
>>>
>>> Let me know if this works for you.
>>>
>>> Regards,
>>> Juanjo
>>>
>>> On Wednesday, May 23, 2018, 15:21:57 (UTC+2), Mikel Sheshi wrote:
>>>>
>>>> Hello , 
>>>> Is there any way to send Sonicwall syslogs to the Kibana dashboard (Wazuh 
>>>> server)? 
>>>> I have set the logall option to "yes" in ossec.conf:
>>>>     <jsonout_output>yes</jsonout_output>
>>>>     <alerts_log>yes</alerts_log>
>>>>     <logall>yes</logall>
>>>> I receive the logs on the /var/ossec/logs/archives
>>>>
>>>> But I want to see the alerts on Kibana dashboard gui
>>>>
>>>>
>>>>    - The file /var/ossec/logs/archives/archives.json contains all 
>>>>    events whether they tripped a rule or not.
>>>>    - The file */var/ossec/logs/alerts/alerts.json* contains only 
>>>>    events that tripped a rule.
>>>>
>>>> I want to see the Sonicwall syslogs in alerts.json on Kibana in the 
>>>> same way that I see the Wazuh agent logs. 
>>>>
>>>> Thanks 
>>>> Mikeli 
>>>>
>>>>
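
The thread above turns on one mechanism: an event is written to alerts.json only when a rule matched it and that rule's level is at or above <log_alert_level>, and level-0 rules never alert no matter how low the threshold is set. The script below is an added example, not code from the thread or from the Wazuh project, that applies that decision to a handful of constructed archives.json lines so you can see which Sonicwall events would reach alerts.json at the default threshold (3) versus the threshold Mikel set (1). It assumes archives.json holds one JSON object per line with an optional "rule" object carrying "level" and "groups" (matching what the Kibana query "rule.groups: sonicwall" in the thread relies on); the rule ids, serial numbers and messages in the sample are made up. To run it against a real manager, point parse_archives at the contents of /var/ossec/logs/archives/archives.json.

```python
import json
from collections import Counter

# Default <log_alert_level> in ossec.conf is 3; the thread lowers it to 1.
DEFAULT_LOG_ALERT_LEVEL = 3

# Constructed sample of archives.json lines (not real Sonicwall or Wazuh output).
# Rule ids above 100000 are the custom-rule range, used here to mark them as invented.
SAMPLE_ARCHIVES = """\
{"timestamp":"2018-05-24T13:00:01.000+0200","rule":{"level":0,"id":"100001","groups":["sonicwall"]},"full_log":"id=firewall sn=PLACEHOLDER m=537 msg=\\"Connection Closed\\""}
{"timestamp":"2018-05-24T13:00:02.000+0200","rule":{"level":2,"id":"100002","groups":["sonicwall"]},"full_log":"id=firewall sn=PLACEHOLDER m=36 msg=\\"TCP connection dropped\\""}
{"timestamp":"2018-05-24T13:00:03.000+0200","rule":{"level":3,"id":"100003","groups":["sonicwall"]},"full_log":"id=firewall sn=PLACEHOLDER m=14 msg=\\"Web site access denied\\""}
{"timestamp":"2018-05-24T13:00:04.000+0200","full_log":"id=firewall sn=PLACEHOLDER m=999 msg=\\"no rule matched this one\\""}
{"timestamp":"2018-05-24T13:00:05.000+0200","rule":{"level":5,"id":"100005","groups":["pam","syslog"]},"full_log":"pam_unix(sshd:session): session opened for user alice"}
"""


def parse_archives(text):
    """Parse newline-delimited JSON (one event per line), skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def would_alert(event, log_alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Return True if this archives.json event would also be written to alerts.json.

    Mirrors the explanation in the thread: an event needs a matched rule, the rule
    must not be level 0, and its level must be >= <log_alert_level>.
    """
    rule = event.get("rule")
    if rule is None:
        return False                      # no rule matched: archives only
    level = int(rule.get("level", 0))
    if level == 0:
        return False                      # level-0 rules are silent at any threshold
    return level >= log_alert_level


def summarize_group(events, group="sonicwall", log_alert_level=DEFAULT_LOG_ALERT_LEVEL):
    """Count matched events of one rule group per level, and how many would alert.

    Use this as a diagnostic: if every Sonicwall event sits at level 0, lowering
    <log_alert_level> will not make any of them appear in alerts.json.
    """
    by_level = Counter()
    alerting = 0
    for event in events:
        rule = event.get("rule")
        if not rule or group not in rule.get("groups", []):
            continue
        by_level[int(rule.get("level", 0))] += 1
        if would_alert(event, log_alert_level):
            alerting += 1
    return {"by_level": dict(by_level), "alerting": alerting}


if __name__ == "__main__":
    events = parse_archives(SAMPLE_ARCHIVES)
    for threshold in (DEFAULT_LOG_ALERT_LEVEL, 1):
        result = summarize_group(events, log_alert_level=threshold)
        print(f"log_alert_level={threshold}: sonicwall events by level {result['by_level']}, "
              f"{result['alerting']} would reach alerts.json")
```

With the default threshold only the level-3 event would alert; at level 1 the level-2 event joins it, and the level-0 event stays in archives.json either way.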
