Configuring wazuh agent to send data to multiple servers

cesq

I wanted to try out SIEM capabilities of EnergyLogserver and for that I need wazuh_agent to gather data from hosts. The problem is that I already have a Wazuh solution implemented in my environment which is critical.
Every machine is sending data to my Wazuh instance and I want wazuh_agent to send data to both servers at once.
I haven't been able to figure out how to accomplish that, I've looked at Wazuh's docs and ELS docs which weren't helpful.
The only resource available on this topic is this github issue from 2021 which isn't helpful in my case: https://github.com/wazuh/wazuh/issues/10902.

So is there any workaround? Is it even possible to send data from wazuh_agent to Wazuh and EnergyLogserver at the same time?

SzymonC

Hi,

Generally it depends on the version of Wazuh deployment. Built-in integration is done with Wazuh 4.7, but that doesn't necessarily means we cannot gather data from deployments with higher versions.

Main stream of data from Wazuh comes from monitoring Wazuh alerts file, which you can locate at /var/ossec/logs/alerts/alerts.json. Verify if your Wazuh creates that file with all the detections and if yes, I'm sure we can work something out.

cesq

SzymonC My Wazuh is configured in such a way that it generates a lot of separate alert files. Divided for each year and month.
So the path for today's most recent alerts is /var/ossec/logs/alerts/2024/Oct/ossec-alerts-08-008.log.
It looks like this:

SzymonC

That shouldn't be a problem, really. Our default integration looks like this:

input {
	file {
		type => "wazuh-alerts"
		path => "/var/ossec/logs/alerts/alerts.json"
		codec => "json"
	}
}

So parser on localhost with Wazuh is monitoring the files. In your case, if Wazuh is writing to multiple files at once and then rotating them, that would look something like this:

input {
	file {
		type => "wazuh-alerts"
		path => "/var/ossec/logs/alerts/*/*/*.json"
		codec => "json"
	}
}

Not 100% if it would work as copy and paste, but if you like, we can run some test and see what will come out of this.

cesq

SzymonC So what it is exactly that I should do here?

SzymonC

Well, we have two options. If you feel somewhat comfortable with Energy Logserver, I can guide you here what to do, step by step. Or, if you prefer, we can schedule a MS Teams session and I or one of our engineers will explain how to move forward with this.
My address is szymon.cwieka at energylogserver.com

cesq

SzymonC I think I should be able to do what’s needed via step by step instructions, in case of any issues then we can schedule a session. Furthermore if someone has this issue in the future, they will have all the necessary info here.

SzymonC

Alright, good idea. Soon I'll post some instructions here, please be patient. 🙂

SzymonC

Okay, here we go. For this I assume that Wazuh file is available in the same server as the Network Probe.

First, we jump to Network Probe module:
We deploy pipeline to selected probe. Depending on how many Probes you have, you'll have that many options. By default, there should be at least one. After it's deployed you can click on the green box to go into that specific Network Probe. This is important to remember - if you have more than one Probe, remember to verify in which probe you are currently in.

In my deployment custom pipeline isn't working, because there are no files.

To fix this i quickly jump to my linux console, and create simple file by using following:

vim /etc/logstash/conf.d/custom/custom.conf
chown logstash: /etc/conf.d/custom/custom.conf

In the content of the file I've added:

input {}
filter {}
output {}

After that manual change I have to Re-register files. Using button Probe is scanning it's filesystem and shows new files. This might take a minute or two.

After file is registered and is visible in the UI, I can edit it with proper configuration:

input {
	file {
		type => "wazuh-alerts"
		path => "/var/ossec/logs/alerts/*/*/*.json"
		codec => "json"
	}
}
filter {}
output {
                logserver {
                        hosts => ["https://<ELS_IP>:9200"]
                        index => "wazuh-alerts-new"
                        ssl => true
                        ssl_certificate_verification => false
                        user => "${LOGSTASH_USER}"
                        password => "${LOGSTASH_PASS}"
                }
}

Once I'm done I click on the Reload button to make Probe load all the changes I've done to pipelines.

If everything went smooth, new events should be flowing to index wazuh-alerts-new. Now, this might take a moment, depending on how often new entries are being added to the wazuh file.
But this is still a start, as we missed whole filtering section. Our goal for this was to make sure data is going to the Logserver. Once we have it, later we can enhance it and refine it.

In the statistics of the Pipeline you can actually see if pipeline is ingesting and processing something.

Let me know if it worked and if I can help you with anything else. 🙂

cesq

SzymonC Thanks for the instructions, but my Wazuh and ELS istances are two separate machines, so the Wazuh file is sadly not available on the same server as ELS.

SzymonC

Hmm... Can you install new service there? Logstash to be precise. If so, we could move this whole parsing to the another Logstash instance.