SIEM module

Bakotech

Hi everybody. When installing dedicated nodes on a remote server. Do I need to install only logstash? or do I still need to install SIEM components? How do I normally use wazuh agents behind a dedicated server?

Bakotech

Another question is how to set up a dedicate, so that logs are stored on it, and only logs for certain events are sent to the central one?

MariuszL

Hello,

I'm not sure I understand you correctly, but if you want install dedicated data node you should use install.sh script and choose "data-node" dependencies option:

https://kb.energylogserver.com/en/latest/01-Installation/01-Installation.html

If we talking about SIEM components, they should be installed on the client node.

If you want to install the wazuh agent, the most important thing is that the configuration file should include the ip address of the wazuh manager and the appropriate protocol, something like below:
./wazuh-agent.msi /q WAZUH_MANAGER='127.0.0.1' WAZUH_REGISTRATION_SERVER='127.0.0.1' WAZUH_MANAGER_PORT='1514' WAZUH_PROTOCOL='tcp'

Regarding the last question "Another question is how to set up a dedicate, so that logs are stored on it, and only logs for certain events are sent to the central one?" Could you describe the architecture of the system you mention?

Bakotech

Does it turn out that only logstash needs to be installed on a dedicated node?
Does Wazuh-manager need to be installed on a dedicated node?

SzymonC

Let me just jump in and clarify 🙂

Dedicated data node has the functions for filtering and parsing data, so we have full access to filter out or drop portion of the data before sending it to database. Parser is very flexible on that regard.

For storing data and securing them locally on dedicated node it is always best idea to use database. Energy Logserver database is most flexible and the best approach to secure data on dedicated node.
Because of parser flexibility we do have other options, like storing data in temporary file, but database is still best option.

And finally for SIEM components - if possible it a good idea to install correlation engine on dedicated node, but it is not a strict requirement. SIEM agent can send data to parser through syslog and then parser will deliver that data to remote correlation engine. This mainly depends on the surrounding conditions, like: network stability, performance of dedicated data node, data storage and so on.

Hope it helps. If you have any further questions - ask away 😉