Skip to content

WrongProvider/wazuh_decoders

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

README.md

README.md

 
 

kaspersky_decoder.xml

kaspersky_decoder.xml

 
 

kaspersky_rules.xml

kaspersky_rules.xml

 
 

ossec.conf

ossec.conf

 
 

rsyslog.conf

rsyslog.conf

 
 

Repository files navigation

Wazuh Decoders for Kaspersky (syslog)

wazuh configurations that works

🚧 Project in development 🚧

Wazuh Kasperky Security Center integration

We are going to export all malware events that kasperky generates to a Syslog server that runs Wazuh Agent.

working with Syslog RFC5424

Why? - because you can export in this format even if you don't have the superior license for Endpoint Protection

The way to the clouds:

Using a syslog (rsyslog) to write log files from KSC and the Wazuh Agent sending then to Wazuh

image

Because Kasperky syslog is way too indistinguishable, the only way that a I got to work out was to create a template in Rsyslog:

In Rsyslog server:

  1. modify the /etc/rsyslog.conf
  2. create a logrotate in /etc/logrotate.d/rsyslog, to maintain space
  3. systemctl restart rsyslog.service

In wazuh agent:

  1. modify the /var/ossec/etc/ossec.conf, to make the agent read the syslog archive
  2. systemctl restart wazuh-agent

In Wazuh server:

  1. create the decoder
  2. create the rules
  3. systemctl restart wazuh-manager

The files in this repo contains an explanation for each one of them.

image

About

wazuh configurations that works

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published