
securityonion-elastic: update Logstash config to support Wazuh 3.8 agent #1469

Closed
dougburks opened this issue Mar 1, 2019 · 6 comments

@dougburks
Contributor

commented Mar 1, 2019

From Kevin Branch:

Starting with 3.8, the way Windows Wazuh agents collect Windows event logs is much different if using the eventchannel rather than the eventlog format on the agent. That makes a huge difference in what alerts.json and archives.json will look like for Windows eventchannel inputs.

https://groups.google.com/d/topic/security-onion/t0rlullvD3c/discussion

Looks like this affects, at minimum, Security logs and Sysmon logs.

We'll need to update, at minimum, 6500_ossec.conf and 6501_ossec_sysmon.conf to support the new format.

Also see:
https://groups.google.com/d/topic/security-onion/UtdiicGvCkw/discussion

@dougburks dougburks added this to To do in 16.04.6.1 via automation Mar 1, 2019

@branchnetconsulting


commented Mar 2, 2019

Windows Wazuh agent 3.8.2 defaults to collecting only Windows logs Application, Security, and System. Of those three only Security is by default collected via the new eventchannel log format, while the legacy eventlog format is still by default used for the other two. As I understand, this difference is only due to Wazuh needing to catch the rest of their ruleset up to this change. Any logs, including non-default ones like Sysmon, collected by Wazuh 3.8+ via the eventchannel format will now be passed along with richly decoded fields that are named much differently than the limited fields formerly extracted from Windows logs. I rather expect Wazuh will soon make eventchannel the default for all Windows logs period.

@dougburks dougburks moved this from To do to In progress in 16.04.6.1 Mar 11, 2019


@dougburks dougburks moved this from In progress to In Testing in 16.04.6.1 May 3, 2019


@dougburks dougburks closed this May 13, 2019

16.04.6.1 automation moved this from In Testing to Done May 13, 2019

@branchnetconsulting


commented May 13, 2019

For your reference, starting with Wazuh 3.9.0 the default Windows agent configuration now uses the eventchannel log format with the associated JSON transmission for all of the legacy Windows event logs and there really is no reason I am aware of at this point to use any other log format for any Windows event logs, legacy or otherwise.

@dougburks

Contributor Author

commented May 13, 2019

Thanks @branchnetconsulting!

I've created the following issues for tracking:

#1521

#1522
