Read logs from Wazuh

[karl20012023]

Does anyone had try setup Evebox to read logs from Wazuh? My configuration is that I have 1 Wazuh server and 1 Suricata server installed wazuh agent. Wazuh displaying logs from Suricata currently. I'd try to install Evebox in wazuh server but haven't succeeded to get it running. I have try to config evebox.yaml using elasticsearch and filebeat with no luck.

root@wazuh:~# evebox server -e http://localhost:9200 --ecs --index filebeat
2023-12-13 10:03:21 INFO evebox::version: This is EveBox version 0.17.2 (rev: 536be8d); x86_64-unknown-linux-musl
2023-12-13 10:03:21 WARN evebox::elastic::client: Failed to get Elasticsearch version from http://localhost:9200, will try again: Reqwest(reqwest::Error { kind: Request, url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("localhost")), port: Some(9200), path: "//", query: None, fragment: None }, source: hyper::Error(IncompleteMessage) })

My evebox.yaml config

This is a minimal evebox.yaml for Elasticsearch and SQLite.

http:

By default, EveBox binds to localhost. Uncomment this line to open

it up.

#host: "0.0.0.0"

database:
type: elasticsearch

elasticsearch:
url: http://127.0.0.1:9200

## If using the Filebeat Suricata module, you'll probably want to
## change the index to "filebeat".
index: filebeat

# If using the Filebeat Suricata module this needs to be true.
ecs: true

## If your Elasticsearch is using a self-signed certificate,
## you'll likely need to set this to true.
#disable-certificate-check: true

## If your Elasticsearch requires a username and password, provide
## them here.
#username: admin
#password: eScYTShaV6BZIIgHvNaAycMmR?8l*VOP

retention:
# Only keep events for the past 7 days.
# - SQLite only
# - Default 7 days
# - Set to 0 to disable
#days: 7

# Maximum database size.
# - SQLite only
# - No default
#size: "20 GB"

The server can process events itself when using SQLite or a classic

Logstash style Elasticsearch template.

input:
enabled: false

Suricata EVE file patterns to look for and read.

paths:
- "/var/log/suricata/eve.json"
- "/var/log/suricata/eve.*.json"

[jasonish]

It looks like TLS might be enabled on Elasticsearch, you can do some quick tests with curl to find out:

curl -v http://localhost:9200

curl -v https://localhost:9200

If successful you'll see something like:

{
  "name" : "75e5a805aa89",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "q-z6vzuHRE6fEb-ycOf3GQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.11.1",
    "build_type" : "tar",
    "build_hash" : "6b1986e964d440be9137eba1413015c31c5a7752",
    "build_date" : "2023-11-29T21:43:10.135035992Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
}

But note that Wazuh very likely has its own schema that EveBox does not understand.

[karl20012023]

Hi @jasonish . Thanks for the reply. Yes it looks like TLS enabled. So in this situation what should I do to make Evebox connect and read logs in Wazuh? And if after connecting Evebox turns out not compatible with Wazuh, should I just install Exebox directly on Suricata server?

Thanks.

root@wazuh:~# curl -v http://localhost:9200

• Trying 127.0.0.1:9200...
• Connected to localhost (127.0.0.1) port 9200 (#0)

GET / HTTP/1.1
Host: localhost:9200
User-Agent: curl/7.81.0
Accept: /

• Empty reply from server
• Closing connection 0
  curl: (52) Empty reply from server

root@wazuh:~# curl -v https://localhost:9200

• Trying 127.0.0.1:9200...
• Connected to localhost (127.0.0.1) port 9200 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: /etc/ssl/certs
• TLSv1.0 (OUT), TLS header, Certificate Status (22):
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS header, Certificate Status (22):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.2 (IN), TLS handshake, Certificate (11):
• TLSv1.2 (OUT), TLS header, Unknown (21):
• TLSv1.2 (OUT), TLS alert, unknown CA (560):
• SSL certificate problem: unable to get local issuer certificate
• Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[jasonish]

curl -k -v https://localhost:9200/ should work then for the self signed certificate.

The equivalent command for EveBox would be something like:

evebox server -e https://localhost:9200 -k

But from a little research, Wazuh uses its own schema, so even if you can connect EveBox, it probably won't be of much use.

[jasonish]

Thanks for the reply. Yes it looks like TLS enabled. So in this situation what should I do to make Evebox connect and read logs in Wazuh? And if after connecting Evebox turns out not compatible with Wazuh, should I just install Exebox directly on Suricata server?

Sorry, I missed this bit.

You do have a few options. Simplest would be to run EveBox using SQLite directly on the Suricata server. I do recommend using the latest development build tho, https://evebox.org/files/development/ -- these are going to be tagged 0.18.0 anytime soon, perhaps with some very minor changes.

The something like:

evebox server --database sqlite --host 0.0.0.0 /var/log/suricata/eve.json

Or if you do want to leverage that Elasticsearch on the Wazuh server you could try something like (on the Suricata machine):

evebox server -k -e https://your-wazuh-ip:9200 -i evebox /var/log/suricata/eve.json

that will depend on the Wazuh elastic being accessible from a remote host.

Otherwise you start to get into client/server models, running the EveBox server on one machine, and the agent on your Suricata machines.

[karl20012023]

I have installed Evebox in Suricata machine but can't open http://[evebox.ip]:5636.

root@siem-suricata:/var/lib/evebox# evebox version
EveBox Version 0.18.0-dev (rev e4ce24c); x86_64-unknown-linux-musl

root@siem-suricata:/var/lib/evebox# evebox print
thread 'main' panicked at src/commands/print.rs:21:13:
internal error: entered unreachable code
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

root@siem-suricata:/var/lib/evebox# netstat -pantul
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 778/systemd-resolve
tcp 0 0 127.0.0.1:5636 0.0.0.0:* LISTEN 2995/evebox
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 862/sshd: /usr/sbin
tcp 0 0 10.141.1.244:36044 10.141.1.243:1514 ESTABLISHED 924/wazuh-agentd

[jasonish]

evebox print is one of those commands that needs finishing. Whats your full command line to start the server? It looks like its bound to localhost. So you'll need something like --host 0.0.0.0 or replace that with the IP address of the management interface on the machine.

[karl20012023]

I got this error when using evebox server --database sqlite --host 0.0.0.0 /var/log/suricata/eve.json

root@siem-suricata:~# evebox server --database sqlite --host 0.0.0.0 /var/log/suricata/eve.json
2023-12-15 04:46:53 INFO evebox::version: This is EveBox version 0.18.0-dev (rev: e4ce24c); x86_64-unknown-linux-musl
2023-12-15 04:46:53 WARN evebox::server::main: No data-directory provided, will use /root/.config/evebox
2023-12-15 04:46:53 INFO evebox::sqlite::connection: Auto-vacuum: 1
2023-12-15 04:46:53 INFO log: current version: 4
2023-12-15 04:46:53 INFO log: no migrations to apply
2023-12-15 04:46:53 INFO evebox::sqlite::connection: Updating SQLite indexes
2023-12-15 04:46:53 INFO evebox::server::main: FTS enabled: true
2023-12-15 04:46:53 INFO evebox::sqlite::retention: Database retention settings: days=7, size=0
2023-12-15 04:46:53 INFO evebox::server::main: Configuration database filename: "/root/.config/evebox/config.sqlite"
2023-12-15 04:46:53 INFO log: current version: 1
2023-12-15 04:46:53 INFO log: no migrations to apply
2023-12-15 04:46:53 WARN evebox::server::main: Failed to open GeoIP database: error=No database file found
2023-12-15 04:46:53 INFO evebox::server::main: Starting server on 0.0.0.0:5636, tls=true
2023-12-15 04:46:53 INFO evebox::server::main: Using directory /root/.config/evebox for self signed TLS certificate and key files
2023-12-15 04:46:53 INFO evebox::cert: Found existing TLS certificate and key: /root/.config/evebox/cert.pem, /root/.config/evebox/key.pem
2023-12-15 04:46:53 INFO evebox::eve::watcher: Found EVE input file /var/log/suricata/eve.json
2023-12-15 04:46:53 INFO evebox::eve::watcher: Starting EVE processor for /var/log/suricata/eve.json
2023-12-15 04:46:53 INFO evebox::eve::processor: Invalid bookmark found: inode mismatch
2023-12-15 04:46:53 ERROR evebox::server::main: Failed to start TLS HTTP service: Address in use (os error 98)
2023-12-15 04:47:56 INFO evebox::sqlite::retention: Events purged in last 60s: 0

Then I tried using evebox server -D /var/log/suricata/eve.json --sqlite --host 0.0.0.0

root@siem-suricata:~# evebox server -D /var/log/suricata/eve.json --sqlite --host 0.0.0.0
2023-12-15 04:50:07 INFO evebox::version: This is EveBox version 0.18.0-dev (rev: e4ce24c); x86_64-unknown-linux-musl
thread 'main' panicked at /home/jason/projects/evebox/main/src/server/main.rs:557:64:
called Result::unwrap() on an Err value: SqliteFailure(Error { code: CannotOpen, extended_code: 14 }, Some("unable to open database file: /var/log/suricata/eve.json/events.sqlite"))
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

[jasonish]

You either have another EveBox process already running and listening on port 5636. Or you have another process running on port 5636. If its another EveBox process, kill it. If its another program completely, choose another port with --port XXXX.