Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to to retrieve OSSEC's log alerts into Elasticsearch (ELK)?

Tags:

elastic-stack

ossec

I have tried this tutorial. But it didn't catch the OSSEC log (alerts, syslog, etc), it just give me this message for my Kibana apps.

Couldn't find any Elasticsearch data You'll need to index some data into Elasticsearch before you can create an index pattern.

I know that there is some tutorial like this. But it's required to use wazuh package and I dont want to use it, I just want to use the pure OSSEC. My OSSEC and ELK apps are located in the samw machine

My question is, How can I integrate OSSEC with ELK ? What configuration do i have to do first before starting connected OSSEC to ELK ?

like image 645
Gagantous Avatar asked Mar 14 '18 07:03

Gagantous

People also ask

How do you check elk logs?

Create a data view, to make your logs visible in Discover. In the deployment where your logs are stored, open Kibana. In the Analytics sidebar navigate to Discover. Select the data view you created, and you are ready to explore these logs in detail.

How do I view alerts in Kibana?

Head to the Alerts and Actions section inside the Kibana Management tab to see, search, and filter all of your alerts from a central location.

How do I check Elasticsearch logs?

To access logs, run docker logs . For Debian installations, Elasticsearch writes logs to /var/log/elasticsearch . For RPM installations, Elasticsearch writes logs to /var/log/elasticsearch .

1 Answers

You need to load the data template so that Elastisearch can understand the format of the alert data. You can use the one made by Wazuh, or you could download it and modify it to "make your own". If you go down this road you will eventually end up trying to re-write Wazuh, which you don't need to do because it is open source. You can just download all the source files and do whatever you want with them.

Command to load template:

curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

Download Template:

https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json

-OR-

You could just spin up a Docker container that is ready to go:

https://github.com/wazuh/docker-ossec-elk

like image 165
HackSlash Avatar answered Sep 29 '22 21:09

HackSlash
Sign in to Comment

Related questions

elasticsearch es_rejected_execution_exception
com.mysql.jdbc.Driver not loaded. Are you sure you've included the correct jdbc driver in :jdbc_driver_library
Logstash not working with multiple files wildcard path
ELK process multiline logs from multiple docker images
Use filebeat or logstash to open gzip files
Elasticsearch - Want to sort by field in all indices where that particular field available or not if not then avoid it
Good setup on AWS for ELK
Is it a good idea to use serilog to write logs directly to the elasticsearch
Timelion split multiple times
Best Docker logging architecture using ELK stack
Feeding logstash from azure web app. How?
Confusions about the Elasticsearch json dsl query structure
How to set an Elasticsearch output template in Logstash
is Security free in Elastic search Stack Features?
Connect two instances of docker-compose
analyzed or not_analyzed, what to choose
Elasticsearch query not giving exact match

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!