ykrishnatuc
commented
8 months ago I did not find any proper solution for "agent performs detection and then sends its own log to server." In some articles, the agent performs both detection and log forwarding, while in other articles, the agent only forwards logs. This is confusing, but from my understanding, the agent typically only forwards logs to the server.
Here are some references for how an agent works:
- Incident RespIncident Response with Threat Intelligence: Practical insights into developing an incident response capability through intelligence-based threat hunting :By Roberto MartinezMartinez
- Proceedings of Eighth International Congress on Information and Communication Technology: ICICT 2023, London, Volume 2 edited by Xin-She Yang
- 2019_TFG_Gómez_IDS(pdf)
We are sending the logs to W for further analysis, hence
The agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel. Hence,
[ ] Does the agent perform the detection and then send its own log to W? Or does it just send logs to W? (form windows/linux as well as Suricata)
[ ] If it sends where the logs are stored in W? How can we access those logs from the dashboard or from the disk itself (e.g. for backup purposes)
[ ] How W can automatically compress or manage the collected logs? pls share the related documents in this issue.
From detection perspective
[ ] how a malicious event is detected by W?
[x] How to configure or add an arbitrary signature to W?