Open Mehrdad-hajizadeh opened 9 months ago
I did not find any proper solution for "agent performs detection and then sends its own log to the server." In some articles, the agent performs both detection and log forwarding, while in other articles, the agent only forwards logs. This is confusing, but from my understanding, the agent typically only forwards logs to the server.
We are sending the logs to W for further analysis, hence:

> The agent helps to protect your system by providing threat prevention, detection, and response capabilities. It is also used to collect different types of system and application data that it forwards to the Wazuh server through an encrypted and authenticated channel.

Hence,
- [ ] Does the agent perform the detection and then send its own log to W? Or does it just send logs to W? (for Windows/Linux as well as Suricata)
- [ ] If it does, where are the logs stored in W? How can we access those logs from the dashboard or from the disk itself (e.g. for backup purposes)?
- [ ] How can W automatically compress or manage the collected logs? Please share the related documents in this issue.

From a detection perspective:

- [ ] How is a malicious event detected by W?
- [x] How to configure or add an arbitrary signature to W?
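Added example for the last checklist item (adding an arbitrary signature), not taken from this issue or from the Wazuh project's own rule set: a custom decoder plus a small rule chain for a made-up application log line. Wazuh matches rules on the manager (wazuh-analysisd), not on the agent, so both files live on the manager. Custom rule IDs 100000 to 120000 are reserved for local rules; the application name `myapp`, the log format, the field names and the rule IDs below are assumptions for illustration.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (on the Wazuh manager) -->
<!-- Constructed sample line this decoder is written for:
     myapp: user=alice action=login_failed src=203.0.113.5          -->
<decoder name="myapp">
  <!-- prematch selects the program; the regex in the child extracts fields -->
  <prematch>^myapp: </prematch>
</decoder>

<decoder name="myapp-fields">
  <parent>myapp</parent>
  <regex offset="after_parent">user=(\S+) action=(\S+) src=(\S+)</regex>
  <!-- capture groups are mapped, in order, onto these standard field names -->
  <order>user, action, srcip</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (on the Wazuh manager) -->
<group name="local,myapp,">
  <!-- base rule: any decoded myapp line, low level so it is not alerted by default -->
  <rule id="100100" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp: event from user $(user)</description>
  </rule>

  <!-- the "arbitrary signature": match a specific decoded field value -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <action>login_failed</action>
    <description>myapp: failed login for $(user) from $(srcip)</description>
  </rule>

  <!-- correlation: repeated failures from one source IP inside the timeframe -->
  <rule id="100102" level="12" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>myapp: repeated failed logins from $(srcip)</description>
  </rule>
</group>
```

After saving both files, restart the manager (`systemctl restart wazuh-manager`) and paste the sample line into `/var/ossec/bin/wazuh-logtest` to confirm the decoder extracts `user`, `action` and `srcip` and that rule 100101 fires; feeding the same line several times within 120 seconds should then trigger 100102. Rule 100101 only fires because the field value `login_failed` is matched with `<action>`, which is the point of the example: the detection logic is expressed against decoded fields on the manager, while the agent only ships the raw line.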