Closed maaneeel closed 1 year ago
Hi @maaneeel,
I am not sure if you want the cribl data to be analyzed by Wazuh or only want it to be searchable through Elasticsearch or Kibana.
The data ingested by Wazuh into Elasticsearch adds some useful data, such as the source of the logs, regulatory compliance information, security level, and more. If you plan to use the Wazuh plugin for Kibana to explore this data, then you should send the cribl data to be analyzed by the Wazuh manager.
If you want to explore the data coming from cribl through the Wazuh plugin for Kibana, then you need the cribl logs to be analyzed by Wazuh.
You will need:
- A way to collect the logs and send them to the Wazuh manager to be analyzed. Depending on where these logs are stored or generated, you could use a Wazuh agent to collect these logs from a local file or send them through remote syslog. See https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html.
- If the logs have a format for which there is no specific Wazuh decoder, you will have to create a custom one. There is a built-in JSON decoder that can handle ndjson-format logs. See https://documentation.wazuh.com/current/user-manual/ruleset/json-decoder.html. For the CEF case, I am not sure if there is a built-in decoder; if not, then you might need to create a custom one. See https://documentation.wazuh.com/current/user-manual/ruleset/custom.html and https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/.
- Custom rules that match the specific situations you want Wazuh to alert on. This means the logs that match a rule trigger a Wazuh alert. You can create general rules that match all the cribl logs or some special rules that match specific situations reported by the cribl logs. The generated Wazuh alerts will be indexed in Elasticsearch and they will be searchable from the Wazuh plugin for Kibana. See https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/.

:information_source: By default, only the alerts whose rule level is greater than 3 will generate an alert. Remember the generated alert will be sent to Elasticsearch through Filebeat. This is important if you design custom Wazuh rules and want to generate Wazuh alerts. See https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html#log-alert-level
I will close the issue due to inactivity. Feel free to open it again if necessary.
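As an added illustration of the custom-rules step and the alert-level note in the reply above (example written for this thread, not code from the original reply or from the Wazuh project): a rule fragment for ndjson events forwarded by cribl to the Wazuh manager. It assumes the events carry the constructed fields `cribl_pipe` and `severity`, uses the built-in `json` decoder, and takes rule IDs 100100 and 100101 from the custom range.

```xml
<!-- Added example, not from the original thread or the Wazuh ruleset.
     Assumes cribl forwards ndjson events to the Wazuh manager and that each
     event carries the constructed fields "cribl_pipe" and "severity". -->
<group name="cribl,json,">

  <!-- Parent rule: matches every JSON event that carries a cribl_pipe field.
       Level 2 sits below the default alert threshold, so plain pass-through
       traffic is decoded and available to child rules without producing alerts. -->
  <rule id="100100" level="2">
    <decoded_as>json</decoded_as>
    <field name="cribl_pipe">\.+</field>
    <description>Cribl event received from pipeline $(cribl_pipe)</description>
  </rule>

  <!-- Child rule: only events the upstream pipeline marked as high severity are
       raised to level 7, which is above the threshold and therefore generates an
       alert that Filebeat ships to Elasticsearch for the Wazuh plugin for Kibana. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="severity">^high$</field>
    <description>Cribl high-severity event from pipeline $(cribl_pipe)</description>
  </rule>

</group>
```

Place the fragment in the manager's custom rules file and restart the manager; a CEF feed would additionally need its own decoder before a similar rule pair could match on its fields.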
Hello,
First of all, sorry if it's not the place to ask about it.
I would like to start using Wazuh with an Elasticsearch database at the same time as another SIEM, to receive logs in both environments. I'm planning to distribute a copy of the events from cribl to both environments; note that these logs are a mix of CEF and JSON.
Then, in cribl I'm able to forward events directly to Elasticsearch because it is one of the output options that cribl offers.
Is it possible to do that and search for these events from Wazuh? Or should they be transformed and indexed by Wazuh to be searchable by Wazuh?
Thanks