wazuh / wazuh-splunk

Wazuh - Splunk App
https://wazuh.com
GNU General Public License v2.0

API configuration Remove credentials #47

Closed kulozzzz closed 6 years ago

kulozzzz commented 6 years ago

Hello, I downloaded the wazuh-3.2.2-2.2.0.zip directly and unzipped it to $SPLUNK_HOME/etc/app/. Edit the file inputs.conf:

[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = wazuhmanager
index = wazuh
sourcetype = wazuh

Edit the file and add the following stanza on props.conf. If it doesn't exist, create it:

[wazuh]
DATETIME_CONFIG = 
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true

$SPLUNK_HOME/bin/splunk restart

After the restart is complete, I go to the WAZUH app and it prompts "API configuration Remove credentials". Is there any other configuration I haven't done yet?

manuasir commented 6 years ago

Hi @kulozzzz ,

Let's check the installation steps, according to the instructions:

Indexer / Search head:

Download the wazuh-3.2.2-2.2.0.zip directly from the repository and unzip it to $SPLUNK_HOME/etc/apps/

Setup Receiving

  1. Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997", the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

    CLI mode:

    Add a new receiving configuration by editing the inputs.conf file, adding the following lines:

    [splunktcp://9997]
    connection_host = <forwarder ip>

    Web GUI:

    1. Click Settings > Forwarding and receiving.
    2. At Configure receiving, click Add new.
    3. Set the chosen port.

### In the forwarder machine - Wazuh Manager:

  2. You must install Splunk Forwarder on your Wazuh Manager.
  3. Go to $SPLUNKFORWARDER_HOME/etc/system/local.
  4. Edit the file inputs.conf:

    [monitor:///var/ossec/logs/alerts/alerts.json]
    disabled = 0
    host = wazuhmanager
    index = wazuh
    sourcetype = wazuh

    • host = wazuhmanager, hostname of the Wazuh Manager.
    • index = wazuh, the default index to store alerts.
    • sourcetype = wazuh, the default sourcetype for received alerts.

  5. Edit the file and add the following stanza on props.conf. If it doesn't exist, create it:

    [wazuh]
    DATETIME_CONFIG = 
    INDEXED_EXTRACTIONS = json
    KV_MODE = none
    NO_BINARY_CHECK = true
    category = Application
    disabled = false
    pulldown_type = true

  6. Point the output to the Wazuh's Indexer (or indexers):

    $SPLUNKFORWARDER_HOME/bin/splunk add forward-server <host name or ip address>:<listening port>

    • host name or IP address: IP address of the Splunk Indexer.
    • listening port: by default port 9997.
    • Remember that the Splunk username/password are admin/changeme by default.

If everything was OK, you only have to navigate to http://your-indexer-ip:splunk-port and click on the Wazuh app icon. You will be redirected to the API Configuration tab, in which you will have to set up the Wazuh API IP, port and credentials. After this, a green light might appear and the app should run properly. Please, let me know if you're still in trouble after doing the steps.

Regards, Manu

kulozzzz commented 6 years ago

@manuasir hello, I have already done all of the above configuration, but when I click on the application, it still appears as in the figure above.

kulozzzz commented 6 years ago

@manuasir Is this related to my SPLUNK version? I use the 6.4.3 version of splunk

manuasir commented 6 years ago

Hi @kulozzzz ,

Sorry for the late response; unfortunately the Wazuh app for Splunk works with Splunk Enterprise versions greater than v6.6.x. I'd recommend you to upgrade to the latest version, v7.1.0, in order to get the latest improvements and fixes; maybe this document or this other one could be interesting if you finally decide to upgrade. Also I will be happy to help you with the upgrading process if you need it. Thank you for your patience and please, do not hesitate to open a new issue in the future.

Regards, Manu
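A small checker for the forwarder-side stanzas given above and the Splunk version floor stated in this comment, written as an added example for this page and not part of the Wazuh app or the thread. The two .conf texts are constructed samples mirroring the quoted stanzas, and the checks encode only what the thread states (the monitor and props keys, and a minimum of 6.6).

```python
from typing import Dict, List, Tuple
# Constructed sample files mirroring the stanzas quoted in the thread (not read from disk).
INPUTS_CONF = """[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
index = wazuh
sourcetype = wazuh
"""
PROPS_CONF = """[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
"""
ALERTS_STANZA = "monitor:///var/ossec/logs/alerts/alerts.json"
EXPECTED_INPUT = {"disabled": "0", "index": "wazuh", "sourcetype": "wazuh"}
EXPECTED_PROPS = {"INDEXED_EXTRACTIONS": "json", "KV_MODE": "none"}
MIN_SPLUNK = (6, 6)  # version floor stated in the thread: Splunk Enterprise above 6.6.x


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf files: [stanza] headers and key = value lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()  # empty values are kept
    return stanzas


def config_problems(inputs_text: str, props_text: str) -> List[str]:
    """List mismatches against the monitor and props stanzas the thread prescribes."""
    problems: List[str] = []
    monitor = parse_conf(inputs_text).get(ALERTS_STANZA, {})
    for key, want in EXPECTED_INPUT.items():
        if monitor.get(key) != want:
            problems.append(f"inputs.conf: {key}={monitor.get(key)!r}, expected {want!r}")
    # props.conf needs a stanza named after the sourcetype the monitor input assigns.
    props = parse_conf(props_text).get(monitor.get("sourcetype", ""), {})
    for key, want in EXPECTED_PROPS.items():
        if props.get(key) != want:
            problems.append(f"props.conf: {key}={props.get(key)!r}, expected {want!r}")
    return problems


def splunk_version_ok(version: str, minimum: Tuple[int, ...] = MIN_SPLUNK) -> bool:
    """True when a dotted version such as '6.4.3' meets the minimum (tuple comparison)."""
    return tuple(int(p) for p in version.split(".")) >= minimum
```

Run `config_problems` against the real $SPLUNKFORWARDER_HOME/etc/system/local files and `splunk_version_ok` against the output of `splunk version` to catch the two mistakes discussed in this issue before opening the app.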

kulozzzz commented 6 years ago

@manuasir I updated our SPLUNK and successfully ran the wazuh app, thanks

manuasir commented 6 years ago

Hi @kulozzzz ,

Nice to hear that. I'd like to thank you for the report; the required version for the app will be included in our README. Please, don't hesitate to open a new issue if you need it, and keep a close eye on the upcoming app release.

Regards, Manu