Closed kulozzzz closed 6 years ago
Hi @kulozzzz ,
Let's check the installation steps, according to the instructions:

Download the wazuh-3.2.2-2.2.0.zip directly from the repository and unzip it to $SPLUNK_HOME/etc/apps/

Specify the TCP port you want the receiver to listen on (the listening port, also known as the receiving port). For example, if you enter "9997," the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.

Add a new receiving configuration editing inputs.conf file, adding the following lines:

```
[splunktcp://9997]
connection_host = <forwarder ip>
```
1. Click Settings > Forwarding and receiving.
2. At Configure receiving, click Add new.
3. Set the chosen port.
### _**In the forwarder machine - Wazuh Manager**_:

Edit the file inputs.conf in $SPLUNKFORWARDER_HOME/etc/system/local:

```
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = wazuhmanager
index = wazuh
sourcetype = wazuh
```

- `host = wazuhmanager`: hostname of Wazuh Manager.
- `index = wazuh`: index by default to store alerts.
- `sourcetype = wazuh`: sourcetype by default to alerts received.

Edit the file and add the following stanza on props.conf. If it doesn't exist, create it:

```
[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true
```

```
$SPLUNKFORWARDER_HOME/bin/splunk add forward-server <host name or ip address>:<listening port>
```

- `host name or IP address`: IP address of Splunk Indexer.
- `listening port`: by default on port 9997.

Splunk username/password are: admin/changeme by default. If everything was OK, you only have to navigate to http://your-indexer-ip:splunk-port and click on the Wazuh app icon. You will be redirected to the API Configuration tab, in which you will have to set up the Wazuh API IP, port and credentials. After this, a green light might appear and the app should run properly. Please, let me know if you're still in trouble after doing the steps.
Regards, Manu
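As an added example (not code from the wazuh-splunk project or from either participant), the following script checks a forwarder's inputs.conf and props.conf against the stanzas listed in the steps above, so a misconfiguration can be found before restarting Splunk. It also encodes the Splunk Enterprise version requirement that resolves this thread. The .conf parser, the check functions and the sample configurations are all assumptions constructed for this example; the stanza names and values are taken from the instructions above.

```python
"""Validate the Universal Forwarder stanzas from the installation steps.

Added example, not part of the wazuh-splunk project: parses Splunk-style
.conf text, checks the inputs.conf / props.conf stanzas the instructions
call for, and checks the Splunk Enterprise version requirement (>= 6.6).
"""
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

# Stanza names and values prescribed by the instructions above.
ALERTS_MONITOR = "monitor:///var/ossec/logs/alerts/alerts.json"
EXPECTED_INPUT = {"disabled": "0", "index": "wazuh", "sourcetype": "wazuh"}
EXPECTED_PROPS = {"INDEXED_EXTRACTIONS": "json", "KV_MODE": "none"}
MIN_SPLUNK_VERSION = (6, 6)  # the app needs Splunk Enterprise > 6.6.x


def parse_conf(text: str) -> Conf:
    """Parse Splunk-style .conf text: [stanza] headers, key = value lines and
    '#' comments. Within one file a later duplicate key overwrites an earlier one."""
    conf: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            conf.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or a malformed line
        key, _, value = line.partition("=")
        conf[current][key.strip()] = value.strip()
    return conf


def check_inputs(inputs_text: str) -> List[str]:
    """Return the problems found in the forwarder's inputs.conf (empty if OK)."""
    conf = parse_conf(inputs_text)
    stanza = conf.get(ALERTS_MONITOR)
    if stanza is None:
        return [f"missing stanza [{ALERTS_MONITOR}]"]
    problems = []
    for key, want in EXPECTED_INPUT.items():
        got = stanza.get(key)
        if got is None:
            problems.append(f"{key} not set (expected {want})")
        elif got != want:
            problems.append(f"{key} = {got} (expected {want})")
    if "host" not in stanza:
        problems.append("host not set (expected the Wazuh manager hostname)")
    return problems


def check_props(props_text: str) -> List[str]:
    """Return the problems found in the [wazuh] sourcetype stanza of props.conf."""
    stanza = parse_conf(props_text).get("wazuh")
    if stanza is None:
        return ["missing stanza [wazuh]"]
    return [f"{k} = {stanza.get(k)} (expected {v})"
            for k, v in EXPECTED_PROPS.items() if stanza.get(k) != v]


def splunk_version_supported(version: str) -> bool:
    """True if a Splunk Enterprise version string (e.g. '7.1.0') meets >= 6.6."""
    nums = [int(p) for p in version.split(".")]
    nums += [0] * (2 - len(nums))  # pad '7' to (7, 0)
    return tuple(nums[:2]) >= MIN_SPLUNK_VERSION


# Constructed samples: the stanzas exactly as the instructions give them.
GOOD_INPUTS = """\
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 0
host = wazuhmanager
index = wazuh
sourcetype = wazuh
"""
GOOD_PROPS = """\
[wazuh]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
category = Application
disabled = false
pulldown_type = true
"""
# Constructed sample of a forwarder left disabled and pointed at the wrong index.
BAD_INPUTS = """\
[monitor:///var/ossec/logs/alerts/alerts.json]
disabled = 1
index = main
sourcetype = wazuh
"""

if __name__ == "__main__":
    print("inputs.conf:", check_inputs(GOOD_INPUTS) or "OK")
    print("props.conf:", check_props(GOOD_PROPS) or "OK")
    print("broken inputs.conf:", check_inputs(BAD_INPUTS))
    print("Splunk 6.4.3 supported:", splunk_version_supported("6.4.3"))
```

Point the check functions at the text of $SPLUNKFORWARDER_HOME/etc/system/local/inputs.conf and props.conf; an empty list means the stanzas match the instructions, while the Splunk version check separates a configuration problem from the unsupported-version case that turned out to be the cause here.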
@manuasir Hello, I have already done all of the above configuration, but when I click on the application, it still appears as in the figure above.

@manuasir Is this related to my Splunk version? I use version 6.4.3 of Splunk.
Hi @kulozzzz ,
Sorry for the late response. Unfortunately, the Wazuh app for Splunk works with Splunk Enterprise versions greater than v6.6.x. I'd recommend you upgrade to the latest version, v7.1.0, in order to get the latest improvements and fixes; maybe this document or this other one could be interesting if you finally decide to upgrade. Also, I will be happy to help you with the upgrade process if you need it. Thank you for your patience and please, do not hesitate to open a new issue in the future.
Regards, Manu
@manuasir I updated our Splunk and successfully ran the Wazuh app, thanks.
Hi @kulozzzz ,
Nice to hear that. I'd like to thank you for the report; the required version for the app will be included in our README. Please, don't hesitate to open a new issue if you need it, and keep a close eye on the upcoming app release.
Regards, Manu
Hello: I downloaded the wazuh-3.2.2-2.2.0.zip directly and unzipped it to $SPLUNK_HOME/etc/app/. Edit the file inputs.conf:

Edit the file and add the following stanza on props.conf. If it doesn't exist, create it:

```
$SPLUNK_HOME/bin/splunk restart
```

After the restart is complete, go to the Wazuh app: it prompts "API configuration / Remove credentials". Is there any other configuration I haven't done yet?