Open mgarofano80 opened 1 year ago
I’ve also found this thread (apparently still unanswered) where a user had the same issue: Office 365 stopped generating events in the Manager, but they could still be found in `archives.json`. My issue also includes any other integration that is meant to enrich alerts and should trigger rules thereafter: https://groups.google.com/g/wazuh/c/9fg0tR5apIc/m/YNkbcsatCAAJ
I have the same problem. It receives the test logs as “sshd: Authentication succeeded from a public IP address 64.62.197.132.” and “sshd: Authentication failed from a public IP address 212.192.241.132.”, but it does not call AbuseIPDB.
We have noticed persistent issues with Wazuh's integration feature since updating to the latest release. Here's a concise summary of our observations:

- **Event Registration:** For many integrations that are meant to send back enriched events to the Wazuh manager, the events are stored in `archives.json` (when `logall` is enabled) but aren't indexed as Wazuh events, which results in them not triggering any rules.
- **Affected Integrations:** This issue isn't restricted to custom integrations. While we initially observed it with our custom integrations like MISP and AbuseIPDB, the native Office365 integration, which was functional before, now only sends events to `archives.json` without forwarding them to the manager. For instance, using the Office 365 button filter on the main dashboard or filtering events related to Office365 rules and its rule group shows no results.
- **Logging vs. Forwarding:** For integrations like AbuseIPDB that send out events (e.g., through the “report” API), everything functions as expected. However, when integrations are set to retrieve and add data to alerts, though they get logged (for example, in `ossec.log`), they aren't sent to the manager.
- **Configuration Check:** We've verified that this isn't related to decoders or rules, since they remained unchanged. The issue with the Office 365 integration emphasizes this, as it's an in-built feature that utilizes the JSON decoder with inherent rules within Wazuh. To rule out configuration errors, we even set up a new Wazuh instance from scratch, but the integration issue persists.
Please find attached a few logs:
https://pastebin.com/YzQuySLb
We hope this report helps identify the root cause. Looking forward to a resolution.
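The report above hinges on the "send back" path: an integration script hands an enriched event to analysisd over the manager's queue socket, and that event is then decoded like any other log, so it only reaches `alerts.json` (and the indexer) if some rule matches it. The following is an added example of that path, not Wazuh's own integration script and not code from this issue. It assumes the Wazuh 4.x layout (`/var/ossec/queue/sockets/queue`, a Unix datagram socket, `1:<location>:<json>` framing), an assumed location tag `custom-abuseipdb`, constructed field names, a constructed sample alert using a documentation-range IP, and an in-memory stand-in for the AbuseIPDB response so it runs offline. The `roundtrip` helper binds a throwaway socket so you can confirm exactly what bytes the manager would receive.

```python
"""Minimal custom Wazuh integration that returns an enriched event to the
manager. Added example, not Wazuh's own integration script: the install
prefix, socket path, location tag, field names and sample data are assumptions."""
import json
import os
import socket
import sys
import tempfile

# Assumed Wazuh 4.x layout: analysisd listens on a Unix datagram socket.
WAZUH_DIR = "/var/ossec"
QUEUE_SOCKET = os.path.join(WAZUH_DIR, "queue", "sockets", "queue")
LOCATION = "custom-abuseipdb"  # assumed tag; shows up as "location" on the event
QUEUE_ID = "1"                 # localfile queue id used when injecting events

# Constructed sample alert in the shape the manager writes to the integration's
# temporary alert file (documentation-range IP; every value here is made up).
SAMPLE_ALERT = {
    "id": "1700000000.12345",
    "rule": {"id": "5715", "level": 3,
             "description": "sshd: authentication success."},
    "agent": {"id": "001", "name": "web01"},
    "data": {"srcip": "203.0.113.5", "dstuser": "deploy"},
}

# Constructed stand-in for an AbuseIPDB "check" response so the example runs
# offline; a real script would call the API at this point instead.
FAKE_ABUSEIPDB = {
    "203.0.113.5": {"abuseConfidenceScore": 100, "totalReports": 42,
                    "countryCode": "XX"},
}


def build_event(alert, lookup):
    """Build the enriched event, or return None when there is nothing to add."""
    srcip = alert.get("data", {}).get("srcip")
    hit = lookup.get(srcip) if srcip else None
    if hit is None:
        return None
    return {
        "integration": LOCATION,   # the field a custom rule keys on
        "abuseipdb": {
            "srcip": srcip,
            "abuse_confidence_score": hit["abuseConfidenceScore"],
            "total_reports": hit["totalReports"],
            "country_code": hit["countryCode"],
        },
        "source": {                # pointer back to the originating alert
            "alert_id": alert.get("id"),
            "rule_id": alert.get("rule", {}).get("id"),
            "description": alert.get("rule", {}).get("description"),
            "agent": alert.get("agent", {}).get("name"),
        },
    }


def frame(location, event):
    """Wire format on the queue socket: '<queue_id>:<location>:<json>'."""
    return f"{QUEUE_ID}:{location}:{json.dumps(event)}".encode()


def parse_frame(data):
    """Inverse of frame(); used to verify what actually reached the socket."""
    _queue_id, location, payload = data.decode().split(":", 2)
    return location, json.loads(payload)


def send_to_queue(msg, sock_path=QUEUE_SOCKET):
    """Hand the framed event to analysisd; it is decoded like any other log."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(sock_path)
        sock.send(msg)


def roundtrip(msg):
    """Loopback check: bind a throwaway datagram socket, send, read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "queue")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as srv:
            srv.bind(path)
            send_to_queue(msg, path)
            return srv.recv(65536)


if __name__ == "__main__":
    # The manager invokes the script as: <script> <alert_file> <api_key> <hook_url>
    with open(sys.argv[1], encoding="utf-8") as fh:
        alert = json.load(fh)
    event = build_event(alert, FAKE_ABUSEIPDB)
    if event:
        send_to_queue(frame(LOCATION, event))
```

Because the returned event enters analysisd as a fresh log tagged with the location, `logall_json` will write it to `archives.json` whether or not anything matches it; it appears in `alerts.json` only if a rule such as one with `<decoded_as>json</decoded_as>` and `<field name="integration">custom-abuseipdb</field>` fires. When comparing the two files, the useful check is to take the exact JSON payload seen in `archives.json` and feed it to `wazuh-logtest` with the same location, which separates "the event never arrived" from "it arrived but no rule matched".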