wazuh / wazuh-documentation


Wazuh - Project documentation

Home Page: https://wazuh.com


wazuh-documentation's Introduction

Wazuh


Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.

The Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes the data gathered by the agents. In addition, Wazuh is fully integrated with the Elastic Stack, providing a search engine and data visualization tool that lets users navigate through their security alerts.

Wazuh capabilities

A brief presentation of some of the more common use cases of the Wazuh solution.

Intrusion detection

Wazuh agents scan the monitored systems looking for malware, rootkits and suspicious anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as well as inconsistencies in system call responses.

In addition to agent capabilities, the server component uses a signature-based approach to intrusion detection, using its regular expression engine to analyze collected log data and look for indicators of compromise.

Log data analysis

Wazuh agents read operating system and application logs, and securely forward them to a central manager for rule-based analysis and storage. When no agent is deployed, the server can also receive data via syslog from network devices or applications.

The Wazuh rules help make you aware of application or system errors, misconfigurations, attempted and/or successful malicious activities, policy violations and a variety of other security and operational issues.

File integrity monitoring

Wazuh monitors the file system, identifying changes in content, permissions, ownership, and attributes of files that you need to keep an eye on. In addition, it natively identifies users and applications used to create or modify files.

File integrity monitoring capabilities can be used in combination with threat intelligence to identify threats or compromised hosts. In addition, several regulatory compliance standards, such as PCI DSS, require it.

Vulnerability detection

Wazuh agents pull software inventory data and send this information to the server, where it is correlated with continuously updated CVE (Common Vulnerabilities and Exposures) databases, in order to identify well-known vulnerable software.

Automated vulnerability assessment helps you find the weak spots in your critical assets and take corrective action before attackers exploit them to sabotage your business or steal confidential data.

Configuration assessment

Wazuh monitors system and application configuration settings to ensure they are compliant with your security policies, standards and/or hardening guides. Agents perform periodic scans to detect applications that are known to be vulnerable, unpatched, or insecurely configured.

Additionally, configuration checks can be customized to align properly with your organization. Alerts include recommendations for better configuration, references and mappings to regulatory compliance standards.

Incident response

Wazuh provides out-of-the-box active responses to perform various countermeasures to address active threats, such as blocking access to a system from the threat source when certain criteria are met.

In addition, Wazuh can be used to remotely run commands or system queries, identifying indicators of compromise (IOCs) and helping perform other live forensics or incident response tasks.

Regulatory compliance

Wazuh provides some of the necessary security controls to become compliant with industry standards and regulations. These features, combined with its scalability and multi-platform support, help organizations meet technical compliance requirements.

Wazuh is widely used by payment processing companies and financial institutions to meet PCI DSS (Payment Card Industry Data Security Standard) requirements. Its web user interface provides reports and dashboards that can help with this and other regulations (e.g. GPG13 or GDPR).

Cloud security

Wazuh helps monitor cloud infrastructure at the API level, using integration modules that pull security data from well-known cloud providers such as Amazon AWS, Azure or Google Cloud. In addition, Wazuh provides rules to assess the configuration of your cloud environment, easily spotting weaknesses.

In addition, Wazuh's lightweight, multi-platform agents are commonly used to monitor cloud environments at the instance level.

Container security

Wazuh provides security visibility into your Docker hosts and containers, monitoring their behavior and detecting threats, vulnerabilities and anomalies. The Wazuh agent has native integration with the Docker engine allowing users to monitor images, volumes, network settings, and running containers.

Wazuh continuously collects and analyzes detailed runtime information, alerting, for example, on containers running in privileged mode, vulnerable applications, a shell running in a container, changes to persistent volumes or images, and other possible threats.

WUI

The Wazuh WUI provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Wazuh configuration and to monitor its status.

Screenshots (images not included in this copy): Modules overview; Security events overview; Integrity monitoring overview; Vulnerability detection overview; Regulatory compliance overview; Agents overview; Agent summary overview.

Orchestration

Here you can find all the automation tools maintained by the Wazuh team.

Branches

  • The master branch contains the latest code; be aware of possible bugs on this branch.
  • The stable branch corresponds to the latest Wazuh stable version.

Software and libraries used

| Software | Version | Author | License |
|---|---|---|---|
| bzip2 | 1.0.8 | Julian Seward | BSD License |
| cJSON | 1.7.12 | Dave Gamble | MIT License |
| cPython | 3.10.13 | Guido van Rossum | Python Software Foundation License version 2 |
| cURL | 8.5.0 | Daniel Stenberg | MIT License |
| Flatbuffers | 23.5.26 | Google Inc. | Apache 2.0 License |
| GoogleTest | 1.11.0 | Google Inc. | 3-Clause "New" BSD License |
| jemalloc | 5.2.1 | Jason Evans | 2-Clause "Simplified" BSD License |
| Lua | 5.3.6 | PUC-Rio | MIT License |
| libarchive | 3.7.2 | Tim Kientzle | 3-Clause "New" BSD License |
| libdb | 18.1.40 | Oracle Corporation | Affero GPL v3 |
| libffi | 3.2.1 | Anthony Green | MIT License |
| libpcre2 | 10.42.0 | Philip Hazel | BSD License |
| libplist | 2.2.0 | Aaron Burghardt et al. | GNU Lesser General Public License version 2.1 |
| libYAML | 0.1.7 | Kirill Simonov | MIT License |
| liblzma | 5.4.2 | Lasse Collin, Jia Tan et al. | GNU Public License version 3 |
| Linux Audit userspace | 2.8.4 | Rik Faith | LGPL (copyleft) |
| msgpack | 3.1.1 | Sadayuki Furuhashi | Boost Software License version 1.0 |
| nlohmann | 3.7.3 | Niels Lohmann | MIT License |
| OpenSSL | 3.0.12 | OpenSSL Software Foundation | Apache 2.0 License |
| pacman | 5.2.2 | Judd Vinet | GNU Public License version 2 (copyleft) |
| popt | 1.16 | Jeff Johnson & Erik Troan | MIT License |
| procps | 2.8.3 | Brian Edmonds et al. | LGPL (copyleft) |
| RocksDB | 8.3.2 | Facebook Inc. | Apache 2.0 License |
| rpm | 4.18.2 | Marc Ewing & Erik Troan | GNU Public License version 2 (copyleft) |
| sqlite | 3.45.0 | D. Richard Hipp | Public Domain (no restrictions) |
| zlib | 1.3.1 | Jean-loup Gailly & Mark Adler | zlib/libpng License |

Documentation

Get involved

Become part of the Wazuh community to learn from other users, participate in discussions, talk to our developers and contribute to the project.

If you want to contribute to our project, please don't hesitate to make pull requests, submit issues or send commits; we will review all your questions.

You can also join our Slack community channel and mailing list by sending an email to [email protected], to ask questions and participate in discussions.

Stay up to date on news, releases, engineering articles and more.

Authors

Wazuh Copyright (C) 2015-2023 Wazuh Inc. (License GPLv2)

Based on the OSSEC project started by Daniel Cid.

wazuh-documentation's People

Contributors

alberpilot, albertomn86, arcapas, chantal-kelm, chemamartinez, crolopez, davidfmiranda, davidjiglesias, desvelao, dfolcha, dkempny, fdalmaup, jaochaos, javimed, jesuslinares, jmv74211, juanjijg, luiscontrerasdo, m3libea, marvergara, mcarmona99, pilarquesada, rauldpm, s-ocando, santiago-bassett, selutario, snaow, vamera, vicferpoy, vikman90


wazuh-documentation's Issues

Include more OS in Getting started - wazuh agent page

Hello

I think that we could add other OSes to the sentence:

The agents can be used to monitor physical servers, virtual machines and cloud instances (e.g. Amazon AWS, Azure or Google Cloud). Pre-compiled agent installation packages are available for Linux, AIX, Solaris, Windows, and Darwin (Mac OS X).

so we could add: HP-UX, AIX.
Thanks!

Add packages list for Kibana and Splunk apps

Just like we have package lists for the Wazuh manager, API and agent components, and a WPK list, we need to add package lists for the two Wazuh apps (Kibana and Splunk).

Regards,
Juanjo

Problems in `Running API as service`

There are two problems I encountered when I followed the section running-api-as-service in ossec_api_installation.

  • sudo /var/ossec/api/scripts/install_daemon.sh will not work. The error message is:

    sed: can't read wazuh-api: No such file or directory

    The following works instead:

    cd /var/ossec/api/scripts
    ./install_daemon.sh

  • The function status in wazuh-api is empty...

AES encryption for manager-agent connection

Add new option to the reference section as well as the necessary documentation about the new crypto method supported.

<client>
    ...
    <crypto_method>aes|blowfish</crypto_method>

@avinash-gudagi: Please put a note about the CloudTrail digest

Referring to #PR 23

Quoting @avinash-gudagi

I was using your script to get AWS logs of CloudTrail from a bucket and then use OSSEC to monitor these trails. I noticed that the S3 bucket also contained logs about cloudtrail-digest. The getawslog.py script throws an exception. Just sending a pull request to mention this in a note.

./getawslog.py -b cloudtrails-ossec -d -j -D -l /home/ubuntu/cloudtrail-logs/amazon.log
+++ Debug mode on
+++ Connecting to Amazon S3
+++ Found new log: 072477793200_CloudTrail-Digest_ap-northeast-1_Test-trail_us-west-2_20160802T142331Z.json.gz
Traceback (most recent call last):
  File "./getawslog.py", line 101, in <module>
    main(sys.argv[1:])
  File "./getawslog.py", line 80, in main
    records = j["Records"]
KeyError: 'Records'

Let me take a look at it and I will update you in a few minutes.

Documentation: <group....> ...</group> required in local_rules.xml

When I follow the instructions for changing an existing rule in the documentation, I get this error when running ossec-logtest:

# /var/ossec/bin/ossec-logtest
...
2018/01/28 08:26:29 ossec-testrule: ERROR: rules_op: Invalid root element "rule".Only "group" is allowed
2018/01/28 08:26:29 ossec-testrule: CRITICAL: (1220): Error loading the rules: 'ruleset/rules/local_rules.xml'.

The rule I am changing comes from 0155-dovecot_rules.xml. If I copy the <group...> wrapper and settings from that file into local_rules.xml, ossec-logtest succeeds:

<group name="dovecot,">
  <rule id="9706" level="0" overwrite="yes">
    <if_sid>9700</if_sid>
    <match>: Disconnected: </match>
    <description>Dovecot Session Disconnected.</description>
    <group>pci_dss_10.2.5,pci_dss_8.1.5,pci_dss_8.1.8,gpg13_7.1,</group>
  </rule>
</group>

Todo:

Questions:

  • Is the group "name" important -- that is, does it need to match the group name of the original rule?
  • If the group name does not need to match, should the group name in "local_rules.xml" be set to something like "local_rules,"?
  • If the group name needs to (or should) match, can there be multiple <group...> entries in local_rules.xml -- in case I need to change rules from multiple groups?
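As an added illustration (not part of this issue or of the Wazuh project), the following Python script checks a local_rules.xml candidate for the condition ossec-logtest complains about above and builds an overriding rule the way the reporter did by hand: copied from the stock file, kept inside a <group> carrying the stock file's group name, with overwrite="yes". The ruleset excerpt is constructed from the rule quoted above; the checks cover only what the error message states and do not settle the group-name questions.

```python
import copy
import xml.etree.ElementTree as ET
from typing import List


def _parse_rule_file(xml_text: str) -> ET.Element:
    """Parse a ruleset file. Rule files are a sequence of top-level elements
    rather than one document, so wrap them in a synthetic root (assumes no
    <?xml ?> declaration in the text)."""
    return ET.fromstring(f"<ruleset>{xml_text}</ruleset>")


def validate_local_rules(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passes these checks.

    Mirrors the condition in the ossec-testrule error above: every top-level
    element must be <group>, and each <rule> needs a numeric id and level.
    """
    problems: List[str] = []
    try:
        wrapper = _parse_rule_file(xml_text)
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]
    for top in wrapper:
        if top.tag != "group":
            problems.append(f'Invalid root element "{top.tag}". Only "group" is allowed')
            continue
        if not top.get("name"):
            problems.append("<group> without a name attribute")
        for rule in top.iter("rule"):
            rid, level = rule.get("id"), rule.get("level")
            if not (rid and rid.isdigit()):
                problems.append("rule without a numeric id attribute")
            if not (level and level.isdigit()):
                problems.append(f"rule {rid}: missing or non-numeric level")
    return problems


def build_override(stock_xml: str, rule_id: str, new_level: str) -> str:
    """Copy rule `rule_id` out of a stock ruleset, wrapped in a <group> with the
    stock file's group name, with overwrite="yes" and the requested level.
    This reproduces the manual fix the reporter describes for rule 9706."""
    for group in _parse_rule_file(stock_xml):
        if group.tag != "group":
            continue
        for rule in group.iter("rule"):
            if rule.get("id") == rule_id:
                new_group = ET.Element("group", {"name": group.get("name", "")})
                new_rule = copy.deepcopy(rule)
                new_rule.set("overwrite", "yes")
                new_rule.set("level", new_level)
                new_rule.tail = "\n"
                new_group.text = "\n"
                new_group.append(new_rule)
                return ET.tostring(new_group, encoding="unicode")
    raise LookupError(f"rule {rule_id} not found in stock ruleset")


# Constructed excerpt modelled on rule 9706 of 0155-dovecot_rules.xml as quoted above.
STOCK_DOVECOT_EXCERPT = """
<group name="dovecot,">
  <rule id="9706" level="0">
    <if_sid>9700</if_sid>
    <match>: Disconnected: </match>
    <description>Dovecot Session Disconnected.</description>
    <group>pci_dss_10.2.5,pci_dss_8.1.5,pci_dss_8.1.8,gpg13_7.1,</group>
  </rule>
</group>
"""

# Constructed: the rule pasted without its <group> wrapper, which is what
# triggers the 'Invalid root element "rule"' error quoted above.
BARE_RULE_LOCAL_RULES = """
<rule id="9706" level="0" overwrite="yes">
  <if_sid>9700</if_sid>
  <match>: Disconnected: </match>
  <description>Dovecot Session Disconnected.</description>
</rule>
"""

if __name__ == "__main__":
    print("bare rule:", validate_local_rules(BARE_RULE_LOCAL_RULES))
    fixed = build_override(STOCK_DOVECOT_EXCERPT, "9706", "3")
    print(fixed)
    print("wrapped rule:", validate_local_rules(fixed))
```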

Agent health check

In previous versions, the agent would log this:

2017/12/15 23:15:29 ossec-agentd(4102): INFO: Connected to the server (172.31.17.4:1514).

And that was my "All's well."

The new version doesn't log that. What is the modern equivalent?

Wazuh Alert Level Description

Hello, I am trying to learn about the Wazuh ruleset and create my own ruleset, but I need to know the description of every level which is written in the core ruleset of Wazuh.

Feedback

Just want some feedback on a few changes that I've put here.

Ideas for new template

  1. Include specific instructions for each OS you support w/ packages. (Which are those?)
  2. Add curl commands to test functionality
  3. File creations & initial contents should be easily executable via the command line.
  4. Maybe build out installation instructions for each type of machine? manager, agent, api, elastic+kibana? If we build out more comprehensive instructions it might be a good idea to break them out into their own documentation.

MSI doesn't know SERVER_IP

Hello! According to the documentation the MSI should use SERVER_IP from the command line, but in reality it uses ADDRESS.

Update new cluster documentation

Hello team,

The new cluster has changed for the next version of Wazuh, so now we need to update the documentation to reflect the new configuration options and the How it works section.

This issue will track the progress on the new documentation for this.

Currently defined tasks:

  • Remove "all cluster nodes must have the same date" note - fcbf5b3
  • Update "How it works" section - d20d429
  • Update "Master" subsection from "How it works" section - 8645f31
  • Make a flow diagram of how the cluster works - d20d429
  • Update "Client" subsection from "How it works" section - 4e86004
  • Remove wazuh-clusterd-internal daemon and update wazuh-clusterd daemon from daemons section - 8eb64bb 2a30d32
  • Update cluster_control section - bf7c345
  • Remove cluster database section - d074398
  • Update "use case & how to install" section - 043bd5a
  • Update "how to install on centos6" section - 08a380e
  • Add "how to update cluster" section - db95f25
  • Update cluster configuration section - 45b7d9e
  • Update cluster API calls - 3c246e8

Best regards,
Marta

ossec_amazon

Hey guys,
I've found a bunch of things with http://documentation.wazuh.com/en/latest/ossec_amazon.html

  1. After installing awscli and boto, getawslog.py still doesn't work - the error is related to AWS credentials. I was able to fix it only by creating a .boto file (http://boto.cloudhackers.com/en/latest/getting_started.html - Configuring Boto Credentials section). After that I did pip uninstall awscli and everything still works fine. Looks like one doesn't even have to install it.
  2. Security IAM rules: "Give the user(s) permission to manage security policies, press Attach Policy and select AmazonS3FullAccess policy." is definitely not the best way to do things. If you don't mind I can create a pull request with a tighter IAM policy example, which will allow only read and delete access to a specific bucket and only list this particular bucket. Also in this case getawslog.py should be adjusted a bit, as it would not be able to list all buckets in the account. I could do a pull request for this too.
  3. The CloudTrail "Enable log file validation" parameter has to be configured as NO. If YES, then getawslog.py fails with the error provided below (line numbers are different as I modified the script a bit):

     Traceback (most recent call last):
       File "./getawslog.py", line 100, in <module>
         main(sys.argv[1:])
       File "./getawslog.py", line 77, in main
         records = j["Records"]
     KeyError: 'Records'

  4. Let's assume everything with getawslog.py works fine and we have amazon.log filled with data. What should happen next? Which part of the software has to read the data in this file? I suppose ossec-agent has to be configured somehow, but I'm not yet sure about this. Could you please shed some light here?

Thanks for your work, guys.
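Both CloudTrail issues above hit the same failure: CloudTrail-Digest objects are valid JSON without a "Records" array, so j["Records"] raises KeyError and the whole run aborts. The following Python example, added here and not part of getawslog.py or the Wazuh project, classifies objects by their key, skips digests and records a status per object instead of crashing; the sample bucket contents, the key names and the 111122223333 account id are constructed.

```python
import gzip
import json
import re
from typing import Dict, List, Tuple

# CloudTrail digest objects live under a "CloudTrail-Digest" prefix and carry
# "_CloudTrail-Digest_" in their file name (see the key in the traceback above).
DIGEST_RE = re.compile(r"(^|/|_)CloudTrail-Digest(_|/)")


def classify_key(key: str) -> str:
    """Return 'digest', 'log' or 'other' for an S3 object key."""
    if DIGEST_RE.search(key):
        return "digest"
    if key.endswith((".json.gz", ".json")):
        return "log"
    return "other"


def load_object(key: str, body: bytes) -> object:
    """Decompress the body if the key says gzip, then parse it as JSON."""
    if key.endswith(".gz"):
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))


def extract_records(key: str, body: bytes) -> Tuple[List[dict], str]:
    """Return (records, status) for one object instead of raising.

    status: 'ok' (log object, records filled), 'digest' (skipped on purpose),
    'no_records' (JSON without a "Records" array), 'bad_body' (not JSON/gzip),
    'other' (not a CloudTrail JSON object at all). The original script indexed
    j["Records"] unconditionally, which is the KeyError both reporters hit.
    """
    kind = classify_key(key)
    if kind != "log":
        return [], kind
    try:
        doc = load_object(key, body)
    except (OSError, EOFError, ValueError):
        return [], "bad_body"
    records = doc.get("Records") if isinstance(doc, dict) else None
    if not isinstance(records, list):
        return [], "no_records"
    return records, "ok"


def process_bucket_listing(objects: Dict[str, bytes]) -> Tuple[List[dict], Dict[str, int]]:
    """Walk every (key, body) pair, collecting events and a per-status tally."""
    events: List[dict] = []
    tally: Dict[str, int] = {}
    for key, body in objects.items():
        records, status = extract_records(key, body)
        tally[status] = tally.get(status, 0) + 1
        events.extend(records)
    return events, tally


def _gz(obj: dict) -> bytes:
    return gzip.compress(json.dumps(obj).encode("utf-8"))


# Constructed sample bucket contents (not real AWS data; 111122223333 is a
# placeholder account id). Key names mimic the layout seen in the issue.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    # Log object: carries the "Records" array getawslog.py expects.
    "AWSLogs/111122223333/CloudTrail/us-west-2/2016/08/02/"
    "111122223333_CloudTrail_us-west-2_20160802T1420Z_sample.json.gz": _gz({
        "Records": [
            {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com"},
            {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"},
        ]
    }),
    # Digest object: valid JSON but no "Records" key -> KeyError in the original.
    "AWSLogs/111122223333/CloudTrail-Digest/us-west-2/2016/08/02/"
    "111122223333_CloudTrail-Digest_us-west-2_sample_20160802T142331Z.json.gz": _gz({
        "digestStartTime": "2016-08-02T13:23:31Z",
        "digestEndTime": "2016-08-02T14:23:31Z",
        "logFiles": [],
    }),
    # Unrelated object in the same bucket: ignored rather than parsed.
    "AWSLogs/111122223333/README.txt": b"not a CloudTrail object",
}

if __name__ == "__main__":
    evs, counts = process_bucket_listing(SAMPLE_OBJECTS)
    print(f"{len(evs)} events collected; statuses: {counts}")
```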

elasticsearch: document config requirements during upgrade

Elasticsearch will not start after doing the upgrade on a 2.1 VM appliance (CentOS 7)

Symptom: In step 3 of 'Upgrade Elasticsearch' on this page: https://documentation.wazuh.com/current/installation-guide/upgrading/different_major.html#upgrading-different-major

curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17205  100 17205    0     0  79415      0 --:--:-- --:--:-- --:--:-- 79652
curl: (7) Failed connect to localhost:9200; Connection refused

There are new required values in the elasticsearch configuration files, but yum does not overwrite the existing files during the update.

Doing this allows elasticsearch to start, allowing the install to proceed:

cd /etc/elasticsearch
mv elasticsearch.yml elasticsearch.yml.save
cp elasticsearch.yml.rpmnew elasticsearch.yml
mv jvm.options jvm.options.save
cp jvm.options.rpmnew jvm.options

Log Collector with time frequency

I'm using wazuh for my internship in. I need to collect logs and analyze them, but not every time right after the event in the log happens, because there is still no specialized network for communicating these logs in my place, and if it sends every time it can make the network crowded.
How can I set log collection with a time frequency? For example I need to collect the Apache access and error logs but only every 2 hours.

Wazuh 3.x Documentation Regarding Capabilities and VULS

I have Wazuh 3.x installed on a PC with Ubuntu 16.04 LTS Desktop, with several other Windows 10 PCs running agents, in a SOHO environment. Everything is working fine and I have just completed VirusTotal integration successfully.

I started the VULS integration installation script and immediately ran into a problem:

# /var/ossec/wodles/vuls/deploy_vuls.sh ubuntu 16

...This script will install dependencies, download VULS, download CVE and OVAL databases, and configure VULS. This deployment supports the following operating systems:...

https://documentation.wazuh.com/3.x/user-manual/capabilities/vuls.html#how-it-works

The referenced documentation above fails to mention that if you run the installation script, on a Ubuntu 16 Desktop PC, it will uninstall the Ubuntu Desktop among other things like (pardon paraphrases) ttf-mscorefonts-installer, ubuntu-desktop, update-manager, ubuntu-release-updater-gtk, update-notification-common.

I'm sure not many are running this type of software on desktop PCs but it would have been helpful to get a warning.

Just thought someone should know.

Kibana plugin install-proxy

Hi,
Following the documentation I installed the Wazuh App plugin for Kibana with the command below:

$ /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp.zip

but unfortunately I obtain this error:

Error: Client request error: connect EHOSTUNREACH 54.230.128.120:443 Plugin installation was unsuccessful due to error "Client request error: connect EHOSTUNREACH 54.230.128.120:443"

So I have tried the local installation.
After the download with the command:

/usr/share/kibana/bin/kibana-plugin install wazuhapp url file:///tmp/wazuhapp.zip

I also get this error:

Attempting to transfer from wazuhapp Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/wazuhapp/wazuhapp-5.5.2.zip Error: Client request error: connect ETIMEDOUT 54.243.108.41:443 Plugin installation was unsuccessful due to error "Client request error: connect ETIMEDOUT 54.243.108.41:443"

Do you have any suggestion for installing the plugin through a proxy? Many thanks.

Hardware recommendation

There isn't much documented regarding the recommended hardware (RAM, CPU cores, disk size) setup for Wazuh server and Elasticsearch nodes. This could include recommendations based on the number of machines which need to be monitored.

Improve documentation for database output

The documentation to configure the alert output to the database is not sufficient. The explanation given in wazuh/wazuh#569 may be helpful.

Pending tasks

  • Elaborate a list of steps for both MySQL and PostgreSQL. The list must be minimal but sufficient to properly configure database output:
    • MySQL:
      • Required configuration
      • Wazuh configuration block
    • PostgreSQL:
      • Required configuration
      • Wazuh configuration block

Step 4 of Upgrade Elastic from 2 to 4 is pointing to a wrong document

If we follow the upgrade steps from ELK 2 to ELK 5, there is an error with the step 4 link.
We start at:
https://documentation.wazuh.com/current/installation-guide/upgrading/index.html
then we choose "Upgrade from a legacy version":
https://documentation.wazuh.com/current/installation-guide/upgrading/legacy/index.html#upgrading-wazuh-legacy
then we click on "Upgrade from Elastic Stack 2.x to 5.x"
https://documentation.wazuh.com/current/installation-guide/upgrading/legacy/upgrading-elastic-stack.html#upgrade-from-elastic-stack-2-x-to-5-x
and the step 4 is:

At this point, you are ready to install the new version of Elastic Stack. Follow the appropriate link below for installation instructions for your specific operating system:

Install Elastic Stack with RPM packages
Install Elastic Stack with DEB packages

Both links point to an Elastic Stack version 6 installation. These links must point to the version 5 documentation (Wazuh 2.1 documentation).

Best regards,
Alberto R.

API PowerShell script

Hi everyone,
when I try to add an agent with the PowerShell script I get the following error

IE has not had it's initial startup dialogue dismissed, please complete this step and try again. Script will exit. Error: $($geterr)`n .Please Run OSSEC_AgentConfig Seperately once you correct the error

In the code I saw that this error is in Test API integration, but I checked the correctness of the configuration part with APIaddress, Wazuh manager IP, username and password.
So how can I proceed?

And could you explain this phrase to me better:

Test API integration to make sure IE has run through initial startup dialogue - This can be a problem with new servers

Many thanks

What's the difference between Single Host and Distributed Architecture?

Hi Wazuh Team!

I have some questions regarding the Architecture section of the Wazuh documentation. It's been bugging me for days, because the Wazuh documentation states that the Single Host architecture is recommended for small Wazuh deployments (<50 agents); quoting from the Wazuh documentation:

In smaller Wazuh deployments, Wazuh and Elastic Stack with a single-node Elasticsearch instance can all be deployed on a single server. In this scenario, Logstash can read the Wazuh alerts and/or archived events directly from the local file system and feed them into the local Elasticsearch instance.

Compare it with the Distributed ones quoted from wazuh doc :

An Elasticsearch cluster is a collection of one or more nodes (servers) that communicate with each other to perform read and write operations on indexes. Small Wazuh deployments (<50 agents), can easily be handled by a single-node cluster. Multi-node clusters are recommended when there is a large number of monitored systems, when a large volume of data is anticipated and/or when high availability is required.

When the Wazuh server and the Elasticsearch cluster are on different hosts, Filebeat is used to securely forward Wazuh alerts and/or archived events to the Elasticsearch server(s) using TLS encryption.

I do not fully understand the difference between these two architectures, especially the advantages and disadvantages of each. My summary of both architectures:

  • Single-Host
    1. More recommended for a small architecture.
    2. Elastic and the Wazuh manager are on the same machine.
  • Distributed
    1. Strongly recommended for a bigger architecture.
    2. Has Filebeat to encrypt the forwarded logs.
    3. More capable of handling many agents and logs.
    4. Elastic and Wazuh are on separate machines.

I mean, what if I used the distributed architecture on a small deployment, such as when I only have 5 agents that I want to monitor and only one OSSEC server: is it prohibited? I ask this because I always see some people who use the Distributed architecture even in smaller deployments. I just want to make sure that what I concluded was correct, or am I missing something?

What's the matter with Wazuh and ELK on different machines? I know that the answer would be "because in some condition you just want to do it that way"; I mean, is there any condition that isn't stated in the Wazuh documentation, like you want to do it because of that or because of this, or because "when machine A which has ELK got infected by a virus, fortunately it was separate from machine B which has OSSEC on it, so my log data and configuration are untouched/safe from the virus, thank god".

Regards
fathin

error import gpg key

Hi,

I am trying to install ossec-hids-agent on Debian stretch following this link
https://github.com/wazuh/wazuh-documentation/blob/master/source/ossec_installation_deb.rst

but after apt-get update I get

W: GPG error: https://ossec.wazuh.com/repos/apt/debian stretch InRelease: The following signatures were invalid: 9FE55537D1713CA519DFB85114B9C8DB9A1B1C65
W: The repository 'https://ossec.wazuh.com/repos/apt/debian stretch InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Did I forget something?
many thanks!!

kind regards

Rename repository

Hello, is it possible to rename repo to something like ossec-documentation ?
Because the fork looks a bit strange - netflash/documentation - not really related to anything.

Add CONTRIBUTING.md file to the documentation repository

Hello team,

As the documentation is a collaborative project, it needs organization in how we manage and use the branches to add new articles and sections to the Wazuh documentation.

A CONTRIBUTING.md file is needed to describe this contribution process to ensure good maintainability in this repository.

Regards,
Juanjo

When to use which? (and some other questions and comments)

(sorry for over-loading the Issue)

When does one choose the "OSSEC HIDS" container versus the "OSSEC-ELK" container?

I'm guessing that since the WUI is abandoned and I don't have an ELK of my own, I want OSSEC-ELK, but even if I'm correct, shouldn't that be in the doc somewhere?

Where's the dashboard? I see 5 ports being mapped to the container, but which one is the dashboard? I'll try my browser against them all, but shouldn't that go in the doc, too?

In my opinion, the section that gives credit to xetus-oss should not be in the middle of the Docker installation section. It could be first, or before the container sections, or in the head of each container section, instead.

Last, I wish there was a "bunny slope", a guide for impatient geeks. There are lots of setup choices, and I'm hoping the container is the simplest and fastest.

Thank you for making it easy to offer feedback!

Agent registration in cluster

Hello all,

Our cluster documentation lacks information about agent registration. I think a subsection should be added in the "Configuring a cluster" page.

Best regards,
Marta

ADD NEW API error

When I add a new API and click save, I get the error message "Invalid user field". What can I do? Thank you!

ossec-awscloudtrail issue

This is in continuation of #11. As mentioned already,

I too have got the same problem as others on #11. Even after using the new rules/decoders I am still stuck with "Unknown problem somewhere in the system". The amazon decoder is working but the rule is being satisfied. For example, my logs had events of creating users and although the rule "80861" should have been triggered, it only fires rule "1002".
Can you help here please, @jlruizmlg.

Directives - Menu. Error. Could not locate that index-pattern

hi:
at the top of the Wazuh page it shows "Directives - Menu. Error. Could not locate that index-pattern (id: f1175040-d5c5-11e7-8ef5-a5944cf52264), click here to re-create it"
but when I click to recreate, it doesn't work; at the same time, in the Discover page the filter "wazuh-alert-3.x-*" shows "No results found".

please tell me how to fix it, thanks~~

template_file.json not found

In the ElasticSearch section of the Install ElasticSearch with RPM Guide, step 3 includes a request for template_file.json:

$ curl https://raw.githubusercontent.com/wazuh/wazuh-kibana-app/master/server/startup/integration_files/template_file.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-

The initial curl command returns a 404, and I can't find a matching file anywhere in the Wazuh repo.

File integrity monitoring

Hi guys :)
With your help I correctly added the new agent. Now, via the Wazuh agent manager in Windows I have added the folder to monitor as follows:

<syscheck>
  [...]
  <!-- My test. -->
  <directories check_all="yes" realtime="yes" report_changes="yes" alert_new_files="yes">/test</directories>
</syscheck>

But when I create a new file in that directory no logs appear in the wazuh-alert index.

Many thanks

Syscollector documentation

Add the documentation related to the Syscollector module, including the new scans available, as well as the information retrieved for each scan and Operating System.

Update HTTP links to HTTPS where possible

Hello team,

We still have some HTTP links in our documentation articles. We should review and update them to HTTPS if it's possible and if it works.

Regards,
Juanjo

Write new documentation for the Wazuh app

We finished the first stage of Wazuh app documentation. We still need to write more articles, so the community can have more information about how to use the app.

Tasks:

  • Write an article with the package list for the Wazuh App.
  • Write an article to fully customize the Wazuh alerts to use a completely different template and pattern.
  • Write an article for the config.yml file, describing the current parameters, checks, extensions, what it does, etc. Everything related to the configuration since this file will be more complex in the future.
  • Write the troubleshooting guide, collecting all the solutions we've provided to the users on the mailing lists and writing them in an article.
  • Articles for installation, extensions, X-Pack, adding an API, etc.
  • Minor enhancements for currently existing Wazuh app documentation articles.
  • Write a new documentation section with common Wazuh App problems and their best possible solutions. Collect all the notes from helping on the mailing lists and elaborate a collaborative document.

Regards,
Juanjo
