Wazuh agent not sending eve.json?

Started by koushun, April 06, 2025, 12:22:56 AM

Maybe I am not understanding this, but I thought I could go to Wazuh > Threat intelligence > Threat Hunting and get an overview of Suricata events; however, it does not seem to pick up any events from /var/log/suricata/eve.json?

OPNsense firewall version:
Versions
OPNsense 25.1.4_1-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16

os-wazuh-agent installed on OPNsense firewall:
os-wazuh-agent (installed) 1.2 40.4KiB 3 OPNsense Agent for the open source security platform Wazuh
Wazuh (LXC container installed by helper script: https://community-scripts.github.io/ProxmoxVE/scripts?id=wazuh):
4.11.2
The agent installed on the firewall is marked as active in Wazuh.

Configuration file for agent installed on firewall:
cat /var/ossec/etc/ossec.conf
<ossec_config>
  <client>
    <server>
      <address>192.168.1.12</address>
      <protocol>tcp</protocol>
      <port>1514</port>
    </server>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <port>1515</port>
    </enrollment>
  </client>

  <client_buffer>
    <!-- Agent buffer options -->
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <response_timeout>30</response_timeout>
      <queue_size>16384</queue_size>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- Log analysis -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/opnsense_syslog.log</location>
  </localfile>

  <!-- Suricata -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

</ossec_config>

The necessary permissions are in place on the firewall, as root is running 'wazuh-logcollector', which is presumably able to read /var/log/suricata/eve.json?
ps aux | grep wazuh
root        35464   0.0  0.1   49484   16068  -  S    21:32       0:05.04 /var/ossec/bin/wazuh-logcollector
root        86633   0.0  0.0   23596   12032  -  I    21:32       0:00.00 /var/ossec/bin/wazuh-execd
wazuh       90197   0.0  0.1   39936   14848  -  S    21:32       0:35.77 /var/ossec/bin/wazuh-agentd
root        95620   0.0  0.1   46636   17808  -  SN   21:32       0:12.82 /var/ossec/bin/wazuh-syscheckd
root        92113   0.0  0.0   13748    2036  1  S+   23:14       0:00.00 grep wazuh

Additional information: group membership for user wazuh:
id wazuh
uid=309(wazuh) gid=309(wazuh) groups=309(wazuh)

File permissions for eve.json:
ls -al /var/log/suricata/eve.json
-rwx------  1 root wheel 15899978 Apr  5 23:16 /var/log/suricata/eve.json

There are active events being logged to eve.json, although they are not of "event_type":"alerts", but rather "event_type":"tls":
tail -f /var/log/suricata/eve.json
{"timestamp":"2025-04-05T23:18:25.645024+0200","flow_id":434493063789884,"in_iface":"vtnet1","event_type":"tls","src_ip":"p.p.p.p","src_port":13938,"dest_ip":"z.z.z.z","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}
{"timestamp":"2025-04-05T23:18:25.740509+0200","flow_id":285055222499977,"in_iface":"vtnet1","event_type":"tls","src_ip":"x.x.x.x","src_port":14301,"dest_ip":"y.y.y.y","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"CN=*.iot.eu-west-1.amazonaws.com","issuerdn":"C=US, O=Amazon, CN=Amazon RSA 2048 M01","serial":"04:83:77:02:F6:2F:7A:39:61:31:41:F2:29:7A:8E:CF","fingerprint":"5a:ee:c9:1e:e7:3c:6b:48:86:66:dc:f7:a5:0a:ea:24:49:15:cb:eb","sni":"al9fa5uwnmgg7-ats.iot.eu-west-1.amazonaws.com","version":"TLS 1.2","notbefore":"2024-08-21T00:00:00","notafter":"2025-07-28T23:59:59","ja3":{"hash":"d311fcfe5b660d59dc616e20831c55a0","string":"771,52393-49195-49196-52392-49199-49200-49161-49162-49171-49172-156-157-47-53,65281-0-23-13-5-11-10,29-23-24,0"},"ja3s":{"hash":"e36e593c5f33a620e2c9d3801f61be4a","string":"771,49199,0-11-65281-23"}}}


Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Yay, ChatGPT to the rescue.

So I learned today that Wazuh basically only lists *alerts*.

I confirmed that Wazuh receives events from eve.json by kind of following https://benheater.com/integrating-pfsense-with-wazuh/

Wazuh > Server Management > Rules > Add new rules file

Suricata-Overrides.xml
<!-- Modify it at your will. -->

<group name="ids,suricata,">

    <!--
    {"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}
    -->
 
    <rule id="86604" level="7" overwrite="yes">
        <if_sid>86600</if_sid>
        <field name="event_type">^tls$</field>
        <description>Suricata: TLS.</description>
    </rule>

</group>

Then I could go Wazuh > Explore > Discover and under wazuh-alerts-* index filter by "rule.id: 86604", and I saw TLS type of events.
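To make the behaviour described above concrete (the agent does forward eve.json, but only rule matches whose level reaches the alert threshold land in wazuh-alerts-*), here is a small added model of the Suricata rule chain, written for this thread rather than taken from Wazuh or the post. The rule ids, match fields and levels for 86600/86601/86604 are assumed to mirror the default Wazuh Suricata ruleset, the alert threshold of 3 is assumed to be the default log_alert_level, and the sample lines are constructed, trimmed versions of the ones quoted in the thread.

```python
"""Toy model of how Wazuh turns Suricata eve.json lines into alerts (added example)."""
import json
import re

ALERT_THRESHOLD = 3  # assumed default <log_alert_level>; level-0 rules never alert

# Child rules of base rule 86600, keyed by the regex applied to event_type:
# (rule_id, level). Assumed to mirror the default ruleset: tls is level 0 there.
DEFAULT_RULES = {r"^alert$": (86601, 3), r"^tls$": (86604, 0)}

# The thread's Suricata-Overrides.xml: same match, level raised to 7
OVERRIDE_RULES = {**DEFAULT_RULES, r"^tls$": (86604, 7)}


def match_rule(line, rules):
    """Return (rule_id, level) for one eve.json line, or None if nothing matches."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    # Base rule 86600: decoded as JSON with timestamp and event_type present
    if not event.get("timestamp") or not event.get("event_type"):
        return None
    for pattern, (rule_id, level) in rules.items():
        if re.search(pattern, event["event_type"]):
            return rule_id, level
    return 86600, 0  # matched only the base rule


def alerts_for(lines, rules):
    """Matches whose level reaches the threshold, i.e. what shows up in wazuh-alerts-*."""
    hits = (match_rule(line, rules) for line in lines)
    return [hit for hit in hits if hit and hit[1] >= ALERT_THRESHOLD]


# Constructed sample lines (shortened from the ones quoted in the thread)
SAMPLE_EVE = [
    '{"timestamp":"2025-04-05T23:18:25.645024+0200","event_type":"tls","dest_port":443}',
    '{"timestamp":"2025-04-05T23:18:25.740509+0200","event_type":"tls","dest_port":443}',
    '{"timestamp":"2016-05-02T17:46:48.515262+0000","event_type":"alert","alert":{"severity":1}}',
]

if __name__ == "__main__":
    print("default :", alerts_for(SAMPLE_EVE, DEFAULT_RULES))   # only the alert event
    print("override:", alerts_for(SAMPLE_EVE, OVERRIDE_RULES))  # tls events now included
```

With the default levels the two TLS lines are received and matched but never become alerts; with the override they appear as rule 86604 at level 7, which is what the Discover filter "rule.id: 86604" then finds.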