Forum Discussion

systemgeek
4 years ago

Monitoring Wazuh and / or Ossec

I was wondering if anyone out there is using LM to monitor Wazuh and / or Ossec-hids in any way.  I am particularly interested in monitoring to see if the agent gets disconnected from the Manager.  But any other monitoring would be helpful too.

  • Anonymous

    A couple of things to think about at the start of this journey:

    - Make sure you've searched the Exchange. If LM or anyone else wrote a LogicModule for it, it'll likely be there (at least it should be).

    - The question I tell everyone to ask themselves is "how would you get at that data today?" With fair certainty, it can be said that LM can monitor just about anything. The real question is whether or not the data can be gotten at programmatically, and how. If you can get at the data through some sort of scripted mechanism, you can write a scripted DataSource and monitor it in LM. So, is there an API? Do you get the status of the agent-manager connection by logging into a web page? Do you find out the status by logging into a server via SSH and issuing a command? Is it logged somewhere? Sent via SNMP trap? Once you answer that question, you'll be almost done.

  • Yes, I searched the Exchange and I even googled it and found nothing.

    As for scripting, I did figure out how to enable Linux Process monitoring, and with that I am able to see the processes, including the bunch of them that make up Wazuh/Ossec on a client. My current thought right now is to create a job or cron, or use Filebeat/Logstash (or something else), that can watch the logs for a disconnect. Then either set an alarm via SNMP trap, or maybe stop Wazuh/Ossec on the host, which can be caught by LM.

    Or that's my initial thought, since from what I can tell Wazuh / Ossec does not report to SNMP at all.

  • Anonymous

    Thanks for doing your homework. That helps.

    It sounds like perhaps this might be more of an event than data, leading you to look at an EventSource. You could set up a scripted EventSource that can log into the device via SSH, execute whatever you are thinking of running through cron, and grab the output. If the output contains numbers, you'd build a DataSource to track those datapoints. If the log contains an indication of failure, you would use an EventSource. The EventSource would then trigger an alert for each offending line in the output.
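As an added example (not from either poster, LogicMonitor, or the Wazuh project), here is the kind of script the EventSource above could run over the agent-side ossec.log: it reports only connection-state transitions, so a burst of retry warnings produces one alert rather than one per line. The sample log lines are constructed and only loosely patterned on agent log wording (which varies by version), the match strings are assumptions to adjust for your install, and the `{"events": [...]}` output shape with `happenedOn`/`severity`/`message` is my recollection of LM's scripted EventSource format, to be checked against your documentation.

```python
import json
import re

# Constructed sample of agent-side ossec.log lines; wording is illustrative,
# not copied from a real Wazuh/OSSEC install, and varies by version.
SAMPLE_LOG = """\
2021/03/02 10:00:01 wazuh-agentd: INFO: Connected to the server ([10.0.0.5]:1514/tcp).
2021/03/02 10:07:14 wazuh-agentd: WARNING: Waiting for server reply (not started). Tried: '10.0.0.5'.
2021/03/02 10:07:44 wazuh-agentd: WARNING: Waiting for server reply (not started). Tried: '10.0.0.5'.
2021/03/02 10:09:10 wazuh-agentd: INFO: Connected to the server ([10.0.0.5]:1514/tcp).
2021/03/02 10:20:00 wazuh-agentd: ERROR: Lost connection with manager. Setting lock.
2021/03/02 10:20:30 wazuh-agentd: WARNING: Waiting for server reply (not started). Tried: '10.0.0.5'.
"""

# "<date> <time> <daemon>: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+?): (\w+): (.*)$")
# Assumed indicator substrings; tune these to the messages your agent version emits.
DISCONNECT_PATTERNS = ("Waiting for server reply", "Lost connection with manager")
CONNECT_PATTERNS = ("Connected to the server",)

def connection_events(log_text):
    """Return (timestamp, severity, message) tuples, emitted only when the
    agent's manager connection changes state, not for every matching line."""
    events, connected = [], None   # None: state unknown until the first matching line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _daemon, _level, msg = m.groups()
        if any(p in msg for p in DISCONNECT_PATTERNS):
            if connected is not False:            # first sign of loss since last connect
                events.append((ts, "error", "Agent lost contact with manager: " + msg))
                connected = False
        elif any(p in msg for p in CONNECT_PATTERNS):
            if connected is False:                # recovery after a recorded loss
                events.append((ts, "warn", "Agent reconnected to manager: " + msg))
            connected = True
    return events

def to_eventsource_json(events):
    """Serialize in the {"events": [...]} shape (assumed) a scripted EventSource reads."""
    return json.dumps({"events": [
        {"happenedOn": ts, "severity": sev, "message": msg} for ts, sev, msg in events]})

if __name__ == "__main__":
    print(to_eventsource_json(connection_events(SAMPLE_LOG)))
```

In the SSH-collected variant, replace SAMPLE_LOG with the captured output of something like `tail -n 500 /var/ossec/logs/ossec.log` and persist the last seen state between polls so transitions are not re-reported.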