AlienVault/Ossim integration with Wazuh

Daniil
Hi everyone,

I hope someday Alienvault will replace OSSEC with Wazuh, but for now I decided to share info on how you can connect your Wazuh setup to OSSIM/AV.

Pre-requisites:
2. AV or OSSIM accessible from WZH server.

Wazuh integration with AlienVault:

On Wazuh manager:

1. Enable local alerts logging and add custom output
# vi /var/ossec/etc/ossec.conf

<ossec_config>
  <global>
    <!-- alerts.log must be written locally so rsyslog's imfile module can tail it -->
    <alerts_log>yes</alerts_log>
    <!-- one line per alert; [INIT]...[END] delimit the raw log so its own quotes cannot break the AV plugin regex -->
    <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>
  </global>
</ossec_config>

2. Create syslog rule to send alerts to AV server:
#  vi /etc/rsyslog.d/wazuh.conf

$ModLoad imfile
$InputFilePollInterval 1

# OSSEC alerts file
$InputFileName /var/ossec/logs/alerts/alerts.log

$InputFileTag ossec-alerts:
$InputFileSeverity info
$InputFileFacility local7

# State file only visible when rsyslog stops
# State file in $WorkDirectory
$InputFileStateFile stat-ossec1
$InputRunFileMonitor

# TLS configuration
#$DefaultNetstreamDriver gtls

#$DefaultNetstreamDriverCAFile /root/certificates/ca.pem
#$DefaultNetstreamDriverCertFile /root/certificates/cert-soc-collector1.pem
#$DefaultNetstreamDriverKeyFile /root/certificates/key-soc-collector1.pem

#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer example.domain.com
#$ActionSendStreamDriverMode 1

$template ossec,"%msg%\n"
if $syslogtag == 'ossec-alerts:' then @@Your.AV.IP.ADDR:514;ossec
& stop

3. Export your Wazuh rules:
3.1 create export script 
# vi  /var/ossec/api/rules2ossim.py
#!/usr/bin/env python
# Exports the enabled Wazuh rules as SQL rows for the AlienVault plugin and plugin_sid tables.

from sys import path
path.append('/var/ossec/framework/')   # make the Wazuh Python framework importable
from wazuh.rule import Rule

# Plugin id 22000 is the datasource id used for Wazuh on the AV side.
#print("file;id;description;level;status;groups;pci;details")
print("DELETE FROM plugin where id = '22000';")
print("DELETE FROM plugin_sid where plugin_id = '22000';")
print("INSERT IGNORE INTO plugin(id, type, name, description) VALUES(22000, 1, \"Wazuh\", \"Wazuh host and endpoint security\");")
print("INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, class_id, reliability, priority, name) VALUES")
# limit=0 worked on the Wazuh version this was written against; Wazuh 3.6 rejects it
# with Error 1406 (see the comments below), in which case use an explicit limit such as limit=10000.
for rule in Rule.get_rules(status='enabled', limit=0, sort={"fields":["file"],"order":"asc"})['items']:
#    print("{0};{1};{2};{3};{4};{5};{6};{7}".format(rule.file, rule.id, rule.description, rule.level, rule.status, rule.groups, rule.pci, rule.details))
    # every row ends with a comma; the sed pass in step 3.2 turns the last one into ';'
    print("(22000, %s, 15, 173, NULL, 1, 1, \"Wazuh - %s\")," % (rule.id, rule.description))

3.2 run script:

python rules2ossim.py > wazuh.sql && sed -i -e '5,$s/"//g' -e '5,$s/, Wazuh/, "Wazuh/g' -e '5,$s/),/"),/g' -e '$s/,$/;/' ./wazuh.sql

The sed pass strips any double quotes from the rule rows (line 5 onward), re-quotes the name column and turns the trailing comma of the last row into a semicolon; it must run only after the script has finished writing the file.

3.3 Copy wazuh.sql to your AV server
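Steps 3.1 and 3.2 keep the SQL valid by stripping quotes out of the rule descriptions with sed. As an added example (my code, not the post's), the following builds the same wazuh.sql but escapes quotes and backslashes instead, and derives reliability and priority from the Wazuh rule level, an idea Daniil raises in the comments. The rule records are constructed, and the proportional level mapping is my own choice; PLUGIN_ID and the column constants are the values the script above uses.

```python
PLUGIN_ID = 22000                        # plugin id the post assigns to Wazuh
CATEGORY_ID, SUBCATEGORY_ID = 15, 173    # column values used by rules2ossim.py

def sql_escape(text):
    """Escape backslashes and double quotes for a MySQL double-quoted literal."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def map_level(level):
    """Map a Wazuh rule level (0-15) onto AlienVault reliability (0-10)
    and priority (0-5); a proportional mapping, chosen here for illustration."""
    level = max(0, min(15, int(level)))
    return int(round(level * 10 / 15.0)), int(round(level * 5 / 15.0))

def build_sql(rules):
    """Return the wazuh.sql text for the given rule records (id, level, description)."""
    header = [
        "DELETE FROM plugin where id = '%d';" % PLUGIN_ID,
        "DELETE FROM plugin_sid where plugin_id = '%d';" % PLUGIN_ID,
        'INSERT IGNORE INTO plugin(id, type, name, description) '
        'VALUES(%d, 1, "Wazuh", "Wazuh host and endpoint security");' % PLUGIN_ID,
        "INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, "
        "class_id, reliability, priority, name) VALUES",
    ]
    rows = []
    for rule in sorted(rules, key=lambda r: r["id"]):
        reliability, priority = map_level(rule["level"])
        rows.append('(%d, %d, %d, %d, NULL, %d, %d, "Wazuh - %s")' % (
            PLUGIN_ID, rule["id"], CATEGORY_ID, SUBCATEGORY_ID,
            reliability, priority, sql_escape(rule["description"])))
    # rows are comma separated; the last one closes the statement with ';'
    return "\n".join(header + [",\n".join(rows) + ";"]) + "\n"

SAMPLE_RULES = [  # constructed records in the shape Rule.get_rules() items carry
    {"id": 5710, "level": 5, "description": "sshd: Attempt to login using a non-existent user"},
    {"id": 100002, "level": 12, "description": 'Custom "quoted" description with \\ backslash'},
]

if __name__ == "__main__":
    print(build_sql(SAMPLE_RULES))
```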



On your AV server: 

1. Configure syslog to receive the alerts and write them to a file under /var/:
# nano /etc/rsyslog.d/ossec.conf
$template ossec,"AV -%msg%\n"
if $fromhost-ip == 'YOUR.WAZUH.SRV.IP' then /var/log/wazuh_alerts.log;ossec
& stop

2. Import the Wazuh SQL file:
# cat wazuh.sql | ossim-db

3. Create plugin for Wazuh:
nano /etc/ossim/agent/plugins/wazuh-single-line.cfg

I've uploaded my conf file to pastebin: https://pastebin.com/JyaydAaR

4. restart rsyslog and ossim:
# service rsyslog restart
# ossim-reconfig 

5. check that log file is being populated with logs: 
# lsof /var/log/wazuh_alerts.log
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
ossim-age   678 root   20r   REG    8,1   120954 21534632 /var/log/wazuh_alerts.log
rsyslogd  28452 root   16w   REG    8,1   120954 21534632 /var/log/wazuh_alerts.log

6. Enable the Wazuh plugin globally via the GUI (Deployment -> Server -> Sensor config -> Collection)
7. Check that the plugin is working:
#cat /var/log/alienvault/agent/agent* | grep '22000'
***** ossim-agent: Alienvault-Agent[INFO]: wazuh-single-line[22000] Total lines [191] TotalEvents:[85]  EPS: [0.00] elapsed [10.01] seconds

8. Confirm that events are showing in the GUI: go to SIEM events and check for the Wazuh datasource
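The plugin in step 3 has to pick the fields back out of the custom_alert_output line that the Wazuh manager emits (step 1 on the manager side). As an added example, not part of the post or its pastebin config, this parser extracts those fields with one regex and applies the same check the AlienVault agent does in the warnings quoted in the comments (a src_ip that is not an IP address falls back to 0.0.0.0). The field names are mine and the sample lines are constructed.

```python
import re
import ipaddress

# Field delimiters mirror the custom_alert_output format; EVENT uses the
# [INIT]...[END] markers, so quotes and semicolons inside the raw log are safe.
ALERT_RE = re.compile(
    r'Alert - "(?P<timestamp>.*?)" --> RID: "(?P<rule_id>.*?)"; RL: "(?P<level>.*?)"; '
    r'RG: "(?P<groups>.*?)"; RC: "(?P<comment>.*?)"; USER: "(?P<user>.*?)"; '
    r'SRCIP: "(?P<srcip>.*?)"; HOSTNAME: "(?P<hostname>.*?)"; LOCATION: "(?P<location>.*?)"; '
    r'EVENT: "\[INIT\](?P<full_log>.*)\[END\]";'
)

def normalise_ip(value):
    """Return value if it is a valid IPv4/IPv6 address, else AlienVault's 0.0.0.0 default."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return "0.0.0.0"

def parse_alert(line):
    """Return a dict of fields for one forwarded alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["level"] = int(ev["level"])
    ev["groups"] = [g for g in ev["groups"].split(",") if g]   # $RULEGROUP may end with ','
    ev["srcip_raw"] = ev["srcip"]            # keep what Wazuh sent for troubleshooting
    ev["srcip"] = normalise_ip(ev["srcip"])  # what AV will store
    return ev

SAMPLE_LINES = [  # constructed, in the shape the rsyslog template forwards
    'AV - Alert - "2018 Aug 31 17:53:00" --> RID: "5710"; RL: "5"; '
    'RG: "syslog,sshd,invalid_login,authentication_failed,"; '
    'RC: "sshd: Attempt to login using a non-existent user"; USER: "(none)"; '
    'SRCIP: "203.0.113.7"; HOSTNAME: "test01"; LOCATION: "(test01) any->/var/log/auth.log"; '
    'EVENT: "[INIT]Aug 31 17:52:58 test01 sshd[4242]: Invalid user "admin" from 203.0.113.7 port 50234[END]"; ',
    'AV - Alert - "2018 Aug 31 17:53:01" --> RID: "100001"; RL: "0"; RG: "local,"; '
    'RC: "Custom: test alert without a source IP"; USER: "(none)"; SRCIP: "test01"; '
    'HOSTNAME: "test01"; LOCATION: "ossec-monitord"; EVENT: "[INIT]test event; no ip[END]"; ',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_alert(line)
        print(ev["rule_id"], ev["level"], ev["srcip_raw"], "->", ev["srcip"], "|", ev["full_log"])
```

The second sample reproduces the "not a valid IP.v4/IP.v6 address" case from the comments, where the srcip field carries a hostname.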


Sources: 

Hope this helps someone.
Thanks,
Daniil.

Comments

  • Tell me, after running the script:
    python rules2ossim.py >> wazuh.sql | sed -i -e '5,$s/"//g' -e '5,$s/, Wazuh/, "Wazuh/g' -e '5,$s/),/"),/g' -e '$s/,$/;/' ./wazuh.sql

    I get the following error:

    Traceback (most recent call last):
      File "rules2ossim.py", line 12, in <module>
        for rule in Rule.get_rules(status='enabled', limit=0, sort={"fields":["file"],"order":"asc"})['items']:
      File "/var/ossec/framework/wazuh/rule.py", line 298, in get_rules
        return {'items': cut_array(rules, offset, limit), 'totalItems': len(rules)}
      File "/var/ossec/framework/wazuh/utils.py", line 104, in cut_array
        raise WazuhException(1406)
    wazuh.exception.WazuhException: Error 1406 - 0 is not a valid limit.

  • @regirv I don't know what exactly caused this error, but I've uploaded my version of wazuh.sql file for you:



  • Thanks for the file.
    I configured it as written above, but I get errors:
    2018-08-31 17:51:04,249 Watchdog [INFO]: Starting service 22000 (wazuh-single-line) 
    2018-08-31 17:51:06,469 Watchdog [WARNING]: [sid=4] There was an error starting process ossec-remoted belonging to plugin 22000
    2018-08-31 17:53:00,577 Detector [WARNING]: wazuh-single-line[22000] Event's field src_ip test01 is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0
    2018-08-31 17:53:00,578 Detector [WARNING]: wazuh-single-line[22000] Event's field dst_ip test01 is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0
    2018-08-31 17:53:00,578 Detector [WARNING]: wazuh-single-line[22000] Event's device field test01 is not a valid IP.v4/IP.v6 address, falling back to default local.

  • @regirv This seems pretty much ok for me. AlienVault often fails to resolve IP addresses and uses 0.0.0.0 instead. Have you checked your SIEM page for Wazuh events? 
  • Yes, events are arriving. But there is no complete information on the event (IP, full-log) :-(

  • @regirv  what AV version are you using? Worked fine for me with 5.5
  • AV 5.6.0 
    Wazuh 3.6.0
  • In the file wazuh_alerts.log all the information is there, but only the Event Name is displayed in the SIEM.
  • @regirv I believe that's because they've changed the DB structure in 5.6. I'm waiting myself for 5.6.1 to get my SIEM events fixed.

    Also, you may have issues with the plugin - /etc/ossim/agent/plugins/wazuh-single-line.cfg
    There was a way to check the plugin with the regex.py script, but they removed it.
    You can take one event from wazuh_alerts and check it against the corresponding plugin rule at regex101.com
  • Great Job Daniil

    I have worked with OSSIM and Wazuh since Wazuh 2.0
    Sorry, I haven't seen your post in my Wazuh discussion
    https://www.alienvault.com/forums/discussion/comment/24601/#Comment_24601

    I have modified my OSSIM framework to work with the Wazuh agent.

    I have customized the ossec_single_line.cfg

    Now I work with Wazuh 3.5 and I have modified the ossec installer generator to generate a Wazuh installer


  • @Daniil, did you manage to integrate the pot and OSSIM 5.6.1?
  • @regirv They haven't released 5.6.1 yet. I will update this topic after the upgrade. 
  • @Daniil, thanks, I'll wait.
  • Like regirv

    I get the following error:

    Traceback (most recent call last):
      File "rules2ossim.py", line 12, in <module>
        for rule in Rule.get_rules(status='enabled', limit=0, sort={"fields":["file"],"order":"asc"})['items']:
      File "/var/ossec/framework/wazuh/rule.py", line 298, in get_rules
        return {'items': cut_array(rules, offset, limit), 'totalItems': len(rules)}
      File "/var/ossec/framework/wazuh/utils.py", line 104, in cut_array
        raise WazuhException(1406)
    wazuh.exception.WazuhException: Error 1406 - 0 is not a valid limit.

  • It works for me now. You must change limit=0 to limit=10000 in rules2ossim.py
    Then modify "/var/ossec/framework/wazuh/common.py" and change

    database_limit = 5000
    maximum_database_limit = 10000

    Now it works
  • Nice catch, @vidian

    I am also thinking about changing the priority/reliability of Wazuh rules forwarded to AV so that it corresponds to the Wazuh alert level.
  • I advise you to see the subject on the git. It allows automatic decoding for Windows...
    I am currently working on a Wazuh plugin for OSSIM which will manage the JSON
