Hello again and thanks for the support. In fact I receive only this type of warnings:

2018 May 25 01:10:12 WazuhServerTirana->FirewallIP id=firewall sn=C0EAE49Z345 time="2018-05-25 01:11:01" fw=publicIP pri=6 c=1024 m=537 msg="Connection Closed" app=39 n=91292961 src=10.x.x.x:57595:X2 dst=10.87.x.x:161:X2 srcMac=00:0c:29:5b:4d:a2 proto=udp/161 sent=107 rcvd=128 spkt=1 rpkt=1 cdur=30250 rule="4 (Vodafone->Vodafone)" fw_action="NA"
2018 May 25 01:10:09 WazuhServerTirana->FirewallIP id=firewall sn=C0EAE49Z345 time="2018-05-25 01:10:59" fw=publicIP pri=6 c=262144 m=98 msg="Connection Opened" n=11980860 src=10.80.x.x:36827:X0 dst=x.x.x.x:123:X1 dstMac=00:00:5e:00:01:65 proto=udp/ntp sent=76 rule="1 (LAN->WAN)" fw_action="NA"

On Thursday, May 24, 2018 at 4:58:03 PM UTC+2, Juanjo Jiménez wrote:
>
> Hello again,
>
> Could you please show me some of the logs about Sonicwall that you're getting on the archives.log file? You could use this command:
> cat /var/ossec/logs/archives/archives.log | grep sonicwall
>
> Maybe there are only events on that file that don't match any specific Sonicwall rules available on the Ruleset, and those events won't be triggered as an alert on the alerts.json file.
>
> Thanks for your patience.
>
> Regards,
> Juanjo
>
> On Thursday, May 24, 2018 at 3:29:23 PM UTC+2, Mikel Sheshi wrote:
>>
>> Hello again,
>> Modified the ossec.conf to level 1
>> <ossec_config>
>> <global>
>> <jsonout_output>yes</jsonout_output>
>> <alerts_log>yes</alerts_log>
>> <logall>yes</logall>
>> <logall_json>yes</logall_json>
>> <email_notification>yes</email_notification>
>> <smtp_server>mail.domain.com</smtp_server>
>> <email_from>osse...@domain.com</email_from>
>> <email_to>mikel....@domain.com</email_to>
>> <email_maxperhour>12</email_maxperhour>
>> </global>
>>
>> <alerts>
>> <log_alert_level>1</log_alert_level>
>> <email_alert_level>12</email_alert_level>
>> </alerts>
>> But still don't see the sonicwall logs on the alerts.json (I see them on archives.json)
>>
>> Thank you
>> Mikeli
>>
>> On Thursday, May 24, 2018 at 12:58:59 PM UTC+2, Juanjo Jiménez wrote:
>>>
>>> Hello again Mikel,
>>>
>>> If you receive Sonicwall events on the archives.log file, then you should see them on the alerts.json file, BUT only if they are from *at least level 3* or higher.
>>>
>>> This setting can be found inside the <alerts> tag on your ossec.conf file:
>>> <alerts>
>>> <log_alert_level>3</log_alert_level>
>>> <email_alert_level>12</email_alert_level>
>>> </alerts>
>>>
>>> By default, the value is 3, but you can change it to 1, so you'll see all the Sonicwall alerts starting from level 1. Keep in mind that, according to the Sonicwall rules from our Ruleset repository <https://github.com/wazuh/wazuh-ruleset/blob/v3.2.2/rules/0080-sonicwall_rules.xml>, some of them are level 0, and those rules will never trigger alerts on the alerts.json file.
>>>
>>> Try changing the <log_alert_level> to 1 and then restart the manager:
>>> systemctl restart wazuh-manager
>>>
>>> Let me know if now you can see Sonicwall alerts on the alerts.json file. If so, then they will appear on the Kibana app, just like I mentioned in my previous message.
>>>
>>> If you still have questions, please let me know.
>>>
>>> Regards,
>>> Juanjo
>>>
>>> On Thursday, May 24, 2018 at 11:53:42 AM UTC+2, Mikel Sheshi wrote:
>>>>
>>>> Hello Juanjo,
>>>> Thank you for the reply
>>>> The problem is that I can see the logs of the Sonicwall on the directory /var/ossec/logs/archives
>>>> But I don't see them on /var/ossec/logs/alerts
>>>>
>>>> I receive the logs on the Archives folder, but I don't receive any alert about them on alerts.json
>>>> The question is: How to move the Sonicwall syslogs to the Alerts.json file?
>>>>
>>>> Thanks
>>>> Mikeli
>>>>
>>>> On Wednesday, May 23, 2018 at 5:53:11 PM UTC+2, Juanjo Jiménez wrote:
>>>>>
>>>>> Hello Mikel,
>>>>>
>>>>> If you're getting Sonicwall alerts on the alerts.json file, you can see them in Kibana. Currently, we don't have a specific tab for Sonicwall alerts, but you can go to the *Overview* tab, and you'll see a search bar (circled in red) where you can type the following:
>>>>> rule.groups: sonicwall
>>>>>
>>>>> And press enter. This will filter the alerts by this group. You can also open the *Discover* view (circled in red) to see the alerts in a list-view mode, just like on Kibana's Discover tab on the left sidebar.
>>>>>
>>>>> <https://lh3.googleusercontent.com/-jtRSbeXeqps/WwWKq39XVsI/AAAAAAAAAIk/jP_IS45b-M4SfDp5et5GvCagt6mw7UMrgCLcBGAs/s1600/searchbar.PNG>
>>>>>
>>>>> Let me know if this works for you.
>>>>>
>>>>> Regards,
>>>>> Juanjo
>>>>>
>>>>> On Wednesday, May 23, 2018 at 3:21:57 PM UTC+2, Mikel Sheshi wrote:
>>>>>>
>>>>>> Hello,
>>>>>> Is there any way to send sonicwall syslogs on Kibana dashboard (Wazuh server)
>>>>>> I have set the logall option to "Yes" on ossec.conf
>>>>>> <jsonout_output>yes</jsonout_output>
>>>>>> <alerts_log>yes</alerts_log>
>>>>>> <logall>yes</logall>
>>>>>> I receive the logs on the /var/ossec/logs/archives
>>>>>>
>>>>>> But I want to see the alerts on Kibana dashboard gui
>>>>>>
>>>>>> - The file /var/ossec/logs/archives/archives.json contains all events whether they tripped a rule or not.
>>>>>> - The file /var/ossec/logs/alerts/alerts.json contains only events that tripped a rule.
>>>>>>
>>>>>> I want to see the sonicwall syslogs on alerts.json on Kibana in the same way that I see the wazuh agent logs
>>>>>>
>>>>>> Thanks
>>>>>> Mikeli
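The thread turns on two things: what the SonicWall key=value lines in archives.log actually contain, and why an event that is visible there still never reaches alerts.json (no matching rule, a level-0 rule, or a rule level below `<log_alert_level>`). The following is an added example, not Wazuh code and not written by anyone in the thread. It parses the two archives.log lines posted above exactly as they appear (octets masked with "x" as in the original) and reproduces the threshold decision Juanjo describes; the rule levels fed to that check are hypothetical, since the real level comes from whichever rule in 0080-sonicwall_rules.xml matches, which this script does not evaluate.

```python
import re
from typing import Dict, Optional

# The two archives.log lines posted in the thread (taken from the page, with
# the Wazuh "<date> <manager>-><source> " prefix the manager prepends).
SAMPLE_ARCHIVE_LINES = [
    '2018 May 25 01:10:12 WazuhServerTirana->FirewallIP id=firewall sn=C0EAE49Z345 '
    'time="2018-05-25 01:11:01" fw=publicIP pri=6 c=1024 m=537 msg="Connection Closed" '
    'app=39 n=91292961 src=10.x.x.x:57595:X2 dst=10.87.x.x:161:X2 '
    'srcMac=00:0c:29:5b:4d:a2 proto=udp/161 sent=107 rcvd=128 spkt=1 rpkt=1 '
    'cdur=30250 rule="4 (Vodafone->Vodafone)" fw_action="NA"',
    '2018 May 25 01:10:09 WazuhServerTirana->FirewallIP id=firewall sn=C0EAE49Z345 '
    'time="2018-05-25 01:10:59" fw=publicIP pri=6 c=262144 m=98 msg="Connection Opened" '
    'n=11980860 src=10.80.x.x:36827:X0 dst=x.x.x.x:123:X1 dstMac=00:00:5e:00:01:65 '
    'proto=udp/ntp sent=76 rule="1 (LAN->WAN)" fw_action="NA"',
]

# One SonicWall field: key=value, where the value is either double-quoted
# (and may contain spaces, e.g. rule="4 (Vodafone->Vodafone)") or a bare
# token with no whitespace (e.g. proto=udp/ntp).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Parse one archives.log line into its SonicWall key=value fields.

    The manager's "<date> <manager>-><source>" prefix is kept under "_prefix";
    the SonicWall body starts at the first " id=" token.
    """
    start = line.find(" id=")
    if start < 0:
        raise ValueError("not a SonicWall key=value line")
    fields: Dict[str, str] = {"_prefix": line[:start]}
    for m in _KV_RE.finditer(line[start + 1:]):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def alert_decision(rule_level: Optional[int], log_alert_level: int = 3) -> str:
    """Explain whether an event reaches alerts.json, following the thread.

    rule_level is None when no rule in the ruleset matched the event. A
    level-0 rule never alerts; otherwise the event is written to alerts.json
    only when its rule level is at least <log_alert_level> (default 3).
    """
    if rule_level is None:
        return "no rule matched: event is in archives.json only"
    if rule_level == 0:
        return "matched a level-0 rule: never written to alerts.json"
    if rule_level < log_alert_level:
        return (f"rule level {rule_level} is below log_alert_level "
                f"{log_alert_level}: archives.json only")
    return "alerted: written to alerts.json"


def reaches_alerts_json(rule_level: Optional[int], log_alert_level: int = 3) -> bool:
    """True only when alert_decision() says the event is alerted."""
    return alert_decision(rule_level, log_alert_level).startswith("alerted")


if __name__ == "__main__":
    for raw in SAMPLE_ARCHIVE_LINES:
        f = parse_sonicwall(raw)
        print(f["time"], f["msg"], f["src"], "->", f["dst"], f["proto"],
              "| firewall rule:", f["rule"])
    # Hypothetical rule levels (constructed for illustration): compare the
    # default threshold of 3 with the lowered value of 1 suggested in the thread.
    for level in (None, 0, 2, 3):
        print(f"level={level!s:<4} default: {alert_decision(level)}")
        print(f"           lowered: {alert_decision(level, 1)}")
```

The parser is deliberately independent of Wazuh's own decoders: it only demonstrates that both posted lines are informational connection open/close records (`pri=6`, `msg="Connection Opened"`/`"Connection Closed"`), which is the kind of event that may match no SonicWall rule at all, in which case lowering `<log_alert_level>` cannot make it appear in alerts.json, exactly as Juanjo's last reply suggests checking.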