Integration with Wazuh-ELK
Use this guide if you want to send OwlH output, including Suricata and Zeek alerts and logs, to Wazuh-ELK.
This integrates your NIDS alerts and output into the Wazuh world. This is a one-way integration process.
As usual, please keep in contact if there is any clarification or help needed.
- email our support team - support@owlh.net
- join OwlH slack - OwlH Slack workspace
- ask for professional support and services - prohelp@owlh.net
Main steps
- Install and register your Wazuh Agent in the OwlH Node
- Configure Wazuh Agent to read the OwlH Node output
- Enable OwlH Node Analyzer
- Add OwlH filebeat Module in your OwlH Manager
- Import OwlH dashboards in your ELK Kibana
Install Wazuh Agent
Run the OwlH Wazuh agent script to install the Wazuh agent on your OwlH Node.
# wget repo.owlh.net/current-centos/services/owlhwazuh.sh
# bash owlhwazuh.sh
Register your Wazuh Agent with your Wazuh Manager, and modify the ossec.conf file to point to it as needed. Please follow your Wazuh deployment process to run this step or refer to Wazuh's documentation.
Configure Wazuh Agent to read OwlH output
We need to tell our Wazuh Agent to read the OwlH output file where NIDS alerts and logs are stored. The file is created by the OwlH Analyzer and by default is /var/owlh/alerts.json. Be sure the Analyzer is configured and working before continuing.
You can configure this from the User Interface:
UI -> nodes -> search your node -> node services configuration -> Wazuh -> add file
Include the alerts.json path where the Analyzer is storing events.
Save and reload Wazuh.
You can verify that new lines are being written to the alerts.json file: the UI shows its current size and you can refresh it. You can also check the ossec.log file for errors.
To monitor the ossec.log file:
UI -> nodes -> search your node -> monitor node -> add file
Include your ossec.log file -> /var/ossec/logs/ossec.log
Review the latest 10, 50 or 100 lines.
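The same configuration and checks done without the UI, as an added example that is not an OwlH or Wazuh script: it writes the Wazuh localfile block for alerts.json into ossec.conf, samples the file size to confirm new events arrive, and counts ERROR lines in ossec.log. It assumes the agent is installed under /var/ossec and the Analyzer writes /var/owlh/alerts.json (both are the defaults named above).

```shell
#!/bin/sh
# Added example, not OwlH's or Wazuh's own code. Assumes /var/ossec for the
# agent and /var/owlh/alerts.json for the Analyzer output; override via env.
ALERTS="${ALERTS:-/var/owlh/alerts.json}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"

# <localfile> block that makes the agent tail a JSON-lines file ($1 = path).
localfile_block() {
  printf '  <localfile>\n    <location>%s</location>\n    <log_format>json</log_format>\n  </localfile>\n' "$1"
}

# True when ossec.conf ($1) already references the file ($2); keeps re-runs idempotent.
conf_has_localfile() {
  grep -q "<location>$2</location>" "$1"
}

# Insert the block once, just before the last </ossec_config> in $1.
add_localfile() {
  conf_has_localfile "$1" "$2" && return 0
  blk=$(mktemp)
  localfile_block "$2" > "$blk"
  awk -v blk="$blk" '
    { lines[NR] = $0; if ($0 ~ /<\/ossec_config>/) last = NR }
    END { for (i = 1; i <= NR; i++) {
            if (i == last) while ((getline l < blk) > 0) print l
            print lines[i] } }' "$1" > "$1.new" && mv "$1.new" "$1"
  rm -f "$blk"
}

# Size in bytes; compare two samples to see whether new NIDS events arrived.
file_size() { wc -c < "$1" | tr -d ' '; }
file_grew() { [ "$2" -gt "$1" ]; }

# Number of ERROR lines in ossec.log (0 when the log does not exist yet).
ossec_error_count() {
  n=$(grep -c 'ERROR' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

if [ "${1:-}" = "apply" ]; then   # run with "apply" on the OwlH Node itself
  add_localfile "$OSSEC_CONF" "$ALERTS"
  echo "alerts.json size: $(file_size "$ALERTS")  ossec.log errors: $(ossec_error_count "$OSSEC_LOG")"
fi
```

After running it with "apply", restart the agent so the new localfile entry is picked up, then sample file_size twice a minute apart: a size that does not change means the Analyzer is not writing, not that Wazuh is broken.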
Wazuh manager and ELK configuration
Now you need to ensure that your Wazuh Manager is configured to handle the OwlH output and can forward it to ELK properly. You may also need to import the default OwlH dashboards into your ELK.
Follow the instructions here.