Integration with Wazuh-ELK

if you want to send OwlH output including Suricata and Zeek alerts and logs to Wazuh-ELK

This will help to integrate your NIDS alerts and output into Wazuh world. this is a one-way integration process.

Main steps

• Install and register your Wazuh Agent in the OwlH Node
• Enable OwlH Node Analyzer
• Add OwlH filebeat Module in your OwlH Manager
• Import OwlH dashboards in your ELK Kibana

---

Install Wazuh Agent

YUM

APT

1. Import the GPG key:

# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

2. Add Wazuh repository

# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

3. Install wazuh - agent

Note

You can use your own wazuh-agent installation and registration procedure.

# yum -y install wazuh-agent

or

# WAZUH_MANAGER="10.0.0.2" yum install wazuh-agent

4. Enable and start your Wazuh-agent

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

1. Install the GPG key:

# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

2. Add the repository:

# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

3. Update the package information:

# apt-get update

4. Install wazuh-agent

# apt-get install wazuh-agent

or

# WAZUH_MANAGER="10.0.0.2" apt-get install wazuh-agent

5. Enable and start your Wazuh-agent

# systemctl daemon-reload
# systemctl enable wazuh-agent
# systemctl start wazuh-agent

Be sure your agent is correctly register and looks like active on Wazuh Manager

Configure Wazuh Agent to read OwlH output

We need to tell our Wazuh Agent to read the OwlH Output where NIDS alerts and logs are stored. The file is created by the OwlH Analyzer and by default is /var/log/owlh/alerts.json. Be sure Analyzer is configured and working

You can configure this from OwlH User Interface:

* OwlH UI -> nodes -> search your node -> node services configuration -> Wazuh -> add file
* include the /var/log/owlh/alerts.json path where Analyzer is storing events
* save and reload Wazuh

You can verify if there are new lines in the alerts.json file, UI will show current size and you can refresh it. also, you can verify ossec.log file to check if there are any errors.

Wazuh manager and ELK configuration

Now you need to ensure that your Wazuh Manager is configured to manage OwlH output and is able to send to ELK properly. Also you may need to import in your ELK the default OwlH Dashboards

Follow the instructions here.

• ELK integration