[Wazuh not sending alerts to prelude-manager]

Added by Marcus Smith 6 months ago

Hello,

I have two machines; let's call one of them "Ossec" and the other "Correlator". My idea is to send Ossec alerts to a prelude-manager instance placed at Correlator. To do so I followed these steps:

1. Register Ossec instance to prelude-manager

At "Correlator"

prelude-admin registration-server prelude-manager

At "Ossec"

prelude-admin register ossec "idmef:rw admin:rw" <Correlator_IP> --uid ossec --gid ossec

2. Review the configuration

At "Ossec"

A) The ossec profile config file points to default/client.conf and global.conf, so I just added server-addr = <Correlator_IP> to client.conf
B) Added the following options to the ossec.conf file, under <global>

prelude_output, set to yes
prelude_profile, set to ossec
prelude_log_level, set to 3

At "Correlator"

A) I just specified where the prelude-manager should listen. In /etc/prelude-manager/prelude-manager.conf:

listen = <Correlator_IP>

At this point I should be able to generate ossec alerts that will be sent to the prelude-manager instance, but Ossec is not doing so. I'm generating level 3 alerts manually and using tcpdump to check the communication with the Correlator, and no packets are being sent. I've tried to:

- Reinstall ossec specifying "USE_PRELUDE?=yes" in the Makefile
- Verify that all the needed components are correctly installed.
- Verify permissions at "Ossec" to access the Ossec profile

Does anyone know what is missing in the Wazuh configuration?

Thank you
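A diagnostic checklist for the sensor side of the setup described above, added here as an example; it is not code from the original post, nor from OSSEC, Wazuh or Prelude. It assumes the usual defaults (OSSEC under /var/ossec, Prelude profiles under /etc/prelude/profile/<name>, prelude-manager on TCP port 4690) and that `ldd` and `ss` exist on the sensor; the sample ossec.conf it writes is constructed from the option names in the post.

```shell
#!/bin/sh
# Added diagnostic checklist for the OSSEC/Wazuh -> prelude-manager setup in the post above.
# Example code, not part of OSSEC, Wazuh or Prelude. Assumed defaults (override via env):
#   OSSEC_DIR=/var/ossec, profiles under /etc/prelude/profile/<name>, manager on TCP 4690.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
PRELUDE_PROFILE_DIR="${PRELUDE_PROFILE_DIR:-/etc/prelude/profile}"
PRELUDE_PORT="${PRELUDE_PORT:-4690}"

# Write a constructed sample ossec.conf (the <global> options from the post) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <prelude_output>yes</prelude_output>
    <prelude_profile>ossec</prelude_profile>
    <prelude_log_level>3</prelude_log_level>
  </global>
</ossec_config>
EOF
}

# Return 0 only if prelude_output=yes and a prelude_profile are set inside <global>,
# which is the section these options belong to; occurrences elsewhere are not counted.
check_ossec_prelude_options() {
    block=$(sed -n '/<global>/,/<\/global>/p' "$1")
    printf '%s\n' "$block" | grep -q '<prelude_output>[[:space:]]*yes[[:space:]]*</prelude_output>' || return 1
    printf '%s\n' "$block" | grep -q '<prelude_profile>[^<][^<]*</prelude_profile>' || return 1
    return 0
}

# Print the prelude_profile value from an ossec.conf (empty if unset).
get_prelude_profile() {
    sed -n 's/.*<prelude_profile>\([^<]*\)<\/prelude_profile>.*/\1/p' "$1" | head -n 1
}

# Return 0 if the profile directory that "prelude-admin register" created looks usable:
# it must exist and contain a non-empty analyzerid. (Other file names in that directory
# vary between libprelude versions, so only analyzerid is checked here.)
check_prelude_profile_dir() {
    [ -d "$1" ] && [ -s "$1/analyzerid" ]
}

# Live checks against the running sensor; run with: sh prelude-check.sh --live
run_live_checks() {
    conf="$OSSEC_DIR/etc/ossec.conf"
    if check_ossec_prelude_options "$conf"; then
        echo "ok:   prelude_output/prelude_profile set in <global> of $conf"
    else
        echo "FAIL: prelude options missing from <global> in $conf"
    fi
    profile=$(get_prelude_profile "$conf")
    if check_prelude_profile_dir "$PRELUDE_PROFILE_DIR/$profile"; then
        echo "ok:   profile dir $PRELUDE_PROFILE_DIR/$profile has an analyzerid"
    else
        echo "FAIL: no usable profile dir at $PRELUDE_PROFILE_DIR/$profile (re-run prelude-admin register)"
    fi
    # If analysisd is not linked against libprelude, the build had no Prelude support
    # and the ossec.conf options above cannot take effect.
    if ldd "$OSSEC_DIR/bin/ossec-analysisd" 2>/dev/null | grep -q libprelude; then
        echo "ok:   ossec-analysisd is linked against libprelude"
    else
        echo "FAIL: ossec-analysisd not linked against libprelude (rebuild with USE_PRELUDE=yes)"
    fi
    # A registered, working sensor keeps a TCP connection to the manager open.
    if ss -tn 2>/dev/null | grep -qE ":$PRELUDE_PORT([[:space:]]|$)"; then
        echo "ok:   TCP connection to port $PRELUDE_PORT present"
    else
        echo "FAIL: no connection to port $PRELUDE_PORT; check 'listen' in prelude-manager.conf and firewalling"
    fi
    echo "--- last prelude-related lines in ossec.log:"
    grep -i prelude "$OSSEC_DIR/logs/ossec.log" 2>/dev/null | tail -n 5
}

case "${1:-}" in --live) run_live_checks ;; esac
```

The two ossec.conf functions work offline on any file, so the <global> block can be validated before restarting the sensor; `--live` runs the remaining checks on the sensor itself. In this thread the final cause turned out to be a Wazuh source bug, which no configuration check would catch; the checklist only rules out the configuration and build mistakes one would otherwise chase first.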


Replies (3)

RE: [Wazuh not sending alerts to prelude-manager] - Added by Antoine LUONG 6 months ago

Hello,

Please check the logs of the OSSEC sensor to see if the Prelude client starts correctly.

Note: you probably don't want to give the idmef:r permission to this sensor, as it is not meant to receive IDMEF alerts.

Regards

RE: [Wazuh not sending alerts to prelude-manager] - Added by Marcus Smith 6 months ago

Antoine LUONG wrote:

Hello,

Please check the logs of the OSSEC sensor to see if the Prelude client starts correctly.

Note: you probably don't want to give the idmef:r permission to this sensor, as it is not meant to receive IDMEF alerts.

Regards

Did you mean the ossec.log log file (ossec software) or another log file generated by prelude sensors? I thought that as ossec is an expert sensor with native support for prelude, it would handle the needed communications. I've checked the ossec.log file and I don't see any reference to prelude.

I also corrected the permissions of the profile, as you suggested.

Thank you

RE: [Wazuh not sending alerts to prelude-manager] - Added by Marcus Smith 6 months ago

Solved!

It is the fault of a Wazuh source-code error. I applied a workaround and it is correctly sending the events to prelude.

You can check the ticket issue at:

https://github.com/wazuh/wazuh/issues/2552

Regards
