Solved Wazuh - operational and can add agents - now what
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.I'll have to look into that in a bit, have a meeting to run too.
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so I can't start the wazuh-manager because
ossec-analysisd: ERROR: Invalid option 'frequency' for rule '100100'.I'll have to look into that in a bit, have a meeting to run too.
I made an error writing the rule.
frequencyandtimeframego up next torule_idandlevel. I edited my previous post and fixed itJust like rule
5703here https://github.com/wazuh/wazuh-ruleset/blob/master/rules/0095-sshd_rules.xml -
Starting Wazuh manager... env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'. env[11414]: ossec-analysisd: Configuration error. Exiting systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'. systemd[1]: Failed to start Wazuh manager. -
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
-
@Dashrender said in Wazuh - operational and can add agents - now what:
13202 > 9999,
@IRJ said in Wazuh - operational and can add agents - now what:
2-9999 are allowed values
https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/rules.html
13202 is the rule number not frequency or timeframe
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager...
env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
env[11414]: ossec-analysisd: Configuration error. Exiting
systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Wazuh manager.Does rule
13202not exist? you should be able to find it in your rules folder under0200-smbd_rules.xmlfile -
Starting Wazuh manager... env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'. env[11593]: ossec-analysisd: Configuration error. Exiting systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'. systemd[1]: Failed to start Wazuh manager. -
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Starting Wazuh manager... env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'. env[11593]: ossec-analysisd: Configuration error. Exiting systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1 systemd[1]: wazuh-manager.service: Failed with result 'exit-code'. systemd[1]: Failed to start Wazuh manager.Oh I made a typo! Its supposed to be
13102 -
-
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times, How can I find out what client was attempting to login to this server and failed?
-
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ so a lot of this works out of the box, one question I have is how the heck do I get the details of specific events.
In the below I specifically failed a login attempt a few times, How can I find out what client was attempting to login to this server and failed?
So you already filtered it. Just click discover on top right
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
Or I guess an even better question is there some free training on wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.
Nope, I should make a course on Udemy, though
-
@IRJ said in Wazuh - operational and can add agents - now what:
So you already filtered it. Just click discover on top right
Doh that is so easy that I didn't even think that was it.
-
@DustinB3403 said in Wazuh - operational and can add agents - now what:
@IRJ said in Wazuh - operational and can add agents - now what:
So you already filtered it. Just click discover on top right
Doh that is so easy that I didn't even think that was it.
