Hi u/bigjon_97, Wazuh employee here. Let me try to answer this question.
Self hosted: as our platform is open source and free, you can download it for free and you have the option to get the Annual Professional Support (Standard or Premium). The prices of the support are calculated according to the number of endpoints that you want to monitor (servers, workstations, network devices, etc.), and we have different bands, for example up to 25 agents, up to 50 agents, etc. Like you mentioned, on-prem (whether or not you hired the support) the end user administrator needs to take care of the maintenance of the hardware and resources of Wazuh and the Elastic Stack.
Cloud-hosted: our hosting service hosts the Wazuh server and the Elastic Stack, for which we do the maintenance and the upgrades to the latest versions. Support is included (Standard or Premium), so the customer only needs to install the agents and we take care of the rest. In this case, the prices are calculated according to the amount of hot storage needed, which is the events that are available in the web user interface (and are therefore processed by the Wazuh analysis engine), and the retention period that you might need; cold storage is unlimited for 1 year.
In terms of features, both options have the same features/capabilities.
Hope this helps.
Let me know if you have further questions.
Regards!
u/michaelroadman2 if you want you can try connecting agents and see how Wazuh works with the trial version of Wazuh cloud without having to install the server.
[root@template bin]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2021-11-18 16:06:30 EST; 1 weeks 1 days ago
Docs: https://www.elastic.co
Main PID: 62224 (java)
Tasks: 75
CGroup: /system.slice/elasticsearch.service
└─62224 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xs...
Nov 18 16:05:47 template.localdomain systemd[1]: Stopped Elasticsearch.
Nov 18 16:05:47 template.localdomain systemd[1]: Starting Elasticsearch...
Nov 18 16:06:30 template.localdomain systemd[1]: Started Elasticsearch.
Hi!
I am wondering why you tried to execute the Python script on a different container, since I think that the best solution would be to run it inside the Wazuh container itself. Think of it as another part of the Wazuh manager, even if it is a custom one.
To do that you'd only have to either copy the script into the container or map a volume to the directory using -v path-to-script-in-host/script.py:/path-to-script-in-container/script.py
Then, by adding this configuration block to the /var/ossec/etc/ossec.conf file inside the Wazuh container (after adding your data) and restarting the service using service wazuh-manager restart, the script will be executed every 24h:
<wodle name="command">
<disabled>no</disabled>
<command>/path/to/script/office_365.py --contentType Audit.Exchange Audit.SharePoint DLP.All Audit.General Audit.AzureActiveDirectory --hours 24 --tenantId your_tenant_id --clientId your_client_id --clientSecret your_client_secret</command>
<interval>24h</interval>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>
As for the best execution interval, I'd say that it really depends on the size of the environment you are monitoring, but I think that a 1h interval would be fine for a small environment and it would allow you to always have the most recent information available in the dashboard.
Please take a look at this post too since it has a lot of information regarding O365 integration with Wazuh.
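An added example (not code from the original post or from the Wazuh project): a small Python check that parses a wodle block like the one above and flags a lookback window (--hours) that does not line up with the interval, which matters if you shorten the interval to 1h as suggested but leave --hours at 24. It assumes --hours means "fetch events from the last N hours" and that timeout 0 means the script is never killed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <wodle name="command"> block shown in the post above.
SAMPLE_WODLE = """<wodle name="command">
<disabled>no</disabled>
<command>/path/to/script/office_365.py --contentType Audit.Exchange Audit.SharePoint DLP.All Audit.General Audit.AzureActiveDirectory --hours 24 --tenantId your_tenant_id --clientId your_client_id --clientSecret your_client_secret</command>
<interval>24h</interval>
<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(text):
    """Convert a Wazuh-style interval ('1h', '30m', '86400') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"unrecognised interval: {text!r}")
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)


def check_wodle(xml_text):
    """Return (interval_s, lookback_s, issues) for a <wodle name="command"> block.

    The lookback is read from the script's --hours argument (assumption: the
    script fetches the last N hours of audit events on every run).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "wodle" or root.get("name") != "command":
        raise ValueError('not a <wodle name="command"> block')
    issues = []
    if (root.findtext("disabled") or "no").strip() == "yes":
        issues.append("wodle is disabled: the script will never run")
    interval_s = parse_interval(root.findtext("interval") or "")
    cmd = root.findtext("command") or ""
    m = re.search(r"--hours\s+(\d+)", cmd)
    lookback_s = int(m.group(1)) * 3600 if m else None
    if lookback_s is None:
        issues.append("--hours not found in command: lookback unknown")
    elif lookback_s < interval_s:
        issues.append("lookback shorter than interval: events in the gap are never fetched")
    elif lookback_s > interval_s:
        issues.append("lookback longer than interval: overlapping windows repeat alerts unless the script de-duplicates")
    if (root.findtext("timeout") or "0").strip() == "0":
        issues.append("timeout 0 (assumed: no timeout): a hung script is never killed")
    return interval_s, lookback_s, issues
```

Running check_wodle on the block as posted reports only the timeout note; changing the interval to 1h without touching --hours adds the overlap warning.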
Hi. Both deployment methods you already tried (Wazuh all-in-one unattended installation script and Wazuh using Ansible) create certificates. In order to change these certificates for Kibana you need to edit /etc/kibana/kibana.yml
and replace
server.ssl.certificate: "/etc/kibana/certs/kibana.pem"
server.ssl.key: "/etc/kibana/certs/kibana-key.pem"
with the path to your certificate and certificate key (or, without changing the configuration, replace those files with yours using the same file names). The new certificate and key should be automatically loaded. You can also do a Kibana service restart.
To set up a Wazuh cluster with NGINX load balancer there's a blog post covering the basics and the configurations needed here: https://wazuh.com/blog/nginx-load-balancer-in-a-wazuh-cluster/
I hope this is of help,
Yes, Wazuh messages protocol uses AES encryption by default. Communication between agents and manager as well as communication between manager nodes in a cluster is encrypted in this way. You can read more about AES encryption in the communication between agents and manager here.
Hi u/linuxgfx, glad to read that everything is working now!
User contributions to our communities are the best donations we can have; thanks to these we can continue to improve this amazing project. I invite you to join our other channels, in which you will be able to find several use cases from other users, participate in discussions, talk to our developers and contribute to the project. Thanks again for using Wazuh, have a great one! Cheers!
Hi u/two_word_reptile! Yes it is!
You can install an agent on the endpoint that is hosting the files and track all the changes (created, modified or deleted files) in a particular location. Inside every event you can see the information about the changes that the file had, like:
In here you can find more information about this module.
You can also monitor shared folder access; more info here.
Hope it helps!
Regards!
Hello u/raphl87,
You have done such a great analysis.
I agree with you because the disk size depends a lot on what you are monitoring and how much activity the monitored system has.
One thing to keep clear is the matter of EPS. It's more precise to size by the number of Alerts Per Second (APS), since these are what Wazuh stores by default (lots of events are muted and they won't consume disk storage).
Finally, to your question: Wazuh has a calculator that could give you an approximation of the storage you will need but, as you mention, you have to take into account that it could differ from reality.
You can take a look at the calculator here -> https://wazuh.com/cloud/ (after the Standard and Premium offer, the link that says `How much hot storage do I need?`).
I hope my answer helps you, thanks for your feedback.
Okay, that does not provide too much information. Send back your ossec.conf (/var/ossec/etc/ossec.conf) and your ossec.log (/var/ossec/log/ossec.log).
I also recommend you join the Wazuh Slack channel to help you solve your doubts: https://wazuh.com/community/join-us-on-slack/
Hi! Sorry for the delay, I made this alt account just for this and totally forgot; now, after 17 days, checking the inbox I see this.
You can join our Slack channel from here: https://wazuh.com/community/join-us-on-slack/
But feel free to post any question here; several in the team are aware of this sub, and of course Reddit has much better discoverability than Slack. I'd hate to spend time answering the same questions over and over on Slack when this sub could serve as a forum.