Wazuh integration

Hi all, I'm trying to integrate CrowdSec agents into Wazuh. In my current config, my self-hosted CAPI outputs (with the file notification plugin) to /tmp/crowdsec_alerts.json on the Wazuh server. The problem is: all records in Wazuh show the agent.name of the Wazuh server, not the agent where the alert was detected. I tried to enable the file notification plugin on the agent to output to a local file that the Wazuh agent will read and forward to the Wazuh manager, but the file is still empty, even when tweaking the filters in profiles.yaml (to make it trigger every time). I also tried to replace agent.name and agent.ip dynamically in the filebeat wazuh module by parsing fields sent by the CrowdSec agent, but it's not the correct result: the Wazuh agent.name and agent.ip are inserted but are not counted as this agent's detected threats, as I think the CrowdSec agent is unaware of the Wazuh agent identifier (id registered in Wazuh). Is there a correct method for this kind of setup? Is there a way to tell the CrowdSec agent to send a notification when an alert is sent to the CAPI, so that it can output to a local JSON file that can be parsed by the Wazuh agent? (Like alert output on the agent where it's triggered and decision output on the CAPI.) I'm trying hard to pull this off but I think I'm missing an important part. Thanks in advance for your help.
6 Replies
CrowdSec
CrowdSec5w ago
Resolving Wazuh integration: This has now been resolved. If you think this is a mistake please run /unresolve
iiamloz
iiamloz5w ago
"I tried to enable the file notification plugin on the agent to output to a local file that the Wazuh agent will read and forward to the Wazuh manager, but the file is still empty, even when tweaking the filters in profiles.yaml (to make it trigger every time)."
Alerts are not processed on the agent nodes, only on the central LAPI, so they will never fill those files. If you want to be able to see which machine triggered the alert, there is a machine_id property within the alert data, which is the name registered to the LAPI.
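As an added illustration of the machine_id approach (this is example code written for this thread, not CrowdSec's or Wazuh's own tooling), the script below reads alert records as the file notification plugin could write them, one JSON object per line, resolves machine_id against an operator-maintained table mapping CrowdSec machine names to Wazuh agent ids, and emits enriched JSON lines that a Wazuh JSON log collector could ingest with the right agent attribution. The sample records, the host names and the mapping table are constructed; the NDJSON layout and the mapping table are assumptions, and the field names machine_id, scenario, source and events_count follow the CrowdSec alert model.

```python
import json
from collections import Counter

# Constructed sample input: alert records as the CrowdSec file notification plugin
# could write them, one JSON object per line (layout is an assumption). Top-level
# field names follow the CrowdSec alert model; hosts, IPs and counts are invented.
# One line is deliberately truncated and one record (a manual cscli decision)
# carries no machine_id, to show how both cases are handled.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"machine_id": "web01-crowdsec", "scenario": "crowdsecurity/ssh-bf",
                "source": {"scope": "Ip", "value": "203.0.113.7"}, "events_count": 6}),
    json.dumps({"machine_id": "web02-crowdsec", "scenario": "crowdsecurity/http-probing",
                "source": {"scope": "Ip", "value": "198.51.100.9"}, "events_count": 12}),
    "{this line is truncated and not valid JSON",
    json.dumps({"scenario": "manual 'ban' from cscli",
                "source": {"scope": "Ip", "value": "192.0.2.44"}, "events_count": 1}),
    json.dumps({"machine_id": "web01-crowdsec", "scenario": "crowdsecurity/http-bad-user-agent",
                "source": {"scope": "Ip", "value": "203.0.113.7"}, "events_count": 3}),
])

# Hypothetical operator-maintained table: CrowdSec machine_id (the name registered
# to the LAPI) -> Wazuh agent id and name. Neither product ships this mapping; it is
# the missing link between the two identifier spaces discussed in the thread.
MACHINE_TO_WAZUH_AGENT = {
    "web01-crowdsec": {"id": "001", "name": "web01"},
    "web02-crowdsec": {"id": "002", "name": "web02"},
}
UNMAPPED = {"id": "000", "name": "unmapped"}


def parse_alerts(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written line, e.g. read while the plugin is still appending
        if isinstance(obj, dict):
            alerts.append(obj)
    return alerts


def enrich(alert):
    """Attach the Wazuh agent identity derived from machine_id to one alert."""
    machine_id = alert.get("machine_id") or ""
    agent = MACHINE_TO_WAZUH_AGENT.get(machine_id, UNMAPPED)
    source = alert.get("source") or {}
    return {
        "crowdsec_machine_id": machine_id,
        "wazuh_agent_id": agent["id"],
        "wazuh_agent_name": agent["name"],
        "scenario": alert.get("scenario", ""),
        # only Ip-scoped alerts carry an address in source.value
        "source_ip": source.get("value", "") if source.get("scope") == "Ip" else "",
        "events_count": int(alert.get("events_count", 0) or 0),
    }


def enrich_all(text):
    """Return one enriched JSON line per parsed alert, ready for a JSON log collector."""
    return "\n".join(json.dumps(enrich(a), sort_keys=True) for a in parse_alerts(text))


def alerts_per_agent(text):
    """Count alerts per resolved Wazuh agent name; unmapped machines stay visible."""
    return Counter(enrich(a)["wazuh_agent_name"] for a in parse_alerts(text))


if __name__ == "__main__":
    print(enrich_all(SAMPLE_ALERTS))
    print(dict(alerts_per_agent(SAMPLE_ALERTS)))
```

Keeping an explicit "unmapped" bucket rather than dropping records without a known machine_id means manual cscli decisions and newly enrolled CrowdSec machines still show up in the counts, which is where a stale mapping table would otherwise go unnoticed.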
iiamloz
iiamloz5w ago
example
[MJ] Majes
[MJ] MajesOP5w ago
Hi @iiamloz, thanks for your help, I'll try to parse machine_id then. Have a great day 🙂
