Hi all,
I'm trying to integrate Crowdsec agents into Wazuh.
In my current config, my self-hosted CAPI outputs (with the file notifications plugin) to /tmp/crowdsec_alerts.json on the Wazuh server.
The problem is: all records in Wazuh show the agent.name of the Wazuh server, not the agent where the alert was detected.
I tried to enable the file notification plugin on the agent to output to a local file that the Wazuh agent will read and forward to the Wazuh manager, but the file is still empty, even when tweaking the filters in profiles.yaml (to make it trigger every time).
I also tried to dynamically replace the agent.name and agent.ip in the Filebeat wazuh module by parsing fields sent by the Crowdsec agent, but it's not the correct result: the Wazuh agent.name and agent.ip are inserted but not counted for this agent's detected threats, as I think the Crowdsec agent is unaware of the Wazuh agent identifier (id registered in Wazuh).
Is there a correct method for this kind of setup?
Is there a way to tell the Crowdsec agent to send a notification when an alert is sent to the CAPI, so that it can output to a local JSON file that can be parsed by the Wazuh agent? (Like alerts output on the agent where it's triggered and decisions output on the CAPI.)
I'm trying hard to pull this off, but I think I'm missing an important part.
Thanks in advance for your help.