{"id":12380,"date":"2022-04-30T15:21:58","date_gmt":"2022-04-30T12:21:58","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12380"},"modified":"2024-03-09T11:39:33","modified_gmt":"2024-03-09T08:39:33","slug":"integrate-suricata-with-wazuh-for-log-processing","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/integrate-suricata-with-wazuh-for-log-processing\/","title":{"rendered":"Integrate Suricata with Wazuh for Log Processing"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to integrate Suricata with Wazuh for log processing. With its ability to write its logs in YAML and JSON formats, Suricata can be integrated with other tools such as SIEMs, Splunk, Logstash\/Elasticsearch and Kibana for further log processing and visualization. In this tutorial, we will see how you can easily integrate it with <a href=\"https:\/\/wazuh.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Wazuh<\/a>, an open-source <em>threat detection, security monitoring, incident response and regulatory compliance<\/em> tool, to process the Suricata-generated alerts for better monitoring and visualization of network traffic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Integrate Suricata with Wazuh for Log Processing<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Setup Wazuh Server<\/h3>\n\n\n\n<p>To begin with, ensure that you have a Wazuh manager up and running. 
You can check the sample tutorials below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-server-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Server on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-wazuh-manager-on-ubuntu-22-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure Wazuh Manager on Ubuntu 22.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Setup Suricata<\/h3>\n\n\n\n<p>On the endpoint where you are monitoring network traffic, install and configure Suricata. Sample tutorials;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-rocky-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Rocky Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-suricata-on-ubuntu-22-04-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup Suricata on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Wazuh Agents<\/h3>\n\n\n\n<p>On the hosts where Suricata is installed and monitoring network traffic, install Wazuh agents.<\/p>\n\n\n\n<p>Wazuh agents are required to read, collect and push the Suricata alert logs to the Wazuh server\/manager for processing.<\/p>\n\n\n\n<p>Sample tutorials to install Wazuh agents;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-wazuh-agent-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Wazuh Agent on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easy-way-to-install-wazuh-agents-on-ubuntu-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easy Way to Install Wazuh Agents on Ubuntu\/Debian<\/a><\/p>\n\n\n\n<p>In this tutorial, we have two agents connected;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/wazuh-agents.png\" class=\"td-modal-image\"><figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1905\" height=\"679\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/wazuh-agents.png\" alt=\"How to Integrate Suricata with Wazuh for Log Processing\" class=\"wp-image-12432\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/wazuh-agents.png?v=1651306086 1905w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/wazuh-agents-768x274.png?v=1651306086 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/wazuh-agents-1536x547.png?v=1651306086 1536w\" sizes=\"(max-width: 1905px) 100vw, 1905px\" \/><figcaption>Wazuh agents<\/figcaption><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Suricata Logging<\/h3>\n\n\n\n<p>By default, Suricata logs alerts to two different files;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>fast.log<\/code><\/strong>: which contains line-based alert logs<\/li>\n\n\n\n<li><strong><code>eve.json<\/code><\/strong>: which stores the event logs in JSON format<\/li>\n<\/ul>\n\n\n\n<p>Both are defined under the <code>outputs<\/code> section of the Suricata configuration file;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code># Configure the type of alert (and other) logging you would like.\noutputs:\n<strong>  - fast:\n      enabled: yes\n      filename: fast.log\n      append: yes<\/strong>\n\n  # Extensible Event Format (nicknamed EVE) event log in JSON format\n<strong>  - eve-log:\n      enabled: yes\n      filetype: regular\n      filename: eve.json<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Wazuh Agent to Collect Suricata Logs<\/h3>\n\n\n\n<p>In order to integrate Suricata with Wazuh, you need to configure the Wazuh agent to read the Suricata EVE logs.<\/p>\n\n\n\n<p>The Suricata EVE log file is <code><strong>\/var\/log\/suricata\/eve.json<\/strong><\/code> by default.<\/p>\n\n\n\n<p>Thus, open the Wazuh agent configuration file for editing;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo vi 
\/var\/ossec\/etc\/ossec.conf<\/code><\/pre>\n\n\n\n<p>Add the lines below, just before the last line, <strong><code>&lt;\/ossec_config&gt;<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>  &lt;localfile&gt;\n    &lt;log_format&gt;json&lt;\/log_format&gt;\n    &lt;location&gt;\/var\/log\/suricata\/eve.json&lt;\/location&gt;\n  &lt;\/localfile<\/strong>&gt;<\/code><\/pre>\n\n\n\n<p>This basically instructs Wazuh agent to collect Suricata EVE logs and push them to Wazuh manager for processing.<\/p>\n\n\n\n<p>Wazuh manager ships with preinstalled rules for processing Suricata EVE JSON logs by default. These rules are stored in the file <strong><code>\/var\/ossec\/ruleset\/rules\/0475-suricata_rules.xml.<\/code><\/strong><\/p>\n\n\n\n<pre class=\"scroll-box\"><code>&lt;!--\n  -  Suricata rules\n  -  Created by Wazuh, Inc.\n  -  Copyright (C) 2015-2020, Wazuh Inc.\n  -  This program is a free software; you can redistribute it and\/or modify it under the terms of GPLv2.\n--&gt;\n\n&lt;!-- ID: 86600 - 86699 --&gt;\n\n&lt;group name=\"ids,suricata,\"&gt;\n\n    &lt;!--\n    {\"timestamp\":\"2016-05-02T17:46:48.515262+0000\",\"flow_id\":1234,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"16.10.10.10\",\"src_port\":5555,\"dest_ip\":\"16.10.10.11\",\"dest_port\":80,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019236,\"rev\":3,\"signature\":\"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number\",\"category\":\"Attempted Administrator Privilege Gain\",\"severity\":1},\"payload\":\"abcde\",\"payload_printable\":\"hi test\",\"stream\":0,\"host\":\"suricata.com\"}\n    --&gt;\n    &lt;rule id=\"86600\" level=\"0\"&gt;\n        &lt;decoded_as&gt;json&lt;\/decoded_as&gt;\n        &lt;field name=\"timestamp\"&gt;\\.+&lt;\/field&gt;\n        &lt;field name=\"event_type\"&gt;\\.+&lt;\/field&gt;\n        &lt;description&gt;Suricata messages.&lt;\/description&gt;\n        
&lt;options&gt;no_full_log&lt;\/options&gt;\n    &lt;\/rule&gt;\n\n    &lt;rule id=\"86601\" level=\"3\"&gt;\n        &lt;if_sid&gt;86600&lt;\/if_sid&gt;\n        &lt;field name=\"event_type\"&gt;^alert$&lt;\/field&gt;\n        &lt;description&gt;Suricata: Alert - $(alert.signature)&lt;\/description&gt;\n        &lt;options&gt;no_full_log&lt;\/options&gt;\n    &lt;\/rule&gt;\n\n    &lt;rule id=\"86602\" level=\"0\"&gt;\n        &lt;if_sid&gt;86600&lt;\/if_sid&gt;\n        &lt;field name=\"event_type\"&gt;^http$&lt;\/field&gt;\n        &lt;description&gt;Suricata: HTTP.&lt;\/description&gt;\n        &lt;options&gt;no_full_log&lt;\/options&gt;\n    &lt;\/rule&gt;\n\n    &lt;rule id=\"86603\" level=\"0\"&gt;\n        &lt;if_sid&gt;86600&lt;\/if_sid&gt;\n        &lt;field name=\"event_type\"&gt;^dns$&lt;\/field&gt;\n        &lt;description&gt;Suricata: DNS.&lt;\/description&gt;\n        &lt;options&gt;no_full_log&lt;\/options&gt;\n    &lt;\/rule&gt;\n\n    &lt;rule id=\"86604\" level=\"0\"&gt;\n        &lt;if_sid&gt;86600&lt;\/if_sid&gt;\n        &lt;field name=\"event_type\"&gt;^tls$&lt;\/field&gt;\n        &lt;description&gt;Suricata: TLS.&lt;\/description&gt;\n        &lt;options&gt;no_full_log&lt;\/options&gt;\n    &lt;\/rule&gt;\n\n&lt;\/group&gt;\n<\/code><\/pre>\n\n\n\n<p>Rule 86600 matches any JSON event that carries a <code>timestamp<\/code> and an <code>event_type<\/code> field; the child rules then classify <code>alert<\/code>, <code>http<\/code>, <code>dns<\/code> and <code>tls<\/code> events. Only the alert rule (86601) is raised above level 0, which is why Suricata alerts show up in Wazuh while plain HTTP, DNS and TLS events are decoded but not alerted on.<\/p>\n\n\n\n<p>Save and exit the agent configuration file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Restart Wazuh agent service<\/h3>\n\n\n\n<p>Before you restart the Wazuh agent, run the command below to check for configuration syntax errors;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo \/var\/ossec\/bin\/wazuh-syscheckd -t<\/code><\/pre>\n\n\n\n<p>The exit status should be 0 if there is no error. 
Otherwise, you will see a message about the error.<\/p>\n\n\n\n<p>Once the check passes, restart the agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart wazuh-agent<\/code><\/pre>\n\n\n\n<p>Also ensure Suricata is running and monitoring traffic on the correct network interface.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Test Wazuh Suricata Log Processing<\/h3>\n\n\n\n<p>It is now time to test whether Wazuh can actually read and process Suricata event logs.<\/p>\n\n\n\n<p>If Suricata is running on a live system with real-time traffic, you will most likely spot the network traffic events under the events of the respective Suricata server agent.<\/p>\n\n\n\n<p>See sample screenshot below;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/sample-wazuh-suricata-events.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1905\" height=\"888\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/sample-wazuh-suricata-events.png\" alt=\"integrate Suricata with Wazuh for log processing\" class=\"wp-image-12433\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/sample-wazuh-suricata-events.png?v=1651320335 1905w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/sample-wazuh-suricata-events-768x358.png?v=1651320335 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/04\/sample-wazuh-suricata-events-1536x716.png?v=1651320335 1536w\" sizes=\"(max-width: 1905px) 100vw, 1905px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>That is evidence enough that Wazuh is now collecting and processing Suricata events in real time.<\/p>\n\n\n\n<p>That brings us to the close of our tutorial on how to process Suricata logs with Wazuh.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/detecting-malicious-files-with-wazuh-and-virustotal\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detecting Malicious Files 
with Wazuh and VirusTotal<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detect Changes to Critical Files in Linux using Auditbeat and ELK<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to integrate Suricata with Wazuh for log processing. With its ability to write its logs in YAML and<\/p>\n","protected":false},"author":3,"featured_media":12434,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,72,34],"tags":[4965,318,4966,4964,4967],"class_list":["post-12380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-monitoring","category-security","tag-integrate-wazuh-and-suricata","tag-suricata","tag-suricata-wazuh-integration","tag-suricata-and-wazuh","tag-suricata-eve-json","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12380"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12380"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12380\/revisions"}],"predecessor-version":[{"id":20455,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12380\/revisions\/20455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12434"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12380"}],"wp:term
":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}