indexing - KIBANA - WAZUH 模式索引

Question

我有一个项目要在 linux、AIX 和 windows 上将 wazuh 安装为 FIM。我设法在所有系统上安装了 Manager 和所有代理，我可以看到所有三个在 Kibana 网络上作为代理连接。

我在 linux 代理上创建了测试文件，我也可以在 Web 界面上找到它，因此服务器已连接。 这是在 wazuh 库存选项卡中找到的测试文件

但是，如果我修改此测试文件，我不会收到任何日志。

这是我在代理服务器上 syscheck 下的 ossec.conf 中的设置>

<directories>/var/ossec/etc/test</directories>
<directories report_changes="yes" check_all="yes" realtime="yes">/var/ossec/etc/test</directories>

现在我也在努力理解索引模式、索引模板和字段的含义。我不明白它们是什么以及为什么我们需要设置它。

我在管理服务器上的设置 - /usr/share/kibana/data/wazuh/config/wazuh.yml

alerts.sample.prefix: 'wazuh-alerts-*'
pattern: 'wazuh-alerts-*'

在 kibana 网络上，当我尝试检查 ,,events,, 时也出现此错误 - 事件中没有日志。

Error: The field "timestamp" associated with this object no longer exists in the index pattern. Please use another field.
    at FieldParamType.config.write.write (http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:627309)
    at http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:455052
    at Array.forEach (<anonymous>)
    at writeParams (http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:455018)
    at AggConfig.write (http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:355081)
    at AggConfig.toDsl (http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:355960)
    at http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:190748
    at Array.forEach (<anonymous>)
    at agg_configs_AggConfigs.toDsl (http://MYIP:5601/42959/bundles/plugin/data/kibana/data.plugin.js:1:189329)
    at http://MYIP:5601/42959/bundles/plugin/wazuh/4.2.5-4206-1/wazuh.chunk.6.js:55:1397640

谢谢你。

Answer 1

关于 FIM：

在这里您可以找到 FIM 文档以防万一： https ://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html https://documentation.wazuh .com/current/user-manual/reference/ossec-conf/syscheck.html。

这个工作的第一个要求是确保触发 FIM 警报，你能检查你经理的 alerts.json 文件吗？它通常位于 /var/ossec/logs/alerts/alerts.json 为了完全测试这一点，我将运行“tail -f /var/ossec/logs/alerts/alerts.json”并在 yout 目录中进行更改，如果没有生成警报，那么我们将需要检查代理配置。

关于索引：

在这里您可以找到一些文档： https ://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html https://www.elastic.co/guide/en/kibana/current/管理索引模式.html#scripted-fields https://documentation.wazuh.com/current/user-manual/kibana-app/reference/elasticsearch.html

关于您的错误，解决此问题的最佳方法是删除索引。要做到这一点：去 Kibana -> Stack management -> index patterns and there delete wazuh-alerts-*. 然后如果你进入Wazuh App，健康检查将再次创建它，或者你可以按照这个来创建你的索引：去kibana -> stack management -> index pattern and select Create index pattern.

希望这些信息对您有所帮助。

问候。

Answer 2

谢谢您的回答。

我设法克服了这个问题，但我遇到了另一个错误。

当我检查时，tail -f /var/ossec/logs/alerts/alerts.json我得到了永无止境的更新，成千上万行错误之类的。

{"timestamp":"2022-01-31T12:40:08.458+0100","rule":{"level":5,"description":"Systemd：服务已进入失败状态，可能尚未启动。 ","id":"40703","firedtimes":7420,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr": ["IV_35.7.d"]},"agent":{"id":"003","name":"MYAGENTSERVERNAME","ip":"XXXX"},"manager":{"name": "MYMANAGERSERVERNAME"},"id":"1643629208.66501653","full_log":"Jan 31 12:40:07 MYAGENTSERVERNAME systemd: Unit rbro-cbs-adapter-int.service 进入失败状态。","predecoder":{"program_name":"systemd","timestamp":"Jan 31 12:40:07","hostname":"MYAGENTSERVERNAME"},"decoder":{"name":"systemd"},"location":"/变量/日志/消息"}

但是，如果我更改受监控的文件，我也可以找到警报。（文件> wazuhtest）

{"timestamp":"2022-01-31T12:45:59.874+0100","rule":{"level":7,"description":"完整性校验和改变。","id":"550"," mitre":{"id":["T1492"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"组":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1 .f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4", "PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"MYAGENTSERVERNAME","ip":"xxxx.x"},"manager":{"name":" MYMANAGERSERVERNAME"},"id":"1643629559.67086751","full_log":"文件 '/var/ossec/etc/wazuhtest' 已修改\n模式：实时\n已更改属性：大小、mtime、inode、md5、sha1、sha256\n大小从 '61' 更改为 '66'\n旧的修改时间是：'1643618571'，现在是 '1643629559'\n旧的 inode 是：'786558'，现在是 '786559'\n旧的 md5sum 是：'2dd5fe4d08e7c58dfdba76e55430ba57'\n新md5sum 是：'d8b218e9ea8e2da8e8ade8498d06cba8'\n旧 sha1sum 是：'ca9bac5a2d8e6df4aa9772b8485945a9f004a2e3'\n新 sha1sum 是：'bd8b8b5c20abfe08841aa4f5aaa1e72f54a46d31'\nOld sha256sum was: '589e6f3d691a563e5111e0362de0ae454aea52b7f63014cafbe07825a1681320'\nNew sha256sum is : '7f26a582157830b1a725a059743e6d4d9253e5f98c52d33863bc7c00cca827c7'\n","syscheck":{"path":"/var/ossec/etc/wazuhtest","mode":"realtime", "size_before":"61","size_after":"66","perm_after":"rw-r-----","uid_after":"0","gid_after":"0","md5_before" :"2dd5fe4d08e7c58dfdba76e55430ba57","md5_after":"d8b218e9ea8e2da8e8ade8498d06cba8","sha1_before":"ca9bac5a2d8e6df4aa9772b8485945a9f004a2e3","sha1_after":"bd8b8b5c20abfe08841aa4f5aaa1e72f54a46d31","sha256_before":"589e6f3d691a563e5111e0362de0ae454aea52b7f63014cafbe07825a1681320","sha256_after":"7f26a582157830b1a725a059743e6d4d9253e5f98c52d33863bc7c00cca827c7","uname_after":"root","gname_after":"root","mtime_before":"2022-01-31T09:42:51","mtime_after" :"2022-01-31T12:45:59","inode_before":786558,"inode_after":786559,"diff":"1c1\n< dadadadadad\n---\n> dfsdfdadadadadad\n","changed_attributes ":["size","mtime","inode","md5","sha1","sha256"],"event":"modified"},"decoder":{"name":"syscheck_integrity_changed"} “位置”：“系统检查”} {“时间戳”："2022-01-31T12:46:08.452+0100","rule":{"level":3,"description":"日志文件旋转。","id":"591","firedtimes":5, "mail":false,"groups":["ossec"],"pci_dss":["10.5.2","10.5.5"],"gpg13":["10.1"],"gdpr":[" II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1" ,"CC7.2","CC7.3","PI1.4","PI1.5","CC7.1","CC8.1"]},"代理":{"id":"003 ","name":"MYAGENTSERVERNAME","ip":"xxxx.x"},"manager":{"name":"MYMANAGERSERVERNAME"},"id":"1643629568.67099280","full_log":"ossec: 文件旋转（inode 已更改）：'/var/ossec/etc/wazuhtest'。","decoder":{"name":"ossec"},"location":" wazuh-logcollector"}

我也可以在管理服务器上的消息日志中看到此警报>

1 月 31 日 12:46:10 MYMANAGERSERVERNAME filebeat[186670]: 2022-01-31T12:46:10.379+0100#011WARN#011[elasticsearch]#011elasticsearch/client.go:405#011Cannot index event publisher.Event{Content:beat .Event{Timestamp:time.Time{wall:0xc07610e0563729bf, ext:10888984451164, loc:(*time.Location)(0x55958e3622a0)}, Meta:{"pipeline":"filebeat-7.14.0-wazuh-alerts-pipeline" }，字段：{"agent":{"ephemeral_id":"dd9ff0c5-d5a9-4a0e-b1b3-0e9d7e8997ad","hostname":"MYMANAGERSERVERNAME","id":"03fb57ca-9940-4886-9e6e-a3b3e635cd35", "name":"MYMANAGERSERVERNAME","type":"filebeat","version":"7.14.0"},"ecs":{"version":"1.10.0"},"event":{"dataset ":"wazuh.alerts","模块":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name ":"MYMANAGERSERVERNAME"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"} ,"offset":127261462},"message":"{"timestamp":"2022-01-31T12:46:08.452+0100","rule":{"level":3,"description":"日志文件旋转。","id":"591","firedtimes":5,"mail":false,"groups":["ossec"],"pci_dss":["10.5.2","10.5.5" ],"gpg13":["10.1"],"gdpr":["II_5.1.f","IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9"],"tsc":["CC6.1","CC7.2"," CC7.3","PI1.4","PI1.5","CC7.1","CC8.1"]},"agent":{"id":"003","name":"xlcppt36 ","ip":"10.74.96.34"},"manager":{"name":"MYMANAGERSERVERNAME"},"id":"1643629568.67099280","full_log":"ossec: 文件旋转（inode 已更改）：' /var/ossec/etc/wazuhtest'.","decoder":{"name":"ossec"},"location":"wazuh-logcollector"}","service":{"type":"wazuh" }}, Private:file.State{Id:"native::706-64776", PrevId:"", 完成：false, Fileinfo:(*os.fileStat)(0xc00095ea90), Source:"/var/ossec/logs/alerts/alerts.json", Offset:127262058, Timestamp:time.Time{wall:0xc076063e1f1b1286, ext:133605185, loc :(*time.Location)(0x55958e3622a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x2c2, Device:0xfd08}, IdentifierName :"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","re​​ason": "data_stream [<wazuh-alerts-4.x-{2022.01.31||/d{yyyy.MM.dd|UTC}}>] 不得包含以下字符 [ , ", *, \, <, |, ,, >, /, ?]"}0xc076063e1f1b1286, ext:133605185, loc:(*time.Location)(0x55958e3622a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x2c2 , Device:0xfd08}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"非法参数异常","原因":"数据流 [<wazuh-alerts-4.x-{2022.01.31||/d{yyyy.MM.dd|UTC}}>] 不得包含以下字符 [ , ", * , \, <, |, ,, >, /, ?]"}0xc076063e1f1b1286, ext:133605185, loc:(*time.Location)(0x55958e3622a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x2c2 , Device:0xfd08}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"非法参数异常","原因":"数据流 [<wazuh-alerts-4.x-{2022.01.31||/d{yyyy.MM.dd|UTC}}>] 不得包含以下字符 [ , ", * , \, <, |, ,, >, /, ?]"}MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","re​​ason":"data_stream [<wazuh-alerts-4.x-{2022.01.31||/d{yyyy.MM. dd|UTC}}>] 不能包含以下字符 [ , ", *, \, <, |, ,, >, /, ?]"}MapStr(nil)}} (status=400): {"type":"illegal_argument_exception","re​​ason":"data_stream [<wazuh-alerts-4.x-{2022.01.31||/d{yyyy.MM. dd|UTC}}>] 不能包含以下字符 [ , ", *, \, <, |, ,, >, /, ?]"}

这是输出表单应用程序检查。

curl "http://localhost:9200"
{

  "version" : {
    "number" : "7.14.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "6bc13727ce758c0e943c3c21653b3da82f627f75",
    "build_date" : "2021-09-15T10:18:09.722761972Z",
    "build_snapshot" : false,
    "lucene_version" : "8.9.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

文件节拍测试输出

弹性搜索：http: //127.0.0.1 :9200 ... 解析 url...OK 连接...解析主机...OK dns 查找...OK 地址：127.0.0.1 拨号...OK TLS...WARN 禁用安全连接与服务器对话...OK 版本： 7.14.2

所以..我可以看到来自代理的警报，但它还没有到达 Kibana。在 kibana 网络上，我可以看到代理处于活动状态并已连接。