Has anyone tried Wazuh?: Page 2 - Enhance Control Panel

Has anyone tried Wazuh?

gmakhs

i wonder if https://github.com/google/cadvisor can help us also to find problematic websites?

netzen

The individual websites in Enhance do not run on Docker containers, but rather use cgroups for resource isolation. This means that cAdvisor, which is specifically designed to monitor Docker containers, wouldn't be directly applicable in this case. However, you can collect data from the cgroups using Vector and then send it to Wazuh for monitoring and visualization. That’s what I’m attempting to do. If I’m mistaken, please correct me 🙂

ivansalloum

@netzen Are you getting the diff command identified as a rootkit in Wazuh?

netzen

ivansalloum I've reviewed the logs from my Wazuh setup and checked for any mention of the diff command being flagged as a rootkit. However, I couldn't find any related alerts or detections. While it seems that Wazuh is not identifying it as a rootkit, I cannot say this with absolute certainty without further confirmation. Let me know if there are specific steps you'd recommend to verify this more thoroughly.

ivansalloum

netzen If you go to the Malware Detection section, do you see all these events regarding the diff command?

netzen

While I’m here, I’d like to report a milestone: I’ve successfully processed metrics for individual websites and am now planning to move on to the next steps 🙂

btraill

netzen

Great work, netzen! I may just spin up Wazuh again and give it another shot.

JohnB

netzen ohh this is nice. Any performance impact you've noticed?

gmakhs

netzen very intresting!! what logs did you used ?

netzen

JohnB The performance impact is minimal - both Wazuh agent and Vector typically use between 0-2% CPU when checking top. RAM usage is also very low, so you shouldn't notice any significant impact on your system.

ivansalloum

@netzen I checked their rootkit and trojan database and it is outdated. I tried using the signatures of Rootkit Hunter but they have different format. So I ignored the diff false positive by adding a custom rule with level 0 and now I'm integrating Rootkit Hunter with Wazuh to altert us whenever a rootkit is detected by adding a custom decoder and rule for it.

netzen

gmakhs I'm actually not using traditional logs - instead, I implemented a custom Vector configuration that collects container metrics directly from cgroups. It monitors CPU usage, memory consumption, and I/O rates for each container every 5 seconds using an exec source. This gives us real-time performance data for all website containers.

JohnB

@netzen Did you install the W.Server & W.Dashboard components on their own server(s) or alongside Enhance control panel?

netzen

JohnB I installed the Wazuh stack on a dedicated VM (4 cores, 8GB RAM) running on my Hetzner server with Proxmox. I wouldn't recommend installing it alongside the Enhance control panel - it's better to keep them separate to avoid any potential performance impacts or service interference between Wazuh and Enhance.

netzen

I'll share a guide with the configurations once I have everything well tested. I also want to try getting cPFence data into Wazuh. Will keep you posted 🙂

JohnB

netzen You're awesome, thanks

netzen

I'm starting to process first data from @cPFence in Wazuh. Are you interested in any specific data? Since I'm also new to cPFence, I currently have ModSecurity logs in Wazuh, and I'm thinking about what else might be useful. Thanks for your help 🙂

cPFence

netzen I'm starting to process first data from @cPFence in Wazuh. Are you interested in any specific data? Since I'm also new to cPFence, I currently have ModSecurity logs in Wazuh, and I'm thinking about what else might be useful. Thanks for your help

Here are some useful logs you can process in Wazuh:

Detected Viruses:
/var/log/cpfenceav/infections.history
Killed Queries:
/var/log/cpfenceav/killed_queries.history

IPDB Logs:

sudo tail -f /var/log/syslog | grep -E 'cPFence Blocked:|cPFence DDos Protection:'

Owl Logs:
sudo tail -f /opt/cpfence/app/owl/tmp/logs/main_log

You’ve done a great job so far. Good luck!.

netzen

cPFence Thanks, I'll try it this weekend.

netzen

cPFence Thank you for sharing these log locations! I already have IPDB and Owl logs successfully integrated and forwarding to Wazuh. Regarding the Detected Viruses and Killed Queries - these haven't been generated on my server yet, probably because nothing suspicious was detected 😊 Would you mind sending some example logs to info@netzen.cz? That would help me process and test the integration properly.

I'm making good progress with the Wazuh integration overall. In about 2-3 days, I should be ready to share my configurations with everyone. Thanks again for your help, and wishing you all the best!

manu

@netzen This is great. I tried Wazuh over the weekend too and your inputs are motivating! I will try setting up and see how it works for my use case! I will also post my learnings. I am able to work on Wazuh only on the weekends though thanks to the workload 🙂

« Previous Page Next Page »