There is a pretty common scenario I've come across multiple times when I join a company: someone's done a lot of hard work pulling all the log files into a central platform like ELK, and then moved on to the next task.
Awesome, great job, well done you..
Somewhere on that business security checklist it said "centralise your logging", and the tech team head off and build a wonderful centralised logging solution, pulling syslogs from servers, logs from switches, routers and web servers, event logs from Windows servers, the lot, into a centralised system.
This is totally what you should be doing; however, there is no point if all you do with the data is post-disaster blame pointing (root cause analysis).
I would argue that the data in these log files, used right, is richer and more worthwhile than any monitoring solution. A monitoring solution is designed to tell you when it can or cannot see something it was expecting to see. Logs will tell you when something is about to happen, when it's happening, when it happened and usually why it happened.
Analysing all this data, however, is time-consuming, which is why there are tools to do the heavy lifting for you.
Wazuh is a self-hosted, agent-driven solution that pulls logs into itself and crunches the data to give you dashboard-driven, and then deep-dive, information on what is happening on your systems.
Wazuh was forked from OSSEC (https://www.ossec.net/) in 2015, and the company is US-based.
Wazuh consists of three main components: the agent, the server, and the Elastic Stack.
- The Wazuh lightweight agent is designed to perform a number of tasks with the objective of detecting threats and, when necessary, triggering automatic responses. It can run on many different platforms, including Windows, Linux, Mac OS X, AIX, Solaris and HP-UX. Agents are configured and managed from the Wazuh server.
- The Wazuh server is in charge of analyzing the data received from the agents, processing events through decoders and rules, and using threat intelligence to look for well-known IOCs (Indicators Of Compromise). A single Wazuh server can analyze data from hundreds or thousands of agents, and scale horizontally when set up in cluster mode.
- Alerts generated by Wazuh are sent to Elasticsearch, where they are indexed and stored. The Wazuh Kibana plugin provides a powerful user interface for data visualization and analysis, which can also be used to manage and monitor the configuration and status of the agents.
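To make the "decoders and rules" step concrete, here is an added Python sketch of what the server side does with a log line. It is not Wazuh code (Wazuh's decoders and rules are XML and far richer); it is a toy in the same shape: a decoder pulls structured fields out of raw sshd syslog entries, ordered rules turn those fields into levelled alerts, and a frequency rule correlates repeated failures from one source so that a later successful login from that same source is flagged, which is exactly the "about to happen / happened" point made above. The sample log lines are constructed, the rule ids use the 100000+ range Wazuh leaves free for local rules, and the compliance tags are illustrative labels in the style Wazuh attaches to rules, not a verified mapping.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed sample syslog lines (not taken from a real host).
SAMPLE_LOGS = [
    "Mar  3 10:01:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:01:04 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:01:08 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Mar  3 10:01:15 web01 sshd[2107]: Accepted publickey for deploy from 198.51.100.20 port 40110 ssh2",
    "Mar  3 10:01:20 web01 sshd[2109]: Accepted password for root from 203.0.113.7 port 51055 ssh2",
    "Mar  3 10:02:00 web01 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Decoder stage: a generic syslog header decoder, then a program-specific one for sshd.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"
)

@dataclass
class Event:
    raw: str
    ts: datetime
    host: str
    program: str
    fields: Dict[str, str] = field(default_factory=dict)

def decode(line: str) -> Optional[Event]:
    """Turn one raw syslog line into a structured Event; sshd lines get extra fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = Event(line, datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], m["prog"])
    if ev.program == "sshd":
        sub = SSHD_RE.match(m["msg"])
        if sub:
            ev.fields = sub.groupdict()
            ev.fields["outcome"] = ev.fields["outcome"].lower()
    return ev

@dataclass
class Rule:
    id: int            # 100000+ is the range Wazuh reserves for local (custom) rules
    level: int         # severity, in the spirit of Wazuh's 0-15 alert levels
    description: str
    match: Callable[[Event, int], bool]   # (event, recent failures from same source) -> bool
    compliance: tuple = ()                # illustrative tags only, not a verified mapping

THRESHOLD = 3                   # this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window counts as brute forcing

# Rule stage: most specific first; the first rule that matches decides the alert.
RULES: List[Rule] = [
    Rule(100003, 12, "sshd: successful login from a source that was brute forcing",
         lambda ev, n: ev.fields["outcome"] == "accepted" and n >= THRESHOLD,
         ("pci_dss_10.2.5", "pci_dss_11.4")),
    Rule(100002, 10, "sshd: brute force attempt (repeated failures from one source)",
         lambda ev, n: ev.fields["outcome"] == "failed" and n >= THRESHOLD,
         ("pci_dss_10.2.4", "pci_dss_11.4")),
    Rule(100001, 5, "sshd: authentication failed",
         lambda ev, n: ev.fields["outcome"] == "failed", ("pci_dss_10.2.4",)),
    Rule(100000, 3, "sshd: authentication succeeded",
         lambda ev, n: ev.fields["outcome"] == "accepted", ("pci_dss_10.2.5",)),
]

class Engine:
    """Keeps per-source failure history so the frequency rules can correlate events."""

    def __init__(self) -> None:
        self.failures: Dict[str, deque] = defaultdict(deque)

    def _recent_failures(self, srcip: str, now: datetime) -> int:
        q = self.failures[srcip]
        while q and now - q[0] > WINDOW:    # forget failures older than the window
            q.popleft()
        return len(q)

    def process(self, line: str) -> Optional[dict]:
        ev = decode(line)
        if ev is None or not ev.fields:     # undecodable or not an sshd auth event
            return None
        srcip = ev.fields["srcip"]
        if ev.fields["outcome"] == "failed":
            self.failures[srcip].append(ev.ts)
        n = self._recent_failures(srcip, ev.ts)
        for rule in RULES:
            if rule.match(ev, n):
                return {"rule_id": rule.id, "level": rule.level, "description": rule.description,
                        "compliance": rule.compliance, "host": ev.host, "srcip": srcip,
                        "user": ev.fields["user"], "timestamp": ev.ts.strftime("%b %d %H:%M:%S")}
        return None

def run(lines: List[str]) -> List[dict]:
    """Feed lines through one engine in order and collect the alerts it raises."""
    engine = Engine()
    return [a for a in (engine.process(line) for line in lines) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(f"[{alert['level']:>2}] rule {alert['rule_id']} {alert['description']} "
              f"({alert['srcip']} -> {alert['host']}, user {alert['user']})")
```

Run against the constructed lines, the three failures from 203.0.113.7 raise two level 5 alerts and then a level 10 brute-force alert, the deploy login from a clean source is a level 3 informational alert, and the root login from the brute-forcing source is escalated to level 12. The cron line is decoded but matches no rule, which is the normal fate of most log volume; the dashboards and triggers described later only ever see what the rules promote to an alert.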
Once installed and set up, it provides a whole bunch of services.
ELK and the Agents
ELK is the backbone of the service and during install, you can either install ELK as part of a standalone server solution or piggyback on an existing ELK install for a larger enterprise-level service.
For reference, I'm running Wazuh on my home setup on a 4Gb, 2CPU, 320Gb Disk Proxmox virtual RHEL8 instance and it's dealing with 14 agents and 30 Syslog inputs fine.
The agents are installed on the endpoints/nodes you want to pull data from and talk over TCP/1514 to the master Wazuh server. They collect all the log data they can find on the node and push it into the ELK stack.
At the very least, Wazuh provides you with an easy-to-update ELK stack and the Kibana interface to search logs and set up triggers out to mail or to services like Discord or Slack.
However, the real power of a system like this is the help it gives in ensuring compliance across your systems.
The main dashboard has several areas that provide reports and dashboard output to let you know how compliant your systems are.
If I take Security Events, this shows me that even though I patch my systems weekly, the lack of reboots is not providing me with the kernel updates I need to stop security issues (so I rebooted the servers and reduced these graphs).
If I needed to run a regular PCI-DSS audit on systems, then with the agents installed and Wazuh running I'd get a far clearer picture of what I'd need to do to ensure I was passing that audit.
This is a short overview. I love that the software is free, there isn't a limit on the number of endpoints and it's scalable if I need it to be. It's self-hosted (and I think available on AWS if that's your thing), so the data stays with me.
Anything which is providing me with this type of information is a worthwhile addition to my home setup.