Security Onion no longer coming with Wazuh? #9684
-
|
Hello all., I have worked qith Wazuh quite a bit recently and have been looking to migrate over to using Security Onion. In the current docs I see that Security Onion will no longer be coming with Wazuh included. My ask here is, will wazuh agents still be supported and we just need to supply Security Onion with a wazuh instance seperately? Or will this be handled through some other 3rd party agent that we ship syslog with? Still a Wazuh / SecOnion noob here, so any insight is appreciated. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
Here is the section that states Wazuh won't be included with SO 2.4 I've also been using Ossec/Wazuh on all our systems since 2016! I've found it's incredibly helpful in gathering and viewing Windows issues. Please advise as to what tool will be replacing this function. I for one don't really care what the tools are, as long as we're still able to collect Windows logs. |
Beta Was this translation helpful? Give feedback.
-
|
Is Winlogbeat (Beats) what's replacing Wazuh? I'm reading the Docs and it says that Forward Nodes don't ingest FileBeat traffic so the Agent must send their data all the way to the Manager directly. This is not ideal in a distributed environment, and also the traffic is not encrypted by default. This is pretty much the reason I like Wazuh over Winlogbeat. The other options (Syslog and Sysmon) seem to use Winlogbeat as their transfer protocol, so it's looking like Winlogbeat is what we're working with moving forward. Could one of the SO Maintainers please chime in on this? If we need to modify our distributed environment in order to upgrade to 2.4 we'd like to plan ahead with accurate info. Thanks team! |
Beta Was this translation helpful? Give feedback.
-
|
We have a detailed blog post being released soon that will go into the 2.4 changes. There are 2 different ports in SO 2.3 for beats traffic. The default beats port is 5044 which by default does not use ssl but can be configured to do so. 5644 is the beats port that is used for SO related beats from the sensors. This uses cert verification and ssl. If you pull the appropriate certificates from so and use them with winlogbeat you can send encrypted to 5644. Or you can configure the default 5044 to use your in house certificates. This was done on purpose to allow maximum flexibility to the end user. |
Beta Was this translation helpful? Give feedback.
-
|
I have managed to move our entire environment over to sysmon / winlogbeats, and have all the traffic encrypted by deploying certs and specifying their use in the various config files. The documentation doesn't really paint the picture complete to make this work but it can be done with some effort/trial/error. I can't complain I rarely document anything I do as well as I should. The nice thing about the winlogbeat/sysmon deployment is that I was able to push all relevant files/certs/apps/config to the computers using pretty basic (easy enough for me to figure out) strategies. I think I have a robocopy script to keep files in a certain path consistent with my config changes and then some app deployment using intune and some service activation using a gpo. What's nice about this, is a very streamlined onboarding/provisioning process for new computers in the environed. it's effectively automated at this point. The system provisioned only need assign the computer to the appropriate OU and Intune security groups and I'll start collecting logs within a few hours. I never was able to sort out an -working- easy way to deploy wazuh. Unfortunately, with wazuh out of the picture, I'm no longer seeing alerts for certain activity that used to generate alerts, like software installation activity. wazuh also did some nice basic configuration compliance checkups and produced alerts for review that helped set some baselines for what we could expect and what to look for if something changed. I wish there was a way to get some of that capability back, especially the software install alerting, for winlogbeat. I'm sure there's some way to modify our SO install to do this, but it's probably complicated and prone to being wiped by updates. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
Take a look at the new Security Onion 2.4 with Elastic Agent!
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html
https://docs.securityonion.net/en/2.4/elastic-agent.html
https://docs.securityonion.net/en/2.4/elastic-fleet.html
https://docs.securityonion.net/en/2.4/elastic-fleet.html#adding-an-integration
https://docs.elastic.co/integrations/fim