1 parent 8c600ef, commit 3461a35
Showing 31 changed files with 13,538 additions and 0 deletions.
@@ -0,0 +1,4 @@ | ||
# CHANGELOG - wazuh | ||
|
||
<!-- towncrier release notes start --> | ||
|
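Review bot: the changelog is created with only the `<!-- towncrier release notes start -->` marker and no entry for the initial release, while the README added in the same commit pins `datadog-wazuh==1.0.0`; add a towncrier fragment (or a `## 1.0.0` entry) describing the initial Wazuh log integration so the release notes are not generated empty.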
@@ -0,0 +1,155 @@ | ||
# Agent Integration: wazuh | ||
|
||
## Overview | ||
|
||
[Wazuh][3] provides a comprehensive security solution that detects, analyzes, and responds to threats across multiple IT infrastructure layers. Wazuh collects telemetry from endpoints, network devices, cloud workloads, third-party APIs, and other sources for unified security monitoring and protection. | ||
|
||
This integration ingests the following types of logs: | ||
- **file-integrity-monitoring** : Events related to file changes like permission, content, ownership and attributes. | ||
- **malware-detector** : Rootcheck events generated by Wazuh for detecting any malware in system. | ||
- **vulnerability-detector** : Vulnerability events generated by Wazuh. | ||
- **system** : Events from services like FTPD, PAM, SSHD, syslog, Windows, dpkg, yum, along with internal events. | ||
- **docker** : Activity Events of docker container. | ||
- **github** : Events from audit logs from github organizations. | ||
- **google-cloud** : Security events related to google cloud platform services. | ||
- **amazon** : Security events from amazon AWS services. | ||
- **office365** : Security events related to office365. | ||
|
||
Visualize detailed insights into these logs through the out-of-the-box dashboards. | ||
|
||
## Setup | ||
|
||
### Installation | ||
|
||
To install the Wazuh integration, run the following Agent installation command and the steps below. For more information, see the [Integration Management][4] documentation. | ||
|
||
**Note**: This step is not necessary for Agent version >= 7.57.0. | ||
|
||
Linux command | ||
```shell | ||
sudo -u dd-agent -- datadog-agent integration install datadog-wazuh==1.0.0 | ||
``` | ||
|
||
### Configuration | ||
|
||
#### Logs collection | ||
|
||
1. Collecting logs is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`: | ||
|
||
```yaml | ||
logs_enabled: true | ||
``` | ||
2. Add this configuration block to your `wazuh.d/conf.yaml` file to start collecting your logs. | ||
|
||
Use the UDP method to collect the wazuh alerts data. | ||
See the sample [wazuh.d/conf.yaml][6] for available configuration options. | ||
|
||
```yaml | ||
logs: | ||
- type: udp | ||
port: <PORT> | ||
source: wazuh | ||
service: wazuh | ||
``` | ||
**Note**: It is recommended not to change the service and source values, as these parameters are integral to the pipeline's operation. | ||
3. [Restart the Agent][2]. | ||
#### Configure syslog message forwarding from Wazuh | ||
1. Log in to the Wazuh UI. Navigate to the Left side Menu. | ||
2. Go to **Server management** > **Settings**. | ||
3. Click on **Edit configuration**. | ||
4. Add the following configuration block: | ||
In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format. | ||
```xml | ||
<syslog_output> | ||
<server>1.1.1.1</server> | ||
<port>8080</port> | ||
<format>json</format> | ||
</syslog_output> | ||
``` | ||
* The `server` tag should contain the IP address where your Datadog Agent is running. | ||
* The `port` tag should contain the port on which your Datadog Agent is listening. | ||
Note: Using JSON format is required, since Wazuh pipeline parses JSON formatted logs only. | ||
5. Click the **Save** button. | ||
6. After saving, Click on the **Restart Manager** button. | ||
### Validation | ||
[Run the Agent's status subcommand][5] and look for `wazuh` under the Checks section. | ||
|
||
## Data Collected | ||
|
||
### Log | ||
|
||
| Format | Event Types | | ||
| --------- | -------------- | | ||
| JSON | file-integrity-monitoring, malware-detector, vulnerability-detector, system, github, docker, amazon, office365, google-cloud| | ||
|
||
### Metrics | ||
|
||
The Wazuh integration does not include any metrics. | ||
|
||
### Events | ||
|
||
The Wazuh integration does not include any events. | ||
|
||
### Service Checks | ||
|
||
The Wazuh integration does not include any service checks. | ||
|
||
## Troubleshooting | ||
|
||
**Permission denied while port binding:** | ||
|
||
If you see a **Permission denied** error while port binding in the Agent logs: | ||
|
||
1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command: | ||
```shell | ||
sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent | ||
``` | ||
|
||
2. Verify the setup is correct by running the `getcap` command: | ||
|
||
```shell | ||
sudo getcap /opt/datadog-agent/bin/agent/agent | ||
``` | ||
|
||
With the expected output: | ||
|
||
```shell | ||
/opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep | ||
``` | ||
|
||
**Note**: Re-run this `setcap` command every time you upgrade the Agent. | ||
|
||
3. [Restart the Agent][2]. | ||
|
||
**Data is not being collected:** | ||
|
||
Make sure that traffic is bypassed from the configured port if the firewall is enabled. | ||
|
||
**Port already in use:** | ||
|
||
- If you see the **Port <PORT_NUMBER> Already in Use** error, see the following instructions. The example below is for port 514: | ||
|
||
- On systems using Syslog, if the Agent listens for Wazuh logs on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`. This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps: | ||
- Disable Syslog. | ||
- Configure the Agent to listen on a different, available port. | ||
For further assistance, contact [Datadog support][1]. | ||
[1]: https://docs.datadoghq.com/help/ | ||
[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent | ||
[3]: https://wazuh.com/ | ||
[4]: https://docs.datadoghq.com/agent/guide/integration-management/?tab=linux#install | ||
[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information | ||
[6]: https://github.com/DataDog/integrations-core/blob/master/wazuh/datadog_checks/wazuh/data/conf.yaml.example |
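Review bot: the `syslog_output` example uses a routable public address, `<server>1.1.1.1</server>`, rather than a placeholder; a reader who copies the block unchanged will forward their security alerts to a third party. Use a placeholder such as `<server><AGENT_IP></server>` (or an RFC 5737 documentation address) consistent with the `<PORT>` placeholder used in the `conf.yaml` block. Under the `server`/`port` bullets, also state that the syslog output is plain UDP with no authentication or encryption, so the Agent's listening port should be restricted to the Wazuh manager's address at the firewall; the "Data is not being collected" item should then say traffic must be "allowed through" the firewall rather than "bypassed from" the port.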
@@ -0,0 +1,10 @@ | ||
name: Wazuh | ||
files: | ||
- name: wazuh.yaml | ||
options: | ||
- template: logs | ||
example: | ||
- type: udp | ||
port: <PORT> | ||
source: wazuh | ||
service: wazuh |
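Review bot: the `example` block gives no hint that `port: <PORT>` must match the `<port>` value configured in Wazuh's `syslog_output` and be reachable from the Wazuh manager over UDP; add a comment line to the example (and keep `source: wazuh` / `service: wazuh` fixed, as the README says the pipeline depends on them) so the generated `conf.yaml.example` is self-explanatory.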