Anyone here using Wazuh?
From my limited use, I'm a fan. Didn't take much to get it set up, configured and rolled out in a hurry, but outside of adding some active-response rules, I haven't really broken into the guts and really started utilizing it properly.
Anyone else have any wisdom/resources regarding Wazuh? The one issue I ran into off the bat was having trouble adding custom rules. I made sure the syntax was proper (via the docs), tried to save it and received an "Invalid XML syntax" error. I copy/pasted a pre-existing, stock install rule, and it seems that even if the syntax is proper, it says it's invalid. I managed to find some issues that were similar, but not quite the same, on GitHub issues/Google Groups, but none of the fixes really applied to my situation.
Just hoping to see if anyone else has a little more experience, and if you have any custom visualizations/dashboards set up, what that looks like (with proper redactions, of course).
Poll: Do you use Wazuh? (18 votes)
- Yes: 44.44%
- No: 22.22%
- Debian: 33.33%
Comments
Tried it, but sincerely, search for another SIEM alternative.
After an agonizing 5 days of configuring and so on, I said to myself, there must be another app that can do this more easily, or not be as complicated as this one.
The GUI is, well, not intuitive would be the word for it.
For me personally, it did not work out.
Host-C - VPS Services Provider - AS211462
"If there is no struggle there is no progress"
What'd you end up settling with?
Nothing, for the moment.
Host-C - VPS Services Provider - AS211462
"If there is no struggle there is no progress"
We use it at my office but I'm not involved in that project so I have no wisdom for you. Maybe I'll play with it though. I always enjoy when I know more about a subject than my InfoSec people.
someone call me?
Check it out! If you break anything, it's easy just to hit the eject button and the uninstall script takes care of everything.
If you do get things going, just make sure you back up your (working!) ossec.conf and any of your local_rules.xml to somewhere outside of your installation, so if things go wrong you can just replace the files, reboot your server and get back to it.
I finally got my syntax issue resolved and it's gravy now. Super straightforward to jump into, and there are enough pre-defined rules of every sort that it's easy to find a base rule and customize out from there. I had tried Snort a while back, but without installing Graylog + Kibana it was pretty useless, and with that software stack it's not very lightweight.
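As an added example of the "find a base rule and customize out from there" approach described above (this is not code from the thread or from the Wazuh project), a local_rules.xml that builds a child rule on the stock sshd authentication-failure rule. It assumes stock rule 5716 is that rule in the default ruleset; the ids 100001/100002 and the 10.0.0.0/8 management range are constructed for illustration.

```xml
<!-- local_rules.xml: added example, not from the thread or the Wazuh project.
     Assumed: stock rule 5716 ("sshd: authentication failed") exists in the
     default ruleset. Rule ids 100001/100002 and the 10.0.0.0/8 range are
     constructed; custom rule ids should stay in the 100000+ local range. -->
<group name="local,sshd,authentication_failed,">

  <!-- Child of stock 5716: same match as the base rule, but raise the level
       when the failed login comes from outside the assumed management network. -->
  <rule id="100001" level="10">
    <if_sid>5716</if_sid>
    <srcip negate="yes">10.0.0.0/8</srcip>
    <description>sshd: authentication failure from outside the management network</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: five or more hits of 100001 from the same source
       within 120 seconds, a higher-severity alert suited to active response. -->
  <rule id="100002" level="12" frequency="5" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated external authentication failures from one source</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

On a Wazuh 4.x manager the file can be exercised offline by pasting a sample sshd failure line into /var/ossec/bin/wazuh-logtest, which reports which rule id and level fired before the rules go live.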
What issues were you having with it exactly? I'm not a programmer by any means but the documentation is super thorough and I think I finally got the hang of it since posting.
I use both Stellarcyber & Wazuh. Wazuh has great features as free software. Stellarcyber is more powerful than Wazuh, the quality matches the price.
TrackWith - Free Privacy Focused Analytics
That's awesome to hear. Even better insight from someone who's used Wazuh and a paid solution.
Judging by the frequency of corporate IT buzzwords, an .ai domain and "request a quote" vs listed pricing, guessing the low tier license for Stellarcyber is a minimum of 5 figures?
I figured I'd give it a run and try and learn something new and I sure do feel more in control of what's going on with my servers and I'm really enjoying it so far.
Between Stellarcyber and Wazuh, how similar are they in terms of configuring/rule writing, etc.? I could see Wazuh being good for schools/non-profits/small business, but obviously in a more corporate-type environment you'd want to be able to pick up the phone and call someone if things go wrong. I actually found more support (for the issues I was running into) from Wazuh's Google Groups than I did on GitHub/Stack Overflow combined, and that seemed kinda odd. I didn't even know Google Groups were a thing anymore.