    Solved Wazuh - operational and can add agents - now what

    • IRJ @DustinB3403

      @DustinB3403 said in Wazuh - operational and can add agents - now what:

      @IRJ

      Starting Wazuh manager...
      env[11414]: 2019/12/11 13:57:27 ossec-analysisd: CRITICAL: rules_list: Signature ID '13202' not found. Invalid 'if_sid'.
      env[11414]: ossec-analysisd: Configuration error. Exiting
      systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
      systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
      systemd[1]: Failed to start Wazuh manager.

      Does rule 13202 not exist? You should be able to find it in your rules folder under the 0200-smbd_rules.xml file.

      • DustinB3403 @Dashrender

        @Dashrender

        Starting Wazuh manager...
         env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
         env[11593]: ossec-analysisd: Configuration error. Exiting
         systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
         systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
         systemd[1]: Failed to start Wazuh manager.
        
        • IRJ @DustinB3403

          @DustinB3403 said in Wazuh - operational and can add agents - now what:

          @Dashrender

          Starting Wazuh manager...
           env[11593]: 2019/12/11 15:11:32 ossec-analysisd: CRITICAL: rules_list: Signature ID '9999' not found. Invalid 'if_sid'.
           env[11593]: ossec-analysisd: Configuration error. Exiting
           systemd[1]: wazuh-manager.service: Control process exited, code=exited status=1
           systemd[1]: wazuh-manager.service: Failed with result 'exit-code'.
           systemd[1]: Failed to start Wazuh manager.
          

          Oh, I made a typo! It's supposed to be 13102

          • IRJ

            @DustinB3403

            This is how you verify rule ID numbers

            c2826081-0d96-4382-a777-fa5644cf47e9-image.png

            Then you open the rule file

            bf7fbc92-da9a-4ee0-b147-9baee6dd8646-image.png

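
The lookup described in the post above (confirm a rule ID exists before naming it in `if_sid`) can be run over a whole rules folder before restarting the manager. This is an added example, not code from the thread or from the Wazuh project; the directory names, file names and rule contents are constructed, and the regex scan only checks that every `if_sid` / `if_matched_sid` parent is defined in some scanned file.

```python
import re
import tempfile
from pathlib import Path

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
RULE_BLOCK = re.compile(r'<rule\b[^>]*\bid="(\d+)"[^>]*>(.*?)</rule>', re.DOTALL)
PARENT_REF = re.compile(r"<(if_sid|if_matched_sid)>([^<]*)</\1>")


def find_dangling_parents(rule_dirs):
    """Return sorted (file name, rule id, missing parent id) tuples."""
    texts = {}
    for d in rule_dirs:
        for path in sorted(Path(d).glob("*.xml")):
            # Drop XML comments so commented-out rules are not counted.
            texts[path] = COMMENT.sub("", path.read_text(errors="replace"))
    defined = {rid for t in texts.values() for rid, _ in RULE_BLOCK.findall(t)}
    problems = []
    for path, text in texts.items():
        for rid, body in RULE_BLOCK.findall(text):
            for _tag, refs in PARENT_REF.findall(body):
                # if_sid accepts a comma-separated list of parent IDs.
                for ref in re.split(r"[,\s]+", refs.strip()):
                    if ref and ref not in defined:
                        problems.append((path.name, rid, ref))
    return sorted(problems)


def demo():
    # Constructed sample rules (not Wazuh's shipped ruleset).
    stock = '''<group name="sample,">
  <rule id="13102" level="5"><description>Constructed parent</description></rule>
</group>'''
    local = '''<group name="local,">
  <rule id="100001" level="10"><if_sid>9999</if_sid></rule>
  <rule id="100002" level="10"><if_sid>13102, 100001</if_sid></rule>
  <!-- <rule id="100003" level="3"><if_sid>4242</if_sid></rule> -->
</group>'''
    with tempfile.TemporaryDirectory() as tmp:
        shipped, custom = Path(tmp, "shipped"), Path(tmp, "custom")
        shipped.mkdir()
        custom.mkdir()
        (shipped / "sample_rules.xml").write_text(stock)
        (custom / "local_rules.xml").write_text(local)
        return find_dangling_parents([shipped, custom])


if __name__ == "__main__":
    for name, rid, missing in demo():
        print(f"{name}: rule {rid} references undefined parent {missing}")
```
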
            • DustinB3403

              @IRJ so a lot of this works out of the box. One question I have is how the heck do I get the details of specific events?

              In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?

              chrome_43H3sn69pw.png

              • DustinB3403

                Or, I guess an even better question: is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.

                • IRJ @DustinB3403

                  @DustinB3403 said in Wazuh - operational and can add agents - now what:

                  @IRJ so a lot of this works out of the box. One question I have is how the heck do I get the details of specific events?

                  In the below I specifically failed a login attempt a few times. How can I find out what client was attempting to log in to this server and failed?

                  chrome_43H3sn69pw.png

                  So you already filtered it. Just click Discover on the top right.

                  • IRJ @DustinB3403

                    @DustinB3403 said in Wazuh - operational and can add agents - now what:

                    Or, I guess an even better question: is there some free training on Wazuh? I did a very brief search and found a few things, but it's all over the place as to what may be useful.

                    Nope, I should make a course on Udemy, though.

                    • DustinB3403 @IRJ

                      @IRJ said in Wazuh - operational and can add agents - now what:

                      So you already filtered it. Just click Discover on the top right.

                      Doh, that is so easy that I didn't even think that was it.

                      • IRJ @DustinB3403

                        @DustinB3403 said in Wazuh - operational and can add agents - now what:

                        @IRJ said in Wazuh - operational and can add agents - now what:

                        So you already filtered it. Just click Discover on the top right.

                        Doh, that is so easy that I didn't even think that was it.

                        @DustinB3403

                        3a8e8726-f742-493d-a2cd-5f54c82ce4fb-image.png
