Full Wazuh Install - The SOCFortress Way

  • Published 21 Dec 2024

Comments • 87

  • @neoninsv
    @neoninsv 1 year ago +15

    You've built some automations and a lot of cool stuff. I'd be interested in a demo video that just showcases all these in one sitting as if we were the SOC analysts at the console and to see some cases being worked from start to finish. No explanations of the back end or anything but just full on start to finish of case work in a real world scenario. That would be awesome to see it in action at the higher level.

  • @NetBandit70
    @NetBandit70 1 year ago +30

    May I suggest an audio upgrade. You can get a USB lavalier mic for under $10.

  • @Wahinies
    @Wahinies 1 year ago +3

    This is so cool thank you for this. I ran into some snags following the written guide but the video cleared some things up. I am running this on Debian 12 and one of the issues is the lack of binaries for mongodb so I found a short guide on using Ubuntu binaries and it works. I am running this in an Xcp-ng VM and it looks like its all running smoothly. Now to tinker with wazuh and graylog.

  • @BrianGood
    @BrianGood 9 months ago +3

    Great content. Your audio is lousy so maybe look into some sound foam or a better microphone or something. Thanks again for great content.

  • @YouDontNeedToKnow-000
    @YouDontNeedToKnow-000 several months ago

    Hey Taylor, is there anyway you can do a updated video? I've watch both this one and the previous version, and I'm still having issues. IDK if it's because there is Wazuh 4.9 now, or because there is a newer version of Graylog, but I'm unable to get past this setup of the SIEM stack and I've been working on it for almost two weeks now for a client. Any guidance or assistance would be lovely! Thanks for all you do!

  • @jimskyboy2
    @jimskyboy2 1 year ago +1

    FINALLY.
    After 7 times trying I finally got this up For those using proxmox make sure you run privileged containers on LXC and debian 11. Debian12 does not have a binary for Deb12 yet.
    I'm still having an issue with proxmox rewriting my hosts file upon each restart Looking forward to that API!

    • @sasookay514
      @sasookay514 1 year ago +2

      Bro, thanks for the heads up, I was just about to build this on Debian 12 in Proxmox.

  • @JustinJ.
    @JustinJ. 1 year ago +3

    What SSH connection manager are you using? Looks nifty

  • @AliciaFernandez-zy2pn
    @AliciaFernandez-zy2pn 6 months ago

    Taylor Walton, May I suggest you do a new video for Wazuh 4.8

  • @rogereales
    @rogereales 1 year ago +9

    Always great content, however I’m not sure if you’re aware Taylor but if you are trying to use Graylog ingestion and indices and expect to use the Wazuh dashboard for alerts it doesn’t work. It breaks absolutely everything. Graylog secretly changes all the key pair fields to use an underscore whereas Wazuh uses a dot in field names… 😢 -- Basically - Graylog does not allow "." characters in field names since version 2.0 of Elastic... Support has been restored since version 5.0. - However, Wazuh is using forked OpenSearch and they haven't changed this yet....
    For compatibility, Graylog replaces "." with "_" silently - it doesn't matter what you put in your extractor.... So Wazuh (OpenSearch 2.4.1 which I have... confirmed) expects their fields to have a "." in them... So if you ingest your agent logs to Graylog - via Fluent-bit and connect it back to Wazuh Indexer (OpenSearch 2.4.1 for Wazuh 4.4.0) the fields all have _ as the key separators in each field... So rule.id becomes rule_id and manager.name becomes manager_name - Wazuh dashboard becomes useless and doesn't display anything... This may not be a problem if you don't plan to use the Wazuh Dashboard for alerts and events, like if you are using Grafana...

    • @fxdtech
      @fxdtech 1 year ago +1

      Is there anything more on this? Is there a way around borking the underlying function of the wazuh platform? lol

    • @CyberMayler
      @CyberMayler 1 year ago +2

      @fxdtech No, once you stop using Filebeat, you can only use Graylog for analysis. There is a variable that you can test that is responsible for this happening.

    • @DeadlyDragon_
      @DeadlyDragon_ 1 year ago

      Yup just figured this crap out myself. compatibility.override_main_response_version: true is what allows filebeat to work for wazuh. But enabling this breaks graylog.

    • @CyberMayler
      @CyberMayler 1 year ago

      @DeadlyDragon_ I'm using Grafana with Wazuh, it's awesome. I separated the clusters on several servers using Docker, works perfectly and with no lag with all my 300 servers.

    • @DeadlyDragon_
      @DeadlyDragon_ 1 year ago +1

      Just sent them an email and got a response back regarding this,
      The way we setup our SIEM stack Filebeat (Wazuh manager) is not involved in writing the events to Wazuh Indexer. The flow is Wazuh manager + FluentBit - Graylog - Wazuh Indexer.
      That also means that Wazuh dashboard is not used to visualise/analyse events, Grafana is used for that.
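The dot-to-underscore renaming @rogereales describes above is easy to spot once you know to look for it. The following is an added example, not code from the video, from SOCFortress, or from anyone in this thread: a small Python check that takes an event as it would look after Graylog ingestion, reports which Wazuh fields arrived with underscored names, restores the dotted names for a known field list, and nests them into the object structure the Wazuh indexer mapping uses. The field list and the sample event are constructed for the example; the real Wazuh template contains many more fields. It also shows why a blind "_" to "." replacement is the wrong fix: Wazuh has genuine underscore fields such as full_log and predecoder.program_name.

```python
"""Detect and undo Graylog's "." -> "_" renaming of Wazuh field names.

Added example; the field list and sample event below are constructed.
"""
import json

# Constructed subset of fields the Wazuh dashboard reads under dotted names.
WAZUH_DOTTED_FIELDS = (
    "rule.id",
    "rule.level",
    "rule.description",
    "rule.mitre.id",
    "manager.name",
    "agent.id",
    "agent.name",
    "data.srcip",
    "predecoder.program_name",   # genuinely contains an underscore
)

# Constructed event in the shape it has after Graylog ingestion: every "."
# in a key has become "_". "full_log" is a real Wazuh field whose underscore
# must be left alone.
SAMPLE_GRAYLOG_EVENT = {
    "timestamp": "2024-05-30T00:33:37.262-04:00",
    "rule_id": "5710",
    "rule_level": 5,
    "rule_description": "sshd: Attempt to login using a non-existent user",
    "rule_mitre_id": ["T1110"],
    "manager_name": "wazuh-manager01",
    "agent_id": "001",
    "agent_name": "web01",
    "data_srcip": "203.0.113.7",
    "predecoder_program_name": "sshd",
    "full_log": "May 30 00:33:37 web01 sshd[4242]: Invalid user test from 203.0.113.7",
}


def flattened_key(dotted: str) -> str:
    """The name Graylog stores a dotted field under."""
    return dotted.replace(".", "_")


def find_flattened_fields(event: dict, expected=WAZUH_DOTTED_FIELDS) -> dict:
    """Map each expected dotted field that is missing from the event to the
    underscored key it actually arrived under. Empty dict means no mismatch."""
    found = {}
    for dotted in expected:
        if dotted in event:
            continue                      # already the name the dashboard wants
        flat = flattened_key(dotted)
        if flat in event:
            found[dotted] = flat
    return found


def restore_dotted_keys(event: dict, expected=WAZUH_DOTTED_FIELDS) -> dict:
    """Return a copy with the known fields back under their dotted names.
    Only fields in the expected list are renamed; everything else, including
    genuine underscore fields like full_log, is left untouched."""
    restored = dict(event)
    for dotted, flat in find_flattened_fields(event, expected).items():
        restored[dotted] = restored.pop(flat)
    return restored


def naive_underscore_to_dot(event: dict) -> dict:
    """What NOT to do: a blind replace turns full_log into full.log and
    predecoder.program_name into predecoder.program.name."""
    return {key.replace("_", "."): value for key, value in event.items()}


def nest_dotted(event: dict) -> dict:
    """Expand "a.b.c" keys into nested objects, the structure the Wazuh
    indexer mapping (and therefore the dashboard) expects."""
    nested = {}
    for key, value in event.items():
        parts = key.split(".")
        cursor = nested
        for part in parts[:-1]:
            cursor = cursor.setdefault(part, {})
        cursor[parts[-1]] = value
    return nested


if __name__ == "__main__":
    mismatches = find_flattened_fields(SAMPLE_GRAYLOG_EVENT)
    print(f"{len(mismatches)} Wazuh field(s) arrived with underscored names:")
    for dotted, flat in mismatches.items():
        print(f"  {flat:28} -> {dotted}")
    print(json.dumps(nest_dotted(restore_dotted_keys(SAMPLE_GRAYLOG_EVENT)), indent=2))
```

Running it lists the nine renamed fields and prints the event in the nested form the dashboard expects. This is a diagnostic for events you pull back out of the indexer; it does not change what Graylog writes. The durable fixes in the thread are to keep Filebeat writing to the indexer for dashboard use, or to do the renaming in the ingestion pipeline and accept that the Wazuh dashboard will be replaced by Grafana, as the Wazuh reply quoted above describes.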

  • @victorabiola8822
    @victorabiola8822 1 year ago +1

    Hi Taylor, excellent stuff always!! Please, are you able to share docker setup for latest wazuh with greylog

  • @armartrissahyakkahyzerzakd632
    @armartrissahyakkahyzerzakd632 1 year ago

    Excellent! TYSM, welcome back Taylor !

  • @JasonJonesoriginal
    @JasonJonesoriginal 11 months ago

    Thank you for the great video! I was able to follow along with just a few modifications on Debian 12. I made it all the way to the end but I'm not seeing any logs in Graylog even after reconnecting SSH. Any ideas?

  • @iammodibhakth
    @iammodibhakth 1 year ago +2

    Hey Taylor, thanks a lot for this video, I was stuck with a Graylog error due to version mismatching. You saved my job :)
    Thanks a lot again.

  • @dmswnrto
    @dmswnrto 1 year ago +2

    Hi Taylor, just want to correct your script in Medium in the Certificate Deployment segment: the script is missing ".pem". Overall, thank you for your guidance.

  • @kamilinformatyka4458
    @kamilinformatyka4458 6 months ago

    Hi guys, I have "There are no results for selected time range. Try another one." - MITRE, Compliance. How can I fix it? I installed everything from the tutorial the SOCFortress Way.

  • @junder93
    @junder93 1 year ago +2

    Hey Taylor, awesome work. I was wondering if you could upload a video where we can integrate Wazuh with DFIR-IRIS via shuffle. Relatively same as Wazuh+Shuffle+TheHive+Cortex.

  • @klrahul9172
    @klrahul9172 1 year ago

    Please make a video regarding how alerts are triggered in wazuh and how to investigate

  • @sbme1147
    @sbme1147 1 year ago

    @Wahinies 1 day ago
    Thank you that explains why my vulnerability scans disappeared and now the index templates are FUBAR after the 4.7 upgrade. Is the best course of action to just redo without graylog to keep the wazuh dashboard useful?
    That is a great question as I just ran across this video tonight and started creating folders with bookmarks to some of the programs I didn't already have. This one series I really do want to pursue and it'd be my first home lab test. However, if Graylog doesn't work how it's described in the video from May 2023, that would be a bummer, as one of my favorite YT streamers speaks highly of Graylog and they use it for the many thousands of computers they are in charge of remotely in their IT business.

  • @srijankafle2963
    @srijankafle2963 1 year ago +1

    I have been having the issue with certificate while using their docker with OpenSearch's indexer docker. Hope this solves it.
    Will get back here if it resolves the issue

    • @CyberMayler
      @CyberMayler 1 year ago +1

      I had the same problem, but the problem was with my Grafana user. Try to use the admin user from Wazuh to connect with and it will work. I’m trying to deploy all my lab with Docker and I am at the part where I configure Fluent Bit with the Wazuh master and worker logs created by volumes from the Wazuh docker compose.

    • @fxdtech
      @fxdtech 1 year ago

      @CyberMayler would you be able to share your docker-compose file through a pastebin - I am stuck on the Wazuh indexer / Graylog TLS/SSL communication

    • @CyberMayler
      @CyberMayler 1 year ago

      @fxdtech I'm working on it this week and I will share with you when I have it all done. I'm using Taylor’s model to do this using only Docker. I need to fix some issues about log volumes from Wazuh to map them inside the Fluent Bit container. We'll talk soon once I've done this new certs configuration from the video using Docker.

    • @fxdtech
      @fxdtech 1 year ago +1

      @CyberMayler Hey brother, just following up to see if you have made any progress on the Docker deployment? I am still stumped and now chasing my tail. Also, I hope all has been well in your sector of the universe.

    • @CyberMayler
      @CyberMayler 1 year ago +1

      @fxdtech yes, I made progress. I can help you.

  • @aceito8317
    @aceito8317 1 year ago

    How do you use Cloudflare Tunnel with this?

  • @chidanandkallibaddi1955
    @chidanandkallibaddi1955 4 months ago

    Anyone please help me. After installing the Wazuh Dashboard, I'm able to log in with admin credentials, but after that I'm encountering an error: "Application Not Found. No application was found at this URL. Try going back or choosing an app from the menu," and nothing is displayed.

  • @Зеркало-е3о
    @Зеркало-е3о 1 year ago

    As always Great! Thank you for your work!

  • @AkramZran
    @AkramZran 6 months ago

    Hi Taylor, Wazuh won't run anymore

  • @charlyeklu3654
    @charlyeklu3654 1 year ago

    Can you show us how to forward Cisco router logs to Wazuh in another video?

  • @wtseriously
    @wtseriously 1 year ago +1

    Man, can you give me a roadmap to being a good analyst, to learn all these things, for an absolute beginner?

  • @gjumbo
    @gjumbo 1 year ago +1

    What is the name of the SSH tool?

  • @matthewfx99
    @matthewfx99 1 year ago +1

    I have OpenSearch, Graylog and Wazuh manager EDR installed and working great. Is it possible to install the GUI for Wazuh EDR without the Wazuh indexer?

    • @Major_Thorn
      @Major_Thorn 1 year ago

      Do you mean the Wazuh-Dashboard?

  • @umarbaig007
    @umarbaig007 1 year ago

    How are you doing this? Why am I facing an error at every command? Denied, failed.

  • @BradyBrannon-l2j
    @BradyBrannon-l2j 1 year ago

    I would like to say maybe you should cover some troubleshooting steps, as not everyone will get through without errors. You're assuming it will just go smoothly.

  • @Hccoh005
    @Hccoh005 1 year ago

    Hi Taylor, thanks for the great vids!! Since you don't use the Wazuh manager to ingest the firewall logs but Graylog, is there a way to get some alerts or Shuffle triggered on certain firewall log events?

  • @RC-ec5ut
    @RC-ec5ut 1 year ago +1

    Hi Taylor, your content is excellent! HUGE thanks! 🤝 How can the same be done with Docker? I am trying to separate each deployment of services into its own config file, to keep my eyes above water; perhaps I will be able to join all of this into a single docker-compose yaml including persistent volumes using NFS 😳 I foresee the use of nginx on the host, rather than a container, for routing https traffic, but how can this be done, certificate-wise? I am building this for internal use, so I make use of an internal CA. So far I have not seen any videos describing a build with an internal CA, working and tested throughout. Could you show this to us newbie folk?

  • @mcastill3
    @mcastill3 1 year ago +1

    Excellent video, you helped me solve every issue that I had connecting Graylog with Wazuh-Indexer. Great content man.

    • @khai-vq5hn
      @khai-vq5hn 1 year ago

      How did you solve the Graylog connectivity error?

  • @nicoe6111
    @nicoe6111 1 year ago

    I wonder what the server sizing requirements are: what would you put on which server, or would you host everything on different servers?

  • @reu4ik148
    @reu4ik148 1 year ago

    Can someone tell me, I'm using Oracle VM, Ubuntu 22.04, trying to install MongoDB, and every time I get a core dump; apparently Oracle can't work with AVX. Can anyone tell me?

  • @souvikghosh8680
    @souvikghosh8680 1 year ago +1

    I'm facing this problem after completing 12:35 min of your video: "Wazuh dashboard server is not ready yet" 😭😭

    • @khai-vq5hn
      @khai-vq5hn 1 year ago

      Have you solved it???

    • @ivanzhelev1040
      @ivanzhelev1040 9 months ago

      I have the same problem

  • @bayusangkaya5525
    @bayusangkaya5525 1 year ago

    Is it possible to connect an already running Wazuh-Indexer (installed with the installation scripts) with Graylog?

  • @carlosgouveia
    @carlosgouveia 1 year ago

    On a fresh Ubuntu VPS, fresh install using Docker, when trying to add a new agent, I fill in all the data and run the commands on the machines where the agents are supposed to run, and nothing happens. If I press the refresh button it clears all options; if I go back to agents the list is empty.
    On the agent machine I get this in the logs:
    wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[ip-address]:1515'

  • @MrTolcher
    @MrTolcher 1 year ago

    Watching your series really has me motivated to play around with some of this tech in my homelab. Do you have a diagram to cover the full stack of tech used? Summer holidays coming up!

  • @patriciomartinez1929
    @patriciomartinez1929 1 year ago

    Hey Taylor. Awesome videos.
    By the way, I'm new to Wazuh and I don't know if ELK is not used anymore and is now replaced with the Wazuh indexer, or if ELK is also used with Wazuh in other kinds of environments. I'd appreciate it if you or anyone here can help with this.

  • @GordonSquared
    @GordonSquared 1 year ago

    Tried this multiple times, but sadly I get a connection error with the Wazuh dashboard.. seems it can't connect to OpenSearch.. so when logging into the web interface I get the message "Wazuh dashboard server is not ready yet". 😢

    • @GordonSquared
      @GordonSquared 1 year ago

      For the life of me I can't seem to figure out why

    • @szdomy
      @szdomy 1 year ago

      Same problem here.. have you found any solution for it?

    • @siriondb
      @siriondb 1 year ago +2

      I had that issue. I modified the opensearch.yml with the server IP and left it at localhost:9200. I then restarted the service and it worked.

  • @Rc28300
    @Rc28300 1 year ago

    Much appreciated !!

  • @charlyeklu3654
    @charlyeklu3654 1 year ago

    Thank you for this video.

  • @alexmarchant4277
    @alexmarchant4277 1 year ago +3

    The sound is bad :(

  • @artemfedorov5216
    @artemfedorov5216 1 year ago

    How to fix this problem?
    INFO: No current API selected
    INFO: Getting API hosts...
    INFO: API hosts found: 1
    INFO: Checking API host id [default]...
    INFO: Could not connect to API id [default]: timeout of 20000ms exceeded
    INFO: Removed [navigate] cookie
    ERROR: No API available to connect
    You received the same error at 13:07.

  • @DeadlyDragon_
    @DeadlyDragon_ 1 year ago +1

    What terminal emulator program are you using?

  • @chrispycryptic
    @chrispycryptic 1 year ago

    Mentioning the fact that you have to alter the information in your 'custom' config.yml under the [req_domain_name] from _your_ information to the default or our own would likely save people some headache. You should probably fix that link, since it kind of defeats the purpose of trying to help save time. Otherwise, great info!

  • @rahoulrdhopade6367
    @rahoulrdhopade6367 11 months ago

    On Wazuh I get this error. Any idea how to fix it, since we aren't using Filebeat? Thanks.
    [Alerts index pattern] No template found for the selected index-pattern title [wazuh-alerts-*]

    • @babsfernendis3393
      @babsfernendis3393 11 months ago +1

      I am getting the same error, were you able to solve this?

  • @_itis8809
    @_itis8809 1 year ago +4

    Love your videos but... the audio, man.. please, do something with it.

  • @duggrein409
    @duggrein409 1 year ago +2

    Just my personal input, but when I go to watch a video that has possibly good info but the audio of the video is not good, I skip to another one with better audio.
    Reverb city, yo.

  • @karlinaiin1290
    @karlinaiin1290 1 year ago +1

    Turn on subtitles, bro.

  • @babsfernendis3393
    @babsfernendis3393 11 months ago

    No reply to even a single comment... Great..

  • @umarbaig007
    @umarbaig007 1 year ago

    The temp/config.yml is empty

  • @KTrillionairepurse602
    @KTrillionairepurse602 6 months ago

    . - unable to find valid certification path to requested target.
    2024-05-30T00:33:37.262-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #344
    2024-05-30T00:33:42.278-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:42.279-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #345
    2024-05-30T00:33:47.301-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:47.301-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #346
    2024-05-30T00:33:52.330-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:52.330-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #347
    2024-05-30T00:33:57.353-04:00 ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
    2024-05-30T00:33:57.354-04:00 INFO [VersionProbe] Elasticsearch is not available. Retry #348

  • @khai-vq5hn
    @khai-vq5hn 1 year ago

    I don't have files in /tmp/wazuh-certificates, as /tmp gets deleted upon reboot. How do I proceed further with this command: openssl x509 -in wazuh-indexer01.socfortress.demo -text -noout, and with the installation of the Graylog certs and their validation? Though it does store a copy to /certs, it is throwing a connection error and my set domain and node server don't show up.

    • @bikramsingh4813
      @bikramsingh4813 11 months ago +1

      Create another directory tmp2 and replace tmp with tmp2 in all the commands.

    • @khai-vq5hn
      @khai-vq5hn 10 months ago

      Got it, thanks @bikramsingh4813

  • @khai-vq5hn
    @khai-vq5hn 8 months ago

    [ConnectionError]: getaddrinfo ENOTFOUND wazuh-indexer01. This error, WHYY