Sources configuration


Connect an Alertflex collector (Altprobe)

Note

Altprobe was tested under Ubuntu ver 16.04 and Centos 7 for Wazuh ver 3, ModSecurity 3.0 and Suricata ver 4.

  • In the Alertflex console, open the Project form and download the SSL certificate file Broker.pem.
[Screenshot: ../_images/cert.png]
  • Note the value of Project ref; it will be required later in the env.sh file.
[Screenshot: ../_images/project-id.png]
  • Log in to the Alertflex collector host and download the installation files.
$ git clone git://github.com/olegzhr/altprobe.git
$ cd ./altprobe
  • Fill in the Altprobe-specific parameters in the env.sh file and start the installation.
$ chmod u+x install_ubuntu16.sh
$ ./install_ubuntu16.sh
  • Copy the Broker.pem file to the directory /etc/altprobe/.
  • Configure the security sensors. The collector’s config file altprobe.yaml in the folder /etc/altprobe/ includes several parameters for every sensor/IDS; they allow remote management of IDS rules, blacklists and configs, and reading of alerts from the sensor’s logs.
falco_log: "_falco_log"
falco_redis: "altprobe_crs"
falco_conf: "/etc/falco/"
falco_rules: "/etc/falco/rules.d/"
falco_local: "/etc/falco/rules.available/"

modsec_log: "_modsec_log"
modsec_redis: "altprobe_waf"
modsec_conf: "/etc/nginx/modsec/"
modsec_rules: "/usr/local/owasp-modsecurity-crs-3.0.2/"
modsec_local: "/etc/nginx/modsec/rules/"

suri_log: "_suri_log"
suri_redis: "altprobe_nids"
suri_conf: "/etc/suricata/"
suri_rules: "/var/lib/suricata/rules/"
suri_local: "/etc/suricata/rules/"

wazuh_log: "_wazuh_log"
wazuh_redis: "altprobe_hids"
wazuh_conf: "/var/ossec/data/etc/"
wazuh_rules: "/var/ossec/ruleset/"
wazuh_local: "/var/ossec/data/etc/"
  • Reboot the system, then check the status of Altprobe.

Altprobe commands:

altprobe-start
altprobe-stop
altprobe-restart
altprobe-status

Example usage of the commands:

root@host:~# altprobe-status

alertflex collector isn't running

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

root@host:~# altprobe-start
alertflex collector started with code 0
root@host:~#

root@host:~# altprobe-status

alertflex collector is running, process 19023

suricata start/running, process 1797

ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...

How to check for Altprobe errors:

cat /var/log/syslog | grep altprobe
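The steps above leave three things to get right before the reboot: the sensor directories named in altprobe.yaml must exist on this host, Broker.pem must be in /etc/altprobe/, and any start-up problem lands in syslog. The script below is an added example, not part of the Altprobe project; it checks those three points from the shell. The file name altprobe-precheck.sh, the PEM-marker check on Broker.pem, and the error/fail filter on the syslog lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Altprobe project: pre-reboot checks for an
# Altprobe collector. Verifies that the *_conf/*_rules/*_local directories in
# altprobe.yaml exist on this host, that Broker.pem has been copied into
# the Altprobe directory, and narrows the page's syslog check to error lines.
# The file name altprobe-precheck.sh is an assumption.

# check_sensor_paths CONFIG_FILE
# Prints each *_conf, *_rules or *_local path from altprobe.yaml that does not
# exist as a directory; returns the number of missing paths (0 = all present).
# Paths are taken from the quoted value, so they must not contain spaces.
check_sensor_paths() {
    missing=0
    for p in $(awk -F'"' '/^[a-z]+_(conf|rules|local):/ { print $2 }' "$1"); do
        if [ ! -d "$p" ]; then
            echo "missing sensor directory: $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_broker_cert ALTPROBE_DIR
# Returns 0 when ALTPROBE_DIR/Broker.pem exists and carries a PEM block
# (assumption: the downloaded Broker.pem is a PEM-encoded file).
check_broker_cert() {
    pem="$1/Broker.pem"
    [ -f "$pem" ] && grep -q -- '-----BEGIN' "$pem"
}

# altprobe_log_errors LOGFILE
# Narrows the page's "grep altprobe /var/log/syslog" to lines that mention an
# error or failure; prints them and returns 0 if any were found, 1 otherwise.
altprobe_log_errors() {
    grep -i 'altprobe' "$1" | grep -iE 'error|fail'
}

# Usage: sh altprobe-precheck.sh /etc/altprobe [/var/log/syslog]
if [ "$#" -gt 0 ]; then
    check_broker_cert "$1" || echo "Broker.pem missing or not PEM in $1"
    check_sensor_paths "$1/altprobe.yaml"
    if [ "$#" -gt 1 ]; then altprobe_log_errors "$2"; fi
fi
```

Run it as `sh altprobe-precheck.sh /etc/altprobe /var/log/syslog` after editing altprobe.yaml and before the reboot; a non-zero count from check_sensor_paths usually means a sensor is installed in a non-default location and the matching *_conf/*_rules/*_local entry needs to be adjusted.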

Connect Elastic Beats

The Alertflex appliance can process Netflow and Syslog from network devices. To provide this functionality Alertflex integrates Logstash and Elastic Beats. On the client’s side, Filebeat (with modules Netflow and Syslog) or Packetbeat receive events from the network devices. On the Appliance side, Logstash receives Syslog and NetFlow from Beats and transmits it to Alertflex via ActiveMQ broker.

Tip

By default, the installation procedure of the appliance does not include the Logstash docker container. You can enable installation of the Logstash container in the appliance’s env.sh file.

Note

For Netflow, Alertflex performs a reputation check of IP addresses and DNS records. Syslog events are processed by Alertflex as alerts. Both Netflow and Syslog events can be redirected by Alertflex to the Log Management platform.

  • To connect Beats to the appliance, open the Project form in the Alertflex console and download the SSL certificate file alertflex.crt. Copy this file to the Beats directory.
[Screenshot: ../_images/cert.png]
  • Configure Beats to send Netflow and Syslog to the appliance’s Logstash.

Example Filebeat config file:

filebeat.inputs:
- type: syslog
  protocol.udp:
    host: "0.0.0.0:1514"

- type: netflow
  max_message_size: 10KiB
  host: "0.0.0.0:2055"
  protocols: [ v5, v9, ipfix ]
  expiration_timeout: 30m
  queue_size: 8192

output.logstash:
  hosts: ["XXXX:5044"]
  ssl:
    certificate_authorities: ["./certs/alertflex.crt"]
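Two edits to that example config are easy to forget: replacing the XXXX placeholder with the appliance address, and making sure the alertflex.crt file actually sits at the path named under certificate_authorities, since without it Filebeat cannot verify the appliance’s Logstash certificate. The function below is an added example, not part of the Alertflex or Filebeat documentation; it reads the output.logstash section of a Filebeat config and reports those problems. Resolving a relative CA path against the config file’s directory is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Alertflex/Filebeat documentation: sanity-check
# the output.logstash section of a Filebeat config before starting Filebeat.

# check_beats_output CONFIG_FILE
# Return codes: 0 ok, 1 placeholder or empty hosts, 2 no certificate_authorities,
# 3 CA file not found. Relative CA paths are resolved against the config's
# directory (assumption: Filebeat runs from the directory holding the config).
check_beats_output() {
    cfg="$1"
    cfgdir=$(dirname "$cfg")

    # Value of the hosts list, e.g. "XXXX:5044" (quotes kept for the message).
    hosts=$(sed -n 's/^[[:space:]]*hosts:[[:space:]]*\[\(.*\)].*/\1/p' "$cfg")
    case "$hosts" in
        ""|*XXXX*)
            echo "output.logstash.hosts not set: '$hosts'"
            return 1 ;;
    esac

    # First entry of ssl.certificate_authorities, if present.
    ca=$(sed -n 's/^[[:space:]]*certificate_authorities:[[:space:]]*\["\([^"]*\)"].*/\1/p' "$cfg")
    if [ -z "$ca" ]; then
        echo "ssl.certificate_authorities missing: appliance certificate would not be verified"
        return 2
    fi
    case "$ca" in
        /*) capath="$ca" ;;
        *)  capath="$cfgdir/$ca" ;;
    esac
    if [ ! -f "$capath" ]; then
        echo "CA file not found: $capath"
        return 3
    fi
    echo "output.logstash OK: hosts=[$hosts] ca=$capath"
    return 0
}

# Usage: sh check-beats.sh /path/to/filebeat.yml  (script name is an assumption)
if [ "$#" -gt 0 ]; then
    check_beats_output "$1"
fi
```

Once the function returns 0, Filebeat’s own `filebeat test config` and `filebeat test output` commands confirm that the file parses and that the TLS connection to port 5044 succeeds.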

Connect a Wazuh agent

Tip

By default (see env.sh file), the installation procedure of the appliance includes the Wazuh manager docker container.

Note

For instructions on installing the Wazuh agent on a host, refer to the Wazuh documentation.

Agents can be created in the Wazuh manager via the Alertflex web console.

  • Right-click any row in the agents table and select the menu item Add agent.
[Screenshot: ../_images/add-agent1.png]
  • Fill in the agent-specific parameters in the Add agent form.
[Screenshot: ../_images/add-agent2.png]
  • After creating an agent, select the agent’s row and open the menu item View key. The key shown is used to connect the agent to the Wazuh manager.
[Screenshot: ../_images/add-agent3.png]
  • Enter the appliance hostname/IP address and the key as parameters in the Wazuh agent (shown here for the Windows version of the agent).
[Screenshot: ../_images/add-agent4.png]