Connect an Alertflex collector (Altprobe)
Altprobe was tested under Ubuntu 16.04 and CentOS 7 with Wazuh 3, ModSecurity 3.0 and Suricata 4.
- Open the Project form in the Alertflex console and download the SSL certificate.
- Check the value of Project ref; later it will be required in
- Log in to the Alertflex collector host and download the installation files.
    $ git clone git://github.com/olegzhr/altprobe.git
    $ cd ./altprobe
- Fill in the Altprobe-specific parameters in the env.sh file and start the installation.
    $ chmod u+x install_ubuntu16.sh
    $ ./install_ubuntu16.sh
Broker.pem file to directory
- Configure the security sensors. The collector's config file in /etc/altprobe/ includes several parameters for every sensor/IDS; they allow remote management of IDS rules, blacklists and configs, and reading of alerts from the sensor's logs.
    falco_log: "_falco_log"
    falco_redis: "altprobe_crs"
    falco_conf: "/etc/falco/"
    falco_rules: "/etc/falco/rules.d/"
    falco_local: "/etc/falco/rules.available/"
    modsec_log: "_modsec_log"
    modsec_redis: "altprobe_waf"
    modsec_conf: "/etc/nginx/modsec/"
    modsec_rules: "/usr/local/owasp-modsecurity-crs-3.0.2/"
    modsec_local: "/etc/nginx/modsec/rules/"
    suri_log: "_suri_log"
    suri_redis: "altprobe_nids"
    suri_conf: "/etc/suricata/"
    suri_rules: "/var/lib/suricata/rules/"
    suri_local: "/etc/suricata/rules/"
    wazuh_log: "_wazuh_log"
    wazuh_redis: "altprobe_hids"
    wazuh_conf: "/var/ossec/data/etc/"
    wazuh_rules: "/var/ossec/ruleset/"
    wazuh_local: "/var/ossec/data/etc/"
- Reboot the system and then check the status of Altprobe with the following commands:
    altprobe-start
    altprobe-stop
    altprobe-restart
    altprobe-status
Example usage of the commands:
    root@host:~# altprobe-status
    alertflex collector isn't running
    suricata start/running, process 1797
    ossec-monitord is running...
    ossec-logcollector is running...
    ossec-remoted is running...
    ossec-syscheckd is running...
    ossec-analysisd is running...
    ossec-maild not running...
    ossec-execd is running...
    wazuh-modulesd is running...
    root@host:~# altprobe-start
    alertflex collector started with code 0
    root@host:~#
    root@host:~# altprobe-status
    alertflex collector is running, process 19023
    suricata start/running, process 1797
    ossec-monitord is running...
    ossec-logcollector is running...
    ossec-remoted is running...
    ossec-syscheckd is running...
    ossec-analysisd is running...
    ossec-maild not running...
    ossec-execd is running...
    wazuh-modulesd is running...
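To act on this status output from a monitoring job (for instance, to raise a ticket when the collector or a sensor has stopped), the parser below turns the three line formats shown above into a service map. It is an added example, not part of the Altprobe project; the sample text is constructed from the output above, and the set of services that are acceptable to find stopped (expected_down) is an assumption to adjust locally.

```python
import re

# Constructed sample: the altprobe-status output from the page, one service per line.
SAMPLE_STATUS = """\
alertflex collector isn't running
suricata start/running, process 1797
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...
wazuh-modulesd is running...
"""

# The three line shapes altprobe-status prints (collector, upstart-style service, ossec/wazuh daemon).
LINE_PATTERNS = [
    re.compile(r"^(?P<name>alertflex collector) (?P<state>is running|isn't running)"
               r"(?:, process (?P<pid>\d+))?$"),
    re.compile(r"^(?P<name>\S+) (?P<state>start/running|stop/waiting)"
               r"(?:, process (?P<pid>\d+))?$"),
    re.compile(r"^(?P<name>\S+) (?P<state>is running|not running)\.\.\.$"),
]
RUNNING_STATES = {"is running", "start/running"}


def parse_status(text):
    """Map each service name to (running, pid); pid is None when the line carries none."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern in LINE_PATTERNS:
            match = pattern.match(line)
            if match:
                pid = match.groupdict().get("pid")
                result[match.group("name")] = (match.group("state") in RUNNING_STATES,
                                               int(pid) if pid else None)
                break
        else:
            # Unknown line shapes are an error rather than silently ignored.
            raise ValueError(f"unrecognised status line: {line!r}")
    return result


def stopped_services(text, expected_down=("ossec-maild",)):
    """Services reported as not running, minus those assumed to be intentionally disabled."""
    return sorted(name for name, (running, _) in parse_status(text).items()
                  if not running and name not in expected_down)
```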
How to check for Altprobe errors:
    grep altprobe /var/log/syslog
Connect Elastic Beats
The Alertflex appliance can process NetFlow and Syslog from network devices. To provide this functionality, Alertflex integrates Logstash and Elastic Beats. On the client side, Filebeat (with the NetFlow and Syslog modules) or Packetbeat receives events from the network devices. On the appliance side, Logstash receives Syslog and NetFlow from Beats and forwards them to Alertflex via the ActiveMQ broker.
By default, the installation procedure of the appliance does not include the Logstash docker container. You can enable installation of the Logstash container in the env.sh file of the appliance.
For Netflow, Alertflex performs a reputation check of IP addresses and DNS records. Syslog events are processed by Alertflex as alerts. Both Netflow and Syslog events can be redirected by Alertflex to the Log Management platform.
- To connect Beats to the appliance, open the Project form in the Alertflex console and download the SSL certificate alertflex.crt file. Copy this file to the Beats directory.
- Configure Beats to send NetFlow and Syslog to the appliance's Logstash.
Example Filebeat config file:
    filebeat.inputs:
    - type: syslog
      protocol.udp:
        host: "0.0.0.0:1514"
    - type: netflow
      max_message_size: 10KiB
      host: "0.0.0.0:2055"
      protocols: [ v5, v9, ipfix ]
      expiration_timeout: 30m
      queue_size: 8192
    output.logstash:
      hosts: ["XXXX:5044"]
      ssl:
        certificate_authorities: ["./certs/alertflex.crt"]
Connect a Wazuh agent
By default (see the env.sh file), the installation procedure of the appliance includes the Wazuh manager docker container.
For instructions on installing the Wazuh agent on a host, refer to the Wazuh documentation.
Agents can be created in the Wazuh manager via the Alertflex web console.
- Select any row in the agents table, right-click it, and select the menu item Add agent.
- Fill in the agent-specific parameters in the Add agent form.
- After creating an agent, select the agent's row and open the menu item View key. The key shown is used to connect the agent to the Wazuh manager.
- Enter the appliance hostname/IP address and the key as parameters in the Wazuh agent (for the Windows version of the agent).