Wazuh 3.6.1

[dougburks]

Need the new OSSEC agent to parse EventChannel logs properly (for sysmon).

[adigiuseppe]

Hi Doug,

First off, huge thanks for a great NSM distro.

Is this standard OSSEC 2.9 or the Wazuh fork of OSSEC? If it's the plain old OSSEC, I'd suggest you check out what the Wazuh HIDS folks are doing to enhance OSSEC.

P.S. I have "upgraded" the Security 14.0.4.1 OSSEC in-place to the Wazuh fork of OSSEC 2.9 and it works correctly with ELSA, etc. I simply followed the steps here to install on top of the SO OSSEC: Installing Wazuh HIDS.

[dougburks]

Hi adigiuseppe,

This hasn't been implemented yet since OSSEC 2.9 hasn't been released. Once it is released, I'll take a look at standard OSSEC vs Wazuh.

[adigiuseppe]

OK, I ask because Wazuh is forked off the OSSEC 2.9 code branch already; they also contribute back to the upstream OSSEC project, I believe.

[dougburks]

Notes for packaging:

I think the default limit is the same as it was in 2.9.0 (2048 I believe). 
It is supposed to be changeable with `make MAXAGENTS=NUMBER` or 
probably `MAXAGENTS=NUMBER ./install.sh` 

https://groups.google.com/d/topic/ossec-list/xiVOGEBqTVg/discussion

[dougburks]

Another note for packaging:

ossec-server.conf should have local_rules.xml after securityonion_rules.xml to allow users to override defaults:
https://groups.google.com/d/topic/security-onion/m_pD9HidK_o/discussion

[dougburks]

https://twitter.com/danielcid/status/897958679378395136

[nicknomo]

I'd really like to see Wazuh in security onion. It already is integrated with the ELK stack, and it seems like you are headed there anyway. I'd love to see this in a future release of security onion.

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/kfn9Yb3n0xw/discussion

[dougburks]

Published:
https://blog.securityonion.net/2018/10/wazuh-361-elastic-641-and-associated.html