Your questions about the webinar Wazuh SIEM and XDR: Fast entry in Security Monitoring with Michael Münz from m.a.x. it


This article shows a selection of the questions asked during the webinar Wazuh SIEM and XDR: Fast entry in Security Monitoring with Michael Münz from m.a.x. it. The full-length video can be found on the Thomas-Krenn YouTube channel.

How does Wazuh differ from Graylog?

  • Both do Syslog, but they do not have an agent.
  • Graylog is a Syslog server with a good graphical interface.

Does Wazuh also work with Trellix ENS and Trellix EDR?

Yes, it is possible with Trellix ENS, but compatibility with EDR is not certain.

During the "Compliance Check" of German Windows PCs, where the output of "net accounts .." is checked, the filter only verifies against English output. Are there any solutions?

  • You have to build such a Compliance Check on your own.
  • This is a lot of work, and those who have done it themselves are not sharing it.

The creation of the SIEM-UC or rules is quite complex. Is there a similar default-set to Mitre?

  • Unfortunately, there is no default set.

Training courses, support or initial setups were announced. Is there any further information?

Where is the difference between Monitoring via Zabbix and SIEM like Wazuh?

  • Zabbix monitors systems, not the log files they generate, as is the case with Wazuh.
  • Zabbix accesses the systems and provides metrics.
  • Zabbix is not initially made for logs.

Is the monitoring of a Palo Alto Firewall also possible?

  • Yes, this is possible. The log can be decoded.
  • There are not many rules.
  • In Wazuh, under Server Management Rules, search for Palo Alto.
  • A separate rule set is available for Palo Alto, but XML is still being converted to YAML.

At Wazuh, is there anything like the Common Information Model from Splunk so that a rule such as incorrect admin logins can be run across a wide variety of log sources via an abstraction layer?

  • Yes, this is possible. The incorrect login is noticed by a rule.
  • This can be solved also via groups in the filters.

Are there any reference implementations for Debian 13 "Trixie"?

  • Yes, this should work.

Are there prepared standard VMs?

  • There are OVA templates.
  • The instructions for Wazuh are quite helpful for this.

Is it possible to integrate Wazuh in Zabbix server so that the necessary data/events can be analyzed via the Zabbix agent that is already installed on the server/cluster system?

  • Yes, this is possible. You send the events to Zabbix.

Can I uninstall services/apps in Wazuh?

  • You can deactivate functions (for example, so that Syscollector does not collect inventory), but not uninstall them.

Can I integrate our own services that we have developed? There are also logs. Can I get help when creating the rules?

  • Yes, this is possible.
  • Support by experts of m.a.x. it is also possible.

Can I also connect Sophos Central?

  • Yes, this is supported by Wazuh.

Can the agents be rolled out automatically? Is there anything to note for the exchange between agent and Wazuh-server, for example encryption key?

  • You can secure it with passwords or certificates, or roll it out via GPO.
  • There are many ways to roll out the agents.

Is it possible to monitor the network infrastructure not only via Syslog, but also via SNMP? Is this directly possible with Wazuh or is PRTG, for example, needed?

  • This is not possible directly and is not intended.
  • Wazuh works with logs and not with metrics.

Is it possible to set up Wazuh for testing purposes also as docker container?

  • It is possible, but only for testing purposes.

A little tip: create a GPO to log "Include command line in process creation events." This creates transparency for all executed CMDs or PowerShell commands in the Windows infrastructure.

  • This is a good tip. A lot is possible via GPO, for example the execution of PowerShell commands.
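The value of the GPO tip lies in what a rule can do with the recorded command line. The following script is an added example (it is not from the webinar and not part of Wazuh): it imitates the check a Wazuh rule can perform on Security event 4688 once "Include command line in process creation events" is active, and it also reports hosts whose 4688 events still arrive without a command line, which is how you spot machines the GPO has not reached. The events are constructed; their field names (win.system.eventID, win.eventdata.commandLine, win.eventdata.subjectUserName, win.eventdata.newProcessName) follow the JSON layout the Wazuh agent produces for Windows event channels, which this script assumes.

```python
"""Flag Windows process-creation events with suspicious command lines.

Added example, not taken from the webinar or the Wazuh project. It imitates
the check a Wazuh rule can perform on Security event 4688 once the GPO
"Include command line in process creation events" is active. The sample
events are constructed; their field layout follows the JSON the Wazuh agent
produces for Windows event channels (win.system.eventID,
win.eventdata.commandLine, ...), which is an assumption of this script.
"""
import json
import re

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def event(event_id, computer, **eventdata):
    """Build one constructed event in the agent's eventchannel layout."""
    return json.dumps({"win": {"system": {"eventID": event_id, "computer": computer},
                               "eventdata": eventdata}})


SAMPLE_EVENTS = [
    event("4688", "WS01", subjectUserName="alice",
          newProcessName="C:\\Windows\\System32\\notepad.exe",
          commandLine="notepad.exe report.txt"),
    event("4688", "WS02", subjectUserName="bob", newProcessName=PS,
          commandLine="powershell.exe -nop -w hidden -EncodedCommand <base64 omitted>"),
    event("4688", "WS03", subjectUserName="svc_backup", newProcessName=PS,
          commandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    # Host without the GPO: 4688 is logged but carries no commandLine field.
    event("4688", "WS04", subjectUserName="carol", newProcessName=PS),
    # Unrelated logon event, ignored by this check.
    event("4624", "WS01", targetUserName="alice", logonType="2"),
]

# Indicators, roughly ordered by how rarely they appear in benign use.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s"),
    "hidden_window": re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"),
    "download_cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|iex\s"),
    "execution_policy_bypass": re.compile(r"(?i)(^|\s)-ex(ecutionpolicy)?\s+bypass\b"),
}
HIGH = {"encoded_command", "download_cradle"}


def severity(hits):
    """Wazuh-style level: 12 when a strong indicator is present, 7 otherwise."""
    return 12 if HIGH & set(hits) else 7


def analyze(raw_events):
    """Return (alerts, hosts_without_cmdline).

    hosts_without_cmdline lists computers whose 4688 events lack the
    commandLine field, i.e. where the GPO has not taken effect yet.
    """
    alerts, no_cmdline = [], []
    for raw in raw_events:
        ev = json.loads(raw)["win"]
        if ev["system"].get("eventID") != "4688":
            continue
        data = ev.get("eventdata", {})
        cmd = data.get("commandLine")
        if cmd is None:
            no_cmdline.append(ev["system"]["computer"])
            continue
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if hits:
            alerts.append({"computer": ev["system"]["computer"],
                           "user": data.get("subjectUserName"),
                           "image": data.get("newProcessName"),
                           "hits": hits, "level": severity(hits)})
    return alerts, sorted(set(no_cmdline))


if __name__ == "__main__":
    found, missing = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"level {a['level']:2d} {a['computer']} {a['user']}: {', '.join(a['hits'])}")
    print("hosts without command line in 4688:", ", ".join(missing))
```

The "-ExecutionPolicy Bypass" case is deliberately rated lower than the encoded command: scheduled scripts use it legitimately, so a rule on it alone produces noise unless it is combined with the user or parent process.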

Is it possible to connect/integrate Wazuh with Netbox?

  • Not natively, but it is possible via script.

Is service X running, how many users are logged in, can this be monitored?

  • This can be solved via a search. If a search for "Anydesk" returns no result, the service is not running.
  • You can also verify which users are logged in. This can be done via CDB lists.
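To make the CDB-list answer concrete, here is an added example (not from the webinar and not Wazuh code) that parses an allowlist in CDB format and replays the not_match_key case over constructed Windows 4624 logon events: every interactive logon (logon types 2 and 10) by an account that is not on the list is reported. The list contents, the events and the host names are constructed; the event field names (win.system.eventID, win.eventdata.targetUserName, win.eventdata.logonType) follow the Wazuh agent's event-channel JSON layout, which the script assumes.

```python
"""Alert on interactive logons by accounts missing from a CDB-style allowlist.

Added example, not part of the webinar or the Wazuh project. Wazuh CDB lists
are text files with one "key:value" entry per line (the value may be empty)
that a rule consults via <list field="..." lookup="match_key|not_match_key">.
This script parses such a file and reproduces the not_match_key case over
constructed Windows 4624 logon events in the agent's eventchannel JSON layout.
"""
import json

# Constructed allowlist in CDB format: key is the account, value is free text.
ALLOWLIST_CDB = """\
alice:helpdesk
bob:
svc_backup:service account, console only
"""

# Windows logon types that mean a person sat down at the machine (2) or
# connected via RDP (10); network logons (3) are not of interest here.
INTERACTIVE_LOGON_TYPES = {"2", "10"}


def event(event_id, computer, **eventdata):
    """Build one constructed event in the agent's eventchannel layout."""
    return json.dumps({"win": {"system": {"eventID": event_id, "computer": computer},
                               "eventdata": eventdata}})


SAMPLE_EVENTS = [
    event("4624", "WS01", targetUserName="alice", logonType="2"),
    event("4624", "SRV01", targetUserName="mallory", logonType="10"),
    event("4624", "SRV01", targetUserName="bob", logonType="3"),        # network logon, skipped
    event("4624", "SRV02", targetUserName="SVC_BACKUP", logonType="2"),  # differs only in case
    event("4624", "WS05", targetUserName="eve", logonType="2"),
    event("4688", "WS01", subjectUserName="alice", commandLine="notepad.exe"),  # not a logon
]


def parse_cdb(text):
    """Return {key: value}; the key ends at the first colon, value may be empty.

    Keys are lower-cased here so that account names compare case-insensitively;
    that normalisation is a choice of this script, not a property of CDB files.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        entries[key.strip().lower()] = value.strip()
    return entries


def unlisted_interactive_logons(raw_events, allow):
    """Return one alert per interactive 4624 whose account is not in `allow`."""
    alerts = []
    for raw in raw_events:
        ev = json.loads(raw)["win"]
        if ev["system"].get("eventID") != "4624":
            continue
        data = ev.get("eventdata", {})
        if data.get("logonType") not in INTERACTIVE_LOGON_TYPES:
            continue
        user = data.get("targetUserName", "")
        if user.lower() not in allow:
            alerts.append({"computer": ev["system"]["computer"],
                           "user": user, "logonType": data["logonType"]})
    return alerts


if __name__ == "__main__":
    allowed = parse_cdb(ALLOWLIST_CDB)
    for a in unlisted_interactive_logons(SAMPLE_EVENTS, allowed):
        print(f"{a['computer']}: unlisted account {a['user']} (logon type {a['logonType']})")
```

The same list file, once placed on the manager and referenced in ossec.conf, can serve several rules; the script only shows what the lookup decides, so the shape of the list and the logon-type filter are the parts worth carrying over.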

Is it possible to log agentless, for example a printer?

  • Everything that sends Syslog can be checked.
  • For this, the rsyslog instructions together with Wazuh can be taken into consideration.

Is Wazuh worthwhile for VDI? So, run the agent on the clones?

  • Yes, it is possible to build the agent into the Golden Image.

Is it helpful to integrate Wazuh and Graylog?

  • Yes, Graylog can be integrated in Wazuh.

Which performance impact should be expected when a Wazuh agent runs on Windows & Linux?

  • There is no large impact, approximately 5 per cent more load.

What can you do with the agent? So once you have taken over the Wazuh server, can you go further via the agent?

  • There was a recent case here where the rollout of an agent was performed in Windows using a PowerShell command.
  • The PowerShell script was manipulated so that the agent accepts commands from a compromised Wazuh server.

Wazuh consists of Indexer, server and dashboard. So once you have taken over the Wazuh server, can you go further via the agent?

  • Yes, this is possible. Even in the case of a high number of logs, Wazuh can run in a VM (with decent performance and storage space).

Which Syslog server can you recommend?

  • We recommend Rsyslog.

Which EDR can be used in combination with Wazuh?

  • SentinelOne, Bitdefender, Windows Defender: collect the local Windows Defender logs and evaluate them with Wazuh.
  • A lot of EDR solutions are supported and a web search can help here.

How good is Wazuh compared to Elastic SIEM?

  • This cannot be answered.
  • It depends on the use cases.

We have a running nginx Proxy in Docker. Does the Wazuh Agent monitor nginx access logs automatically?

  • You can define in the agent which files should be monitored.
  • The nginx log must be added.
  • An nginx decoder is available for the logs.

We use Loki as central log. Can I parse the Loki logs with Wazuh (application logs, FW logs, etc...)? To what extent does the Wazuh Agent still make sense on the endpoints? Do I have to parse all logs of Endpoint-Enabled Agents twice?

  • You can also solve it without agents on the endpoint, for example via SentinelOne.
  • Logs can be split if they should also be logged to Loki.

Are there any recommendations for the use of Wazuh?

  • You can install a VM for evaluation purposes, as the scalability via VM is quite good.
  • For up to 100 agents (depending on the number of logs), 8 cores and 16 GB RAM.
  • Desired log storage duration depends on the storage space.
  • 500 GB storage is approximately enough for 2 months for 100 agents.
  • In general, sizing Wazuh is always an individual consideration. We tried a kind of configurator but it is too complex.


Author: Thomas Niedermeier

Thomas Niedermeier works in the product management team at Thomas-Krenn and completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas has been employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she took up her position as assistant to Product Management and is responsible for the translation of texts and for the organisation of the department.

