Monitor your Wazuh stack using Telegraf + InfluxDB

Introduction

Wazuh stack architecture:

Monitoring agent: Telegraf 1.21.3.

Metrics collector / time-series database (TSDB): InfluxDB 2.x

Monitoring — Setup

Wazuh Manager.

General Metrics.

Telegraf settings:

The host-level system inputs (cpu, mem, disk, diskio, processes, swap, system) are already enabled in the stock Telegraf config; the network panel additionally needs [[inputs.net]], which is present but commented out in the generated default file.

Dashboard screenshots (not reproduced here): Wazuh Manager summary, CPU and network panels.

Processes (procstat for Wazuh manager processes).

Telegraf settings:

[[inputs.procstat]]
  systemd_unit = "wazuh-manager.service"
  include_systemd_children = true

Dashboard screenshot (not reproduced here): Wazuh Manager process metrics, spawned processes.

Processes (procstat for filebeat process).

Telegraf settings:

[[inputs.procstat]]
  systemd_unit = "filebeat.service"
  include_systemd_children = true

Dashboard screenshot (not reproduced here): Wazuh Manager process metrics, Filebeat.

Filebeat Input Module for Telegraf.

Filebeat's HTTP endpoint has to be enabled so that Filebeat exposes its internal metrics (the /stats API). It is disabled by default for security reasons; when you enable it, keep it bound to localhost (as below) so the stats API is reachable only by Telegraf on the same host and is not exposed on the network.

Filebeat Metrics:

Filebeat config (enabling HTTP endpoint):

# Filebeat HTTP endpoint for metrics
http.enabled: true
http.host: localhost
http.port: 5066

Telegraf config:

## Filebeat HTTP Endpoint Input
[[inputs.beat]]
  url = "http://127.0.0.1:5066"
  ## "filebeat" covers harvester and event counters only; add "libbeat" if you
  ## also want the output counters (events acked/failed) that show whether
  ## Filebeat is actually delivering to Elasticsearch.
  include = ["filebeat"]

Dashboard screenshot (not reproduced here): Wazuh Manager Filebeat endpoint metrics.

ELK Stack.

We assume Elasticsearch (ELS) and Kibana (KIB) are installed on the same host.

General Metrics.

Processes (procstat for Elasticsearch and Kibana).

Telegraf config:

[[inputs.procstat]]
  systemd_unit = "elasticsearch.service"
  include_systemd_children = true

[[inputs.procstat]]
  systemd_unit = "kibana.service"
  include_systemd_children = true

ELS Input Module for Telegraf.

The full list of metrics this plugin collects is in the plugin's documentation.

Telegraf config:

[[inputs.elasticsearch]]
  servers = ["http://localhost:9200"]
  http_timeout = "5s"
  ## Gather node stats from the local node only
  local = true
  cluster_health = false
  cluster_stats = false
  cluster_stats_only_from_master = true
  indices_include = ["_all"]
  indices_level = "shards"
  ## Leave these empty only if the cluster has no authentication. Otherwise use a
  ## read-only monitoring user and keep the secret out of this file, e.g.
  ## password = "${ES_MONITOR_PASSWORD}" (Telegraf expands environment variables).
  username = ""
  password = ""
  ## Optional TLS Config
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  ## Use TLS but skip chain & host verification (leave false in production)
  # insecure_skip_verify = false
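The post shows each input separately but never the [agent] section or the InfluxDB 2.x output that the stack depends on. As an added example (not from the original post or from the Telegraf or Wazuh projects), here is a complete drop-in for the Wazuh manager host that ties the inputs above together and ships them to InfluxDB with the token kept out of the config file. The INFLUX_* environment variable names, the CA file path and the role tag are assumptions.

```toml
# /etc/telegraf/telegraf.d/wazuh-manager.conf  (added example, not from the post)
# Secrets come from the environment (EnvironmentFile=/etc/default/telegraf in
# the telegraf systemd unit), so nothing sensitive lives in this config file.
# INFLUX_URL / INFLUX_ORG / INFLUX_BUCKET / INFLUX_TOKEN and the CA path are
# assumed names, not values from the original post.

[global_tags]
  role = "wazuh-manager"        # assumed tag; lets dashboards split manager vs ELK hosts

[agent]
  interval = "10s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000   # metrics are buffered locally while InfluxDB is unreachable
  flush_interval = "10s"
  omit_hostname = false         # keep the host tag; it is the primary dashboard filter

[[outputs.influxdb_v2]]
  urls = ["${INFLUX_URL}"]      # e.g. https://influxdb.internal:8086 (assumed)
  token = "${INFLUX_TOKEN}"     # use a token with write access to this bucket only
  organization = "${INFLUX_ORG}"
  bucket = "${INFLUX_BUCKET}"
  tls_ca = "/etc/telegraf/influxdb-ca.pem"   # assumed path to the CA that signed InfluxDB's cert
  insecure_skip_verify = false  # leave false: true disables certificate validation entirely

# Host-level inputs (the set the stock telegraf.conf enables) plus net for the
# network panel.
[[inputs.cpu]]
  percpu = true
  totalcpu = true
[[inputs.mem]]
[[inputs.disk]]
  ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "squashfs"]
[[inputs.diskio]]
[[inputs.net]]
[[inputs.processes]]
[[inputs.swap]]
[[inputs.system]]

# The Wazuh daemons (wazuh-analysisd, wazuh-remoted, ...) are children of the
# unit, so include_systemd_children is what makes them show up.
[[inputs.procstat]]
  systemd_unit = "wazuh-manager.service"
  include_systemd_children = true

[[inputs.procstat]]
  systemd_unit = "filebeat.service"
  include_systemd_children = true

# Filebeat stats API; requires http.enabled: true and http.host: localhost in
# filebeat.yml. "libbeat" is included on purpose: it carries the output
# acked/failed counters that reveal a broken Filebeat -> Elasticsearch path,
# which the "filebeat" namespace alone does not report.
[[inputs.beat]]
  url = "http://127.0.0.1:5066"
  include = ["beat", "libbeat", "filebeat"]
```

Validate the file before restarting the service with `telegraf --config /etc/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --test`, which runs every input once and prints the metrics without writing to any output (export the INFLUX_* variables in that shell first, since the config is parsed after variable substitution). Keep /etc/default/telegraf readable only by root and the telegraf user. On the ELK host, reuse the same [agent] and [[outputs.influxdb_v2]] sections with role = "elk" and replace the inputs with the procstat and elasticsearch inputs shown above, sourcing the monitoring user's credentials from the environment in the same way.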

Dashboard screenshots (not reproduced here): Elasticsearch metrics, panels I and II.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).