Monitor your Wazuh stack using Telegraf + InfluxDB

SOCFortress
3 min read · Feb 10, 2022

Introduction

Wazuh stack architecture:

  • Wazuh Manager.
  • ELK stack (Elasticsearch (ELS), Kibana (KIB), Filebeat).
  • Wazuh API.
  • Wazuh Agents

Monitoring agent: Telegraf 1.21.3.

Metrics Collector, TSDB: InfluxDB 2.x

Monitoring — Setup

  • Install InfluxDB in a VM/cloud instance.
  • Create an organisation, a bucket and an API token for Telegraf.
  • Install the Telegraf monitoring agent on every host that is part of the Wazuh stack.
  • Apply the Telegraf settings below.

Wazuh Manager.

General Metrics.

  • KERNEL
  • CPU
  • DISK
  • DISK I/O
  • MEMORY
  • NETWORK
  • PROCESSES
  • SWAP
  • SYSTEM

Telegraf settings:

General/system metrics are enabled by default in Telegraf config.

[Dashboard screenshots: Wazuh Manager — Summary; Wazuh Manager — CPU; Wazuh Manager — Network]

Processes (procstat for Wazuh manager processes).

  • python3
  • wazuh-analysisd
  • wazuh-authd
  • wazuh-db
  • wazuh-execd
  • wazuh-integratord
  • wazuh-logcollector
  • wazuh-modulesd
  • wazuh-monitord
  • wazuh-remoted
  • wazuh-syscheckd

Telegraf settings:

[[inputs.procstat]]
systemd_unit = "wazuh-manager.service"
include_systemd_children = true

[Dashboard screenshot: Wazuh Manager — Process Metrics, Spawn Processes]

Processes (procstat for filebeat process).

Telegraf settings:

[[inputs.procstat]]
systemd_unit = "filebeat.service"
include_systemd_children = true

[Dashboard screenshot: Wazuh Manager — Process Metrics, Filebeat]

Filebeat Input Module for Telegraf.

The Filebeat HTTP endpoint needs to be enabled so that Filebeat can expose its internal metrics. For security reasons the endpoint is disabled by default; when enabling it, keep it bound to localhost (as in the config below) so that only the local Telegraf agent can reach it.

Filebeat Metrics:

  • events_active
  • events_added
  • events_done
  • harvester_closed
  • harvester_open_files
  • harvester_running
  • harvester_skipped
  • harvester_started
  • input_log_files_renamed
  • input_log_files_truncated

Filebeat config (enabling HTTP endpoint):

# Filebeat HTTP Endpoint for Metrics
http.enabled: true
http.host: localhost
http.port: 5066

Telegraf config:

## Filebeat HTTP Endpoint Input
[[inputs.beat]]
url = "http://127.0.0.1:5066"
include = ["filebeat"]

[Dashboard screenshot: Wazuh Manager — Filebeat Endpoint Metrics]
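As an added example (not part of the original post), the Python script below flattens the JSON that Filebeat's /stats endpoint returns into the metric names listed above, the same naming Telegraf's beat input produces, and runs a simple backlog check on events_active. The sample payload is constructed for this example and its layout is an assumption based on Filebeat's stats output.

```python
import json

# Constructed sample of what Filebeat's /stats endpoint returns once
# http.enabled is set. Layout is assumed from Filebeat's stats output;
# the values are invented for this example.
SAMPLE_STATS = json.dumps({
    "filebeat": {
        "events": {"active": 120, "added": 5400, "done": 5280},
        "harvester": {"closed": 2, "open_files": 3, "running": 3,
                      "skipped": 0, "started": 5},
        "input": {"log": {"files": {"renamed": 1, "truncated": 0}}},
    },
    "beat": {"memstats": {"memory_alloc": 31457280}},
})

# Metric names listed in the post, as Telegraf's beat input reports them.
FILEBEAT_METRICS = [
    "events_active", "events_added", "events_done",
    "harvester_closed", "harvester_open_files", "harvester_running",
    "harvester_skipped", "harvester_started",
    "input_log_files_renamed", "input_log_files_truncated",
]


def flatten(node, prefix=""):
    """Flatten nested JSON into 'a_b_c' keys (Telegraf beat naming)."""
    out = {}
    for key, value in node.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def filebeat_metrics(stats_json):
    """Return the post's Filebeat metrics from a /stats payload."""
    flat = flatten(json.loads(stats_json).get("filebeat", {}))
    return {m: flat.get(m) for m in FILEBEAT_METRICS}


def check_backlog(metrics, max_active=1000):
    """Flag a shipping backlog: many events accepted by Filebeat but not
    yet acknowledged by Elasticsearch means manager alerts are piling up."""
    active = metrics.get("events_active") or 0
    return {"events_active": active, "healthy": active <= max_active}
```

The same `flatten` logic applies to the other sections of /stats (for example `libbeat`) if you want metrics beyond the ones the post lists.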

ELK Stack.

We assume Elasticsearch (ELS) and Kibana (KIB) are installed on the same host.

General Metrics.

  • CPU
  • KERNEL
  • DISK
  • DISK I/O
  • MEMORY
  • NETWORK
  • PROCESSES
  • SWAP
  • SYSTEM

Processes (procstat for Elasticsearch and Kibana).

Telegraf config:

[[inputs.procstat]]
systemd_unit = "elasticsearch.service"
include_systemd_children = true

[[inputs.procstat]]
systemd_unit = "kibana.service"
include_systemd_children = true

ELS Input Module for Telegraf.

The list of available metrics is in the Telegraf Elasticsearch input plugin documentation.

Telegraf config:

[[inputs.elasticsearch]]
servers = ["http://localhost:9200"]
http_timeout = "5s"
local = true
cluster_health = false
cluster_stats = false
cluster_stats_only_from_master = true
indices_include = ["_all"]
indices_level = "shards"
username = ""
password = ""
## Optional TLS Config
# tls_ca = "/etc/telegraf/ca.pem"
# tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
## Use TLS but skip chain & host verification
# insecure_skip_verify = false

[Dashboard screenshots: Elasticsearch — Metrics (I); Elasticsearch — Metrics (II)]

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).