Azure Sign-in Logs Missing from Wazuh Dashboard

Issue Description
Azure sign-in logs (auditLogs/signIns) are processed by the Wazuh manager and are visible in alerts, but they do not appear in the Wazuh Dashboard. This happens because of a field mapping conflict.

The Error
    { "type": "mapper_parsing_exception", "reason": "failed to parse field [data.ms-graph.status] of type [keyword]" }

Root Cause
The status field in Azure logs contains a JSON object, but the Wazuh template expects it to be a keyword string.

Solution

Temporary Fix
Edit the Wazuh template:
    sudo nano /etc/filebeat/wazuh-template.json
Find the ms-graph section and update the status field:
    "ms-graph": {
      "properties": {
        "relationship": { "type": "keyword" },
        "status": { "type": "object", "dynamic": true }
      }
    }
Apply the template:
    filebeat setup --index-management -E setup.template.json.enabled=false
Restart Filebeat:
    sudo systemctl restart filebeat

Permanent Fix
A permanent fix will be available in Wazuh 4.14 based on this PR: https://github.com/wazuh/wazuh/pull/30831 ...

August 22, 2025 · 1 min · ElWali Karkoub

Wazuh Upgrade Permissions Fix

Updating Wazuh Manager Permissions After a Failed Upgrade
If your Wazuh manager upgrade fails due to permission issues, check whether the file permissions and ownership under the Wazuh directory still use the old ossec user/group.

Permission Update Commands
Run these commands to correct ownership:
    # Change ossec user/group to wazuh
    find /var/ossec -group ossec -user ossec -exec chown wazuh:wazuh {} \;
    # Change root-owned files to the wazuh group
    find /var/ossec -group ossec -user root -exec chown root:wazuh {} \;

Notes: These commands recursively update ownership in the Wazuh directory ...

June 12, 2025 · 1 min · Elwali Karkoub

Running PowerShell Commands on a Wodle Wazuh

Running PowerShell Commands on a Wodle in Wazuh
By executing PowerShell commands through a Wazuh Wodle and formatting the results as JSON, you can streamline log processing without the need for custom decoders. This method simplifies integration—only the corresponding rules need to be defined to handle the structured output.

PowerShell Command Format
The recommended format for PowerShell commands in a Wodle is:
    Powershell -c "@{ <header> = <command> } | ConvertTo-Json -compress"
<command> is the PowerShell cmdlet or one-liner script that outputs an object ...

June 12, 2025 · 2 min · Elwali Karkoub