After installing all T-Guard components, I accessed the IRIS dashboard to get the API key to integrate it with Wazuh (I will attach a picture of IRIS API key).
Then I accessed the ossec_config file in
[t-guard/wazuh/config/wazuh_cluster/wazuh_manager.conf] and added the API key of IRIS (I will attach a picture of my edited ossec_config file).
Then I executed step 7 [setup IRIS ↔ Wazuh Integration] in the GUI installation interface according to T-Guard documentation.
Note:
[Step 7 in the T-Guard documentation is actually step 8 in the current GUI installation interface. I will attach a picture of this step in the current GUI installation interface below and the output of executing this step.]
According to T-Guard documentation, I will see an alert in the IRIS INVESTIGATION section, but I don’t see the alert that was stated in the documentation (I will attach a picture of the alert stated in T-Guard documentation and a picture of my alerts in IRIS).
Also, I have one agent connected to my Wazuh dashboard, and no event related to this agent appears in IRIS (I will attach a picture of some event related to my agent).
Based on the image you provided above, there is an error message:
Error response from daemon: no such container: wazuh-wazuh.manager-1
It seems something has happened to your Wazuh manager container, possibly it is not active/running. You can do the following steps:
1. Check the active containers with the following command:
sudo docker ps
If the container is not listed, it means it is not running.
2. To start it, go to the wazuh directory and run this command:
sudo docker compose up -d
3. Check the running container again using the command in step 1. If the container is listed, then try to run the T-Guard setup and repeat step 8 in the GUI.
Note:
[I don’t know whether these containers (wazuh_wazuh.manager_1) and (wazuh-wazuh.manager-1) are referring to the same container.
Still, in case they don’t refer to the same container, I have executed sudo docker-compose down & sudo docker-compose up -d, and no new Wazuh container appears.]
Actually, this issue hasn’t been encountered before, but we are glad that you let us know this issue.
From the image you provided, we noticed a difference in the container naming in your system. Typically, the container name is “wazuh-wazuh.manager-1”, which is what our configuration script references. However, in your system, it appears as “wazuh_wazuh.manager_1”.
So, we suggest you edit the setup.sh file and replace all “wazuh-wazuh.manager-1” with “wazuh_wazuh.manager_1”.
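As an added example (not T-Guard's own setup.sh or code), a small POSIX shell helper that detects which naming style the running Wazuh manager container actually uses, so the name in setup.sh can be matched to the live daemon instead of guessed; it assumes the compose project is named wazuh, the service wazuh.manager and the first replica.

```shell
#!/bin/sh
# Added example, not T-Guard's own setup.sh: find the Wazuh manager
# container under either naming scheme. docker-compose v1 joins names
# with underscores ("wazuh_wazuh.manager_1"), Compose v2 with hyphens
# ("wazuh-wazuh.manager-1"), which is why a script hard-coded to one
# style reports "no such container" on the other.
# Assumptions: compose project "wazuh", service "wazuh.manager", replica 1.

MANAGER_PATTERN='^wazuh[-_]wazuh\.manager[-_]1$'

# Reads `docker ps --format '{{.Names}}'` output on stdin and prints the
# manager container name in whichever style is present (empty if none).
resolve_manager_container() {
  grep -E "$MANAGER_PATTERN" | head -n 1
}

# Returns 0 when the given name list contains a running manager container.
manager_is_running() {
  [ -n "$(printf '%s\n' "$1" | resolve_manager_container)" ]
}

# Prints the sed expression that rewrites setup.sh from the hyphenated
# name to the name actually in use on this host.
setup_sh_rename_expr() {
  printf 's/wazuh-wazuh\\.manager-1/%s/g\n' "$1"
}

# Live mode (needs Docker): sh check_manager.sh --live
if [ "${1:-}" = "--live" ]; then
  names="$(sudo docker ps --format '{{.Names}}')"
  if manager_is_running "$names"; then
    actual="$(printf '%s\n' "$names" | resolve_manager_container)"
    echo "manager container is running as: $actual"
    echo "if setup.sh still references wazuh-wazuh.manager-1, apply:"
    echo "  sed -i '$(setup_sh_rename_expr "$actual")' setup.sh"
  else
    echo "no Wazuh manager container is running; start it with:" >&2
    echo "  cd wazuh && sudo docker compose up -d" >&2
    exit 1
  fi
fi
```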
I changed all container names in [setup.sh] from
“wazuh-wazuh.manager-1” to “wazuh_wazuh.manager_1” as described in the previous reply. (See the picture of the edited setup.sh below.)
Then I repeated step 8 in the GUI, but I encountered multiple errors. (I recorded the output of executing step 8. I attached a link to the recorded video below.)
Also, I checked the IRIS dashboard and no alerts were there.
I have resolved the issue. It seems that my event level was lower than the level at which Wazuh forwarded events to IRIS. Therefore, by changing the level to 0 in wazuh_manager.conf, I was able to receive Wazuh events on IRIS.
Did you get alerts without having an agent, or do I make another machine an agent, install the script and run the PoC simulation part of the script only?
Following up on our previous discussion, our team has conducted an evaluation regarding this issue. Specifically, we installed the three agents on different machines:
We observed that alerts generated by the Windows agent aren’t reaching IRIS, even though we had already scaled down the “level” threshold to “0”.
But the agent on Ubuntu Linux endpoints is successfully sending all the alerts to IRIS.
As for the Windows endpoint issue, our team is actively working on mitigating it, and we’ll make an announcement as soon as there’s an update about it.
Thank you for your continuous work to enhance T-Guard.
In the video below, I edited the ossec.conf file of the agent to monitor the desktop of my endpoint machine. I thought that my IRIS receives all alerts from Wazuh, but it seems that it gets only the alert of integrity change from my endpoint (Windows 11) desktop. Therefore, the issue of alerts was not solved.
Feel free to customize the alert rule group you want to send to IRIS according to your specific needs. For a comprehensive reference on all available rule groups in Wazuh, you can visit the following link: Wazuh Rule Groups.
You can find the group name in each ruleset there.