IRIS does not receive alerts from WAZUH

After installing all T-Guard components, I accessed the IRIS dashboard to get the API key to integrate it with Wazuh (I will attach a picture of IRIS API key).


Then I accessed the ossec_config file in
[t-guard/wazuh/config/wazuh_cluster/wazuh_manager.conf] and added the API key of IRIS (I will attach a picture of my edited ossec_config file).

Then I executed step 7 [setup IRIS ↔ Wazuh Integration] in the GUI installation interface according to T-Guard documentation.

Note:

[Step 7 in the T-Guard documentation is actually step 8 in the current GUI installation interface. I will attach a picture of this step in the current GUI installation interface below, along with the output of executing this step].



According to T-Guard documentation, I will see an alert in the IRIS INVESTIGATION section, but I don’t see the alert that was stated in the documentation (I will attach a picture of the alert stated in T-Guard documentation and a picture of my alerts in IRIS).


Also, I have one agent connected to my Wazuh dashboard, and no event related to this agent appears in IRIS (I will attach a picture of some event related to my agent).

Note:

[I am using an Ubuntu 22.04 virtual machine installed on VirtualBox to do the setup].

Could you please help me to debug the issue?

I have been trying to solve the issue for a while, but no promising result.

Hi, Faris!

Based on the image you provided above, there is an error message:

Error response from daemon: no such container: wazuh-wazuh.manager-1

It seems something has happened to your Wazuh manager container, possibly it is not active/running. You can do the following steps:

  1. Check the active containers with the following command:

sudo docker ps

If the container is not listed, it means it is not running.

  2. To start it, go to the wazuh directory and run this command:

sudo docker compose up -d

  3. Check the running containers again using the command in step 1. If the container is listed, then try to run the T-Guard setup and repeat step 8 in the GUI.

We hope this helps.

Thank you!

Thank you for your reply,

wazuh_wazuh.manager_1 is actually running. This picture shows all the running containers.

Then I executed [Setup IRIS ↔ Wazuh Integration] again, but the same issue was present. See the picture below.

Note:
[I don’t know whether these containers (wazuh_wazuh.manager_1) and (wazuh-wazuh.manager-1) are referring to the same container.

Still, if they don’t refer to the same container, I have executed sudo docker-compose down & sudo docker-compose up -d, and there is not any new Wazuh container appearing.
]

Thank you for your update.

Actually, this issue hasn’t been encountered before, but we are glad that you let us know this issue.

From the image you provided, we noticed a difference in the container naming in your system. Typically, the container name is “wazuh-wazuh.manager-1”, which is what our configuration script references. However, in your system, it appears as “wazuh_wazuh.manager_1.”

So, we suggest you edit the setup.sh file and replace all “wazuh-wazuh.manager-1” with “wazuh_wazuh.manager_1”.

Then, you can repeat step 8 in GUI.

We hope this helps.

Thank you!
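The naming mismatch the team points out has a known cause: Docker Compose v1 (the `docker-compose` binary) names containers `project_service_1`, while Compose v2 (`docker compose`) names them `project-service-1`, so a script that hard-codes one form misses a container started with the other. The following is an added example, not T-Guard's setup.sh or any code from this thread: it matches the container the script expects against the names `docker ps` actually reports under either scheme, then rewrites every reference in the script. The `docker ps` output and the setup.sh text are constructed stand-ins for the demo.

```python
"""Reconcile a hard-coded Compose container name with the one actually running.

Added example (not T-Guard's code). Compose v1 names containers
project_service_1; Compose v2 names them project-service-1. The docker ps
output and the script text below are constructed; in real use feed in
`docker ps --format '{{.Names}}'` and the real setup.sh contents.
"""
from typing import Optional

# The name referenced by the configuration script (hypothetical constant name).
EXPECTED = "wazuh-wazuh.manager-1"

# Constructed output of `docker ps --format '{{.Names}}'` on a Compose v1 host.
DOCKER_PS = """wazuh_wazuh.manager_1
wazuh_wazuh.indexer_1
wazuh_wazuh.dashboard_1
iris-app-1"""

# Constructed stand-in for the lines of a setup script that name the container.
SETUP_SH = """#!/bin/bash
docker exec wazuh-wazuh.manager-1 ls /var/ossec/etc
docker restart wazuh-wazuh.manager-1
"""


def normalize(name: str) -> str:
    """Map both Compose naming schemes onto one key by treating '_' and '-' alike."""
    return name.replace("_", "-")


def find_manager_container(ps_names: str, expected: str = EXPECTED) -> Optional[str]:
    """Return the running container that is `expected` under either naming scheme,
    or None when no such container is running (the 'no such container' case)."""
    for name in ps_names.split():
        if normalize(name) == normalize(expected):
            return name
    return None


def rewrite_setup(script: str, expected: str, actual: str) -> str:
    """Replace every reference to the expected name with the running container's name."""
    return script.replace(expected, actual)


if __name__ == "__main__":
    actual = find_manager_container(DOCKER_PS)
    if actual is None:
        print("manager container is not running; start it with docker compose up -d")
    elif actual != EXPECTED:
        print(f"script expects {EXPECTED!r} but the running container is {actual!r}")
        print(rewrite_setup(SETUP_SH, EXPECTED, actual))
    else:
        print("container name matches the script; no rewrite needed")
```

Running it on real hosts replaces only the name, so a script that also differs in other ways (for example a changed service name) still needs a manual look.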

I appreciate your reply.

I changed all container names in [setup.sh] from
“wazuh-wazuh.manager-1” to “wazuh_wazuh.manager_1” as described in the previous reply. (See the picture of the edited setup.sh below.)

Then I repeated step 8 in GUI, but I encountered multiple errors. (I recorded the output of executing step 8. I attached a link to the recorded video below ).

Also, I checked the IRIS dashboard and no alerts were there.

Thanks for your update, Faris.

From your video, we noticed that when the system performs updates, it mentions “ubuntu focal” and “ubuntu 20.04” in the package names.

Please check your Ubuntu version to make sure you are using ubuntu version 22.04 by this command:

lsb_release -d

And let us know your update.

Thank you!

In the recording below, I tried to generate a new IRIS API key and do the integration of IRIS and Wazuh again. Still, the no-alert issue persists.

Note:
[This recording was on another Ubuntu 22.04 machine]

I have resolved the issue. It seems that my event level was lower than the level at which Wazuh forwarded events to IRIS. Therefore, by changing the level to 0 in wazuh_manager.conf, I was able to receive Wazuh events on IRIS.

Thank you for your continuous help

Hi, Faris!

Thank you for the update! We’re glad that your issue has been resolved.

This issue will be considered in the development of T-Guard.

If you need further assistance, please feel free to reach out. We’re always here to help!

Best regards, T-Guard Team


Did you get alerts without having an agent, or do I make another machine an agent, install the script and run only the PoC simulation part of the script?

Hello aboodedaboss,

I had one agent installed on my Windows 11.

Wish that was useful.

Hello, everyone!

Following up on our previous discussion, our team has conducted an evaluation regarding this issue. Specifically, we installed three agents on different machines:

  • 2 agents on Ubuntu Linux endpoint: ID 001, ID 003

  • 1 agent on Windows endpoint: ID 002

We observed that alerts generated by the Windows agent aren’t reaching IRIS, even though we had already scaled down the “level” threshold to “0”.
But the agents on the Ubuntu Linux endpoints are successfully sending all their alerts to IRIS.

Agent ID 001

Agent ID 002

Agent ID 003

As for the Windows endpoint issue, our team is actively working on mitigating it, and we’ll make an announcement as soon as there’s an update about it.

Thank you!

Thank you for your continuous work to enhance T-Guard,

In the video below, I edited the ossec.conf file of the agent to monitor the desktop of my endpoint machine. I thought that my IRIS receives all alerts from Wazuh, but it seems that it gets only the alert of integrity change from my endpoint (Windows 11) desktop. Therefore, the issue of alerts was not solved.

Hi, Faris!

Thank you for providing feedback.

Our team has evaluated the issue.

To receive alerts from the agent deployed on Windows, you’ll need to add the windows-related rule group to the wazuh_manager.conf configuration file.

For example, here is one event that belongs to the “windows, windows_security” rule group:

So, that rule group should be added to wazuh_manager.conf as follows:

By doing this, the events generated by the Windows agent will be sent to IRIS. Here is the result:

Feel free to customize the alert rule group you want to send to IRIS according to your specific needs. For a comprehensive reference on all available rule groups in Wazuh, you can visit the following link: Wazuh Rule Groups.

You can find the group name in each ruleset there.

Here’s an example of a group name in a ruleset:

We hope this information helps you resolve the issue effectively.

Thank you!
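The two fixes in this thread (lowering `<level>` to 0, then adding the Windows rule groups to `<group>`) are both filters on the Wazuh `<integration>` block: the integrator only hands an alert to the integration script when the rule level is at least `<level>` and, if `<group>` is set, the rule belongs to at least one of the comma-separated groups. The script below is an added example, not T-Guard's or Wazuh's code, that models those two filters over a constructed `wazuh_manager.conf` fragment and a few constructed alerts in the shape of Wazuh's `alerts.json` records, so you can see which agent's alerts would be dropped and why. The integration name, `hook_url`, `api_key`, the group lists and the sample alerts are all placeholders or constructed values; the model is a simplification of the integrator and ignores its other options.

```python
"""Model the <level> and <group> filters of a Wazuh <integration> block.

Added example, not T-Guard's or Wazuh's code. Simplified model: an alert is
forwarded when rule.level >= <level> and, when <group> is set, rule.groups
shares at least one entry with the configured comma-separated list.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed <integration> block; name, hook_url and api_key are placeholders.
# The group list stands for a configuration that only names Linux-side groups.
CONFIG_BEFORE = """<ossec_config>
  <integration>
    <name>custom-iris</name>
    <hook_url>http://IRIS_HOST:8000/ALERT_ENDPOINT</hook_url>
    <api_key>IRIS_API_KEY_PLACEHOLDER</api_key>
    <level>0</level>
    <group>syscheck,sshd,authentication_failed</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""

# Same block with the Windows rule groups added, as the thread suggests.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "<group>syscheck,sshd,authentication_failed</group>",
    "<group>syscheck,sshd,authentication_failed,windows,windows_security</group>",
)

# Constructed alerts (only the fields this model reads), one per agent in the thread.
ALERTS: List[Dict] = [
    {"agent": {"id": "001", "name": "ubuntu-1"},
     "rule": {"level": 5, "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"agent": {"id": "002", "name": "win11"},
     "rule": {"level": 5, "groups": ["windows", "windows_security"]}},
    {"agent": {"id": "003", "name": "ubuntu-2"},
     "rule": {"level": 7, "groups": ["ossec", "syscheck", "syscheck_entry_modified"]}},
]


def parse_integration(conf_xml: str) -> Dict:
    """Pull the fields that control filtering out of the first <integration> block."""
    integ = ET.fromstring(conf_xml).find("integration")
    if integ is None:
        raise ValueError("no <integration> block found")
    level = integ.findtext("level")
    group = integ.findtext("group") or ""
    return {
        "name": integ.findtext("name"),
        "level": int(level) if level is not None else 0,
        "groups": [g.strip() for g in group.split(",") if g.strip()],
    }


def explain(alert: Dict, integ: Dict) -> str:
    """Return 'forwarded', or the reason the integrator would skip this alert."""
    rule = alert["rule"]
    if rule["level"] < integ["level"]:
        return f"dropped: level {rule['level']} < configured level {integ['level']}"
    if integ["groups"] and not set(rule["groups"]) & set(integ["groups"]):
        return f"dropped: groups {rule['groups']} not in configured groups {integ['groups']}"
    return "forwarded"


def forwarded_agents(conf_xml: str, alerts: List[Dict]) -> Dict[str, bool]:
    """Map agent id -> whether its sample alert would reach IRIS under this config."""
    integ = parse_integration(conf_xml)
    return {a["agent"]["id"]: explain(a, integ) == "forwarded" for a in alerts}


if __name__ == "__main__":
    for label, conf in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        integ = parse_integration(conf)
        print(f"{label}: level>={integ['level']} groups={integ['groups']}")
        for alert in ALERTS:
            print(f"  agent {alert['agent']['id']}: {explain(alert, integ)}")
```

With the "before" configuration the Windows agent (ID 002) is the only one dropped, and the reason printed is the group filter rather than the level, which matches what the team observed after the level had already been set to 0. Swap in your own `<integration>` block and a line from `alerts.json` to check a real deployment the same way.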

Nice Work. It works flawlessly.

Thank you.