drcyberg
just joined
Topic Author
Posts: 4
Joined: Tue Feb 13, 2024 2:37 pm
Location: Hungary

WAZUH agentless monitoring problem

Tue Feb 13, 2024 3:08 pm

Hi Masters!

I have successfully installed the Wazuh https://wazuh.com/install/ XDR and SIEM protection program on my VPS.
My goal would be to use Wazuh Agentless https://documentation.wazuh.com/current ... index.html to report the status of my router (hAP ac²) via SSH.
It is theoretically possible, but unfortunately the method is not compatible with MikroTik, or I am just missing something. :(
I use this agentless config in /var/ossec/etc/ossec.conf, with endpoints using password authentication:
<agentless>
  <type>ssh_generic_diff</type>
  <frequency>60</frequency>
  <host>admin@mydomain.com</host>
  <state>periodic_diff</state>
  <arguments>/log print</arguments>
</agentless>
Unfortunately the process gets stuck; of course it doesn't display an error in /var/ossec/logs/ossec.log:
...
2024/02/13 08:23:21 wazuh-agentlessd: INFO: Test passed for 'ssh_generic_diff'.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:23:22 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Started.
2024/02/13 08:34:34 wazuh-agentlessd: INFO: ssh_generic_diff: admin@mydomain.com: Starting.
...
I tried all the existing variations that were listed as configurations, but none of them succeeded. :?
Of course I can log in manually via ssh console.
My question is, has anyone managed to put this together like this?
I think the problem is with the ssh_generic_diff script.

Thank you!

Regards: DrCyberg
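What the agentless config above is meant to achieve, as an added example that is not from this thread or from Wazuh: a small Python poller that fetches `/log print` over key-based SSH only (`ssh -o BatchMode=yes`, so it fails fast rather than hanging at a password prompt), applies periodic_diff semantics to successive snapshots, and picks out account and login-failure entries. The sample snapshots and the `wazuh` user name are constructed, and the RouterOS log line layout (optional date, time, comma-separated topics, message) is the assumption the parser rests on.

```python
import re
import subprocess
# One line of RouterOS "/log print" output: an optional date on older
# entries (e.g. "feb/13"), the time, comma-separated topics, the message.
LOG_LINE = re.compile(
    r"^(?:(?P<date>[a-z]{3}/\d{2})\s+)?(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<topics>[\w,-]+)\s+(?P<message>.*)$"
)

# Constructed sample snapshots (not real router output); the second one
# has two new lines, as if polled one frequency interval later.
SNAPSHOT_1 = """\
feb/13 08:20:01 system,info router rebooted
feb/13 08:23:21 system,info,account user wazuh logged in from 192.0.2.10 via ssh
"""
SNAPSHOT_2 = SNAPSHOT_1 + """\
08:34:34 system,error,critical login failure for user admin from 198.51.100.7 via ssh
08:34:40 system,error,critical login failure for user admin from 198.51.100.7 via ssh
"""

def fetch_log(host, user, keyfile):
    """Run "/log print" over SSH with key-based auth only; BatchMode=yes fails
    fast instead of waiting at a password prompt (fatal for a fixed poller)."""
    cmd = ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10",
           "-i", keyfile, f"{user}@{host}", "/log print"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_log(output):
    """Parse "/log print" text into dicts; lines that do not match (banners,
    blanks) are skipped rather than treated as events."""
    records = []
    for line in output.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["topics"] = rec["topics"].split(",")
            records.append(rec)
    return records

def new_entries(previous, current):
    """periodic_diff semantics: lines present now that were absent from the
    last snapshot, in router order. Identical repeated lines count once."""
    seen = set(previous.splitlines())
    return [l for l in current.splitlines() if l.strip() and l not in seen]

def auth_events(output):
    """Keep only account and login-failure entries, the ones worth alerting on."""
    return [r for r in parse_log(output)
            if "account" in r["topics"] or "login failure" in r["message"]]
```

Persist the last snapshot between runs and feed `new_entries(stored, fetch_log(...))` into your alerting; the key used by the poller should belong to a dedicated read-only router user, not admin.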
patrikg
Member
Posts: 362
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: WAZUH agentless monitoring problem

Fri Feb 16, 2024 2:40 pm

Have you tried turning off password login and using the slightly more secure login model via PKI? Check this link on how to import your public key.

https://help.mikrotik.com/docs/display/ ... entication

You should try not to use passwords, and apply a more secure login.
And create a new user on the device that does not use admin as the login.
drcyberg
just joined
Topic Author
Posts: 4
Joined: Tue Feb 13, 2024 2:37 pm
Location: Hungary

Re: WAZUH agentless monitoring problem

Sun Feb 18, 2024 9:10 am

Have you tried turning off password login and using the slightly more secure login model via PKI? Check this link on how to import your public key.

https://help.mikrotik.com/docs/display/ ... entication

You should try not to use passwords, and apply a more secure login.
And create a new user on the device that does not use admin as the login.

I thought I'd try a simple solution to see if it works (password).
I will try the method you suggested, as you say.
Although I have since solved it with a different method (VPN + Route).

Thank you!

Regards: DrCyberg
krafg
Forum Guru
Posts: 1042
Joined: Sun Jun 28, 2015 7:36 pm

Re: WAZUH agentless monitoring problem

Mon Feb 19, 2024 3:02 pm

[Off topic]

When I tried Wazuh (and OSSEC), I always believed that it was agent-only. I liked it, but I saw that the agent on Windows is super easy to defeat. Simply uninstalling or turning off the service is enough, and there is no protection. I don't know if I did something wrong, but anyway, even Cortex XDR from Palo Alto was easy to turn off without uninstalling (at least that one has anti-tamper protection, and you can't uninstall it without a master password that is configured on the server side).

Any free recommendation is appreciated.

[On topic]

You always need to use certificates, and never passwords, for automated processes that need SSH logins. Otherwise, SSH would be anything but secure.

Regards.