I'm slowly turning to your channel instead of the official documentation. Your videos are always on-point and with a perfect rhythm and pace for the topic at hand!
Can you please do a Wazuh multi-site implementation that helps organizations unify their security monitoring capabilities across multiple geographically dispersed locations or sites with a single dashboard?
This is not OpenSearch. This is the predecessor, Open Distro, which is being retired. Wazuh doesn't yet support OpenSearch since Kibana no longer exists and has been changed/forked to opensearch-dashboards.
Correct, that was my mistake. Thank you for help clarifying :)
Thanks for the best guide.
Great video! Do you know if you can add these different labels to ingested AWS or GCP logs as well? So logs coming from one AWS account could be labeled "AWS-A" and logs coming from another AWS account could be labeled "AWS-B"? Thanks!
It looks like the permissions in the OpenSearch cluster have changed. Can you help me figure out the corresponding cluster value for OpenSearch?
Hello Taylor, could you please redo this video on Wazuh 4.8? Thank you.
Great video. I recently installed the multi-server Wazuh, but since this video was released there have been some changes to the UI and some parameters don't apply anymore (I don't really have anywhere to paste what you did). Any advice?
Agree with jag831. Your video is better than the Wazuh documentation. However, I'm stuck somewhere and need help. How do I troubleshoot the "Wazuh API error: ERR_BAD_Request - Permission denied: Resource type: *.*"?
The full error in detail:
You have no permissions. Contact to an administrator:
no permissions for [indices:data/read/search] and User [name=venus, backend_roles=[], requestedTenant=]: security_exception: [security_exception] Reason: no permissions for [indices:data/read/search] and User [name=venus, backend_roles=[], requestedTenant=]
Is this setup the same as multiple Wazuh servers connected to a single Wazuh manager? As far as I understand, the two agents are Server A and Server B.
I followed your video exactly but am getting errors. You might have done something else which is missing from the video.
Hey there, what were the errors you were facing? Are you still facing them?
Hello, I tried this setup on the Wazuh appliance v4.3.10 and I receive this message after logging in as a group user:
You have no permissions. Contact to an administrator: no permissions for [indices:data/read/search] and User [name=gc1, backend_roles=[], requestedTenant=null]: security_exception
@Taylor, can you help me please, or do you have any idea where the problem is?
Thank you.
Could you solve this error?
@fernandolopez204 Yes, in the documentation there are some scripts and steps for this problem...
@erikkirschner8681 Thanks for answering... could you guide me a bit or give me more information? I'm new to Wazuh and I still can't find the solution to the problem within the documentation.
I have the exact problem, I read the documentation, but couldn't find a solution. Can you help?
Go into OpenSearch Security, select Internal users and edit the users you added using the above video. Each user needs two backend roles added, one called "kibanauser" and the other "readall". Click save changes and you should be able to log in with those users afterwards.
Hi, thanks for the content.
I followed your steps but I got this error:
{You have no permissions. Contact to an administrator:
no permissions for [indices:data/read/search] and User [name=user1, backend_roles=[], requestedTenant=null]: security_exception}.
Can you please help to resolve this?
Could you solve this error?
Hi Taylor, I'm using v4.6.0 and also got the same permission error after following your step-by-step twice! Please advise. Thanks!
Go into OpenSearch Security, select Internal users and edit the users you added using the above video. Each user needs two backend roles added, one called "kibanauser" and the other "readall". Click save changes and you should be able to log in with those users afterwards.
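An added helper, not from the video or from anyone in this thread, that parses the security_exception text quoted above, reports which of the two backend roles named in the replies a user is still missing, and builds the Security REST API PATCH that adds them without dropping roles the user already has. Assumptions: the API prefix is /_plugins/_security on OpenSearch and /_opendistro/_security on Open Distro, and the sample error text is the one quoted in the thread.

```python
import re

# Shape of the security_exception message quoted in this thread, e.g.
#   no permissions for [indices:data/read/search] and User [name=user1, backend_roles=[], requestedTenant=null]
_ERR_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]"
)

# Backend roles the replies above say each dashboard user needs.
REQUIRED_BACKEND_ROLES = ("kibanauser", "readall")

# Error text as quoted in the thread, used here as sample input.
SAMPLE_ERROR = (
    "You have no permissions. Contact to an administrator: no permissions for "
    "[indices:data/read/search] and User [name=user1, backend_roles=[], "
    "requestedTenant=null]: security_exception"
)


def parse_security_exception(message):
    """Extract the denied action, the user and its current backend roles; None if no match."""
    m = _ERR_RE.search(message)
    if not m:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("user"), "backend_roles": roles}


def missing_backend_roles(parsed):
    """Which of the required backend roles the user does not have yet."""
    return [r for r in REQUIRED_BACKEND_ROLES if r not in parsed["backend_roles"]]


def build_role_patch(parsed, api_prefix="/_plugins/_security"):
    """Describe the Security API call that adds the missing roles, keeping existing ones.
    Assumption: api_prefix is /_plugins/_security on OpenSearch and
    /_opendistro/_security on Open Distro; check which one the deployment runs.
    Returns None when the user already has every required role."""
    missing = missing_backend_roles(parsed)
    if not missing:
        return None
    return {
        "method": "PATCH",
        "path": f"{api_prefix}/api/internalusers/{parsed['user']}",
        "body": [{"op": "replace", "path": "/backend_roles",
                  "value": parsed["backend_roles"] + missing}],
    }


if __name__ == "__main__":
    parsed = parse_security_exception(SAMPLE_ERROR)
    print(parsed, build_role_patch(parsed))
```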
I am missing agent.labels in the events. How can I add it?
Hi, thanks for the content! It's very useful, especially to MSPs that are starting a SOC/SIEM service.
I have a question about labeling the syslog events the way you did with the agents. Is there any way to segregate syslog events from firewalls and switches by client?
You could use a sequence of rules to separate firewall and switch events per client by using a field name of the agent label. Something like the below may work:
firewall + customer1 -> "Customer1 Firewall Alert"
firewall + customer2 -> "Customer2 Firewall Alert"
switch + customer1 -> "Customer1 Switch Alert"
etc. Hope this helps and thanks for watching!
@taylorwalton_socfortress can you make a video about this approach? I don't get how the if_group would work with several devices sending syslog to the Wazuh manager.
That's an awesome tutorial video!!!
Is it possible to do this in Elasticsearch rather than Open Distro? Thanks
Unfortunately no. You'd have to pay for an Elasticsearch license.
@taylorwalton_socfortress thanks for your quick response. One further query: if I use Open Distro, can I use my own certificates, and can I use all the beats like Filebeat, Metricbeat, etc.? And can I use TheHive, Cortex and MISP in Open Distro as with Elasticsearch? Thanks.
Time 5:54: where do you get these IPs that you use?
That is the public IP address of my Wazuh Manager. Thanks for watching :)
@taylorwalton_socfortress I get it now. Thanks for the response.