CentSoc - Add Cybersecurity to Centreon via Wazuh

  • 29 June 2023


Hi everyone,

I wanted to present to you a Centreon module we developed to add a cybersecurity layer on Centreon, named CentSoc.

CentSoc uses the Wazuh Manager API to display the scan results provided by the Wazuh Agents on the Centreon UI.
You can use it if you have Wazuh installed in your environment, and if you want to test it, you can just install the Wazuh Manager (Wazuh Dashboard and Indexer not mandatory).

You just have to link a Wazuh agent to a Centreon Host with a simple macro and CentSoc will display several pieces of information, like vulnerabilities, conformity scan results and file integrity.

This module will be open-source (we haven't posted the source yet).

We will do a demo on LinkedIn on July 7 here (in French).

Don't hesitate to come take a look 😀


5 replies

Userlevel 5
Badge +11

Great news! I will highlight it in the next recap. After the webinar, feel free to post the replay here (if there is one), either by modifying the original post or in the comments. Cheers,

Userlevel 5
Badge +11

Just an update, we published the sources on GitHub:
https://github.com/YPSI-SAS/centsoc

Don’t hesitate to test it, my DMs are open if you have any questions 🙂

Badge

Hello everyone, and thanks a lot Victor for your sources on GitHub!

Just a silly question, sorry about that, but I don’t understand how to install the “WAZUHAGENTID” macro on each Wazuh agent, as you mention in your readme?

I have already tested the Wazuh API with services from App-Wazuh-Manager-RestAPI-Custom and App-Wazuh-Agent-RestAPI-Custom and everything looks OK from Centreon…

Userlevel 5
Badge +11

Hello Stephane,

The macro “WAZUHAGENTID” has to be added manually to your host(s) at the Centreon level. It is only used by the CentSOC module, not by the Centreon plugins.

This macro refers to the Wazuh AgentID installed on the server you monitor with Wazuh.

When you install a Wazuh agent on a server, it will register on the Wazuh Manager, then the Wazuh Manager will assign an ID to the agent.

This is the value you need to put in the WAZUHAGENTID macro (like in the screenshot).

You can get the Wazuh Agent ID for your registered agent on the Wazuh dashboard, or with the Wazuh manager API with the /agents endpoint, or by executing this command on the Wazuh Manager server:

/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: HOST01, IP: any, Active
ID: 002, Name: HOST02, IP: any, Active
ID: 003, Name: HOST03, IP: any, Disconnected

Hope it helps you
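
Added example, not part of the original post or of the CentSoc project: a shell helper that parses the agent_control -l listing shown above into host name / WAZUHAGENTID pairs, skipping the manager's own entry (ID 000). It assumes the Wazuh agent name matches the Centreon host name; the function names and the semicolon-separated output format are made up for this illustration.

```shell
#!/bin/sh
# Added example: turn `agent_control -l` output into host -> WAZUHAGENTID pairs.
# Function names and output layout are hypothetical, not part of CentSoc.

# Constructed sample input, following the listing format shown in the post.
sample_listing() {
cat <<'EOF'
Wazuh agent_control. List of available agents:
ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: HOST01, IP: any, Active
ID: 002, Name: HOST02, IP: any, Active
ID: 003, Name: HOST03, IP: any, Disconnected
EOF
}

# Reads a listing on stdin and prints "name;WAZUHAGENTID;id;status" per agent.
# The ID is kept exactly as printed (zero-padded). ID 000 is the manager
# itself, so it is skipped. The status column makes disconnected agents visible.
agent_macros() {
    awk -F', ' '
        /^ID: [0-9]+, Name: / {
            id = $1;   sub(/^ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            status = $NF
            if (id == "000") next
            printf "%s;WAZUHAGENTID;%s;%s\n", name, id, status
        }'
}

# Prints the agent ID for one host name (assumed equal to the agent name).
# Returns non-zero when no agent with that name is registered.
agent_id_for() {
    agent_macros |
        awk -F';' -v h="$1" '$1 == h { print $3; found = 1 } END { exit !found }'
}

# Demo on the constructed sample. On a real Wazuh manager, use instead:
#   /var/ossec/bin/agent_control -l | agent_macros
sample_listing | agent_macros
```

A host that returns no ID from agent_id_for has no registered agent under that name, so there is no value to put in its macro yet.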

 

Badge

Hi!

Well, it was a silly question indeed!

I got it of course, and it works fine once I declare the “WAZUHAGENTID” in the “macro” field for each host with a Wazuh agent.

Thanks again for sharing your work!
