wazuh-splunk
Agents by node summary
Currently, there is a visualization showing the alerts by node. I would like to see the same visualization, but showing the agents by node.
This is a real example:
My master node failed, so all my agents were moved to the worker node, and the alerts increased on that node. I would like to see the number of agents, since it is a good way to check whether all the agents were moved to another node.
Update
After some research to create this visualization, I just found out that the wazuh-monitoring-3x indices in Splunk don't have enough information about the agents, unlike the Elasticsearch wazuh-monitoring-3x indices. The information stored in this index should be updated.
Here is an example of the differences between the Elasticsearch and Splunk wazuh-monitoring-3x indices:
- Elasticsearch:

```json
{
  "os": {
    "build": "18362",
    "major": "10",
    "minor": "0",
    "name": "Microsoft Windows 10 Pro",
    "platform": "windows",
    "uname": "Microsoft Windows 10 Pro",
    "version": "10.0.18362"
  },
  "ip": "192.168.0.97",
  "configSum": "1df5ba232cf40bf26387578c49596d06",
  "node_name": "node01",
  "status": "Active",
  "dateAdd": "1970-01-01 00:00:00",
  "group": [
    "default"
  ],
  "version": "Wazuh v3.9.5",
  "registerIP": "any",
  "manager": "master",
  "lastKeepAlive": "2019-10-01 13:29:56",
  "mergedSum": "06eb7f7399e470b66643cd4f6ab2e69f",
  "id": "003",
  "name": "windows",
  "timestamp": "2019-10-01T13:30:02.014Z",
  "host": "master",
  "cluster": {
    "name": "wazuh"
  }
}
```
- Splunk:

```json
{
  "timestamp": "2019-09-30 23:00:00",
  "id": "004",
  "manager": {
    "name": "master"
  },
  "status": "Disconnected",
  "ip": "10.0.2.15"
}
```
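As an added example that is not part of this issue or of the wazuh-splunk app's own code, the following shows how the requested "agents by node" summary could be computed from monitoring documents of either shape quoted above. The sample documents are constructed to mirror the two examples; the field handling (grouping on `node_name`, keeping only each agent's most recent document, and counting agents without a node field under `unknown`) is an assumption about how such a summary would be built, not the app's implementation.

```python
"""Agents-per-node summary from wazuh-monitoring documents.

Added example, not code from the wazuh-splunk project. The documents
below are constructed to mirror the two shapes quoted in the issue; the
grouping logic is an assumption, not the app's own implementation.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample documents: an Elasticsearch-shaped one (carries
# node_name), an older document for the same agent (to show that only the
# latest document per agent is counted), and a Splunk-shaped one that has
# no node field at all.
ES_DOC = {
    "id": "003", "name": "windows", "status": "Active",
    "node_name": "node01", "manager": "master",
    "timestamp": "2019-10-01T13:30:02.014Z",
}
ES_DOC_OLDER = {
    "id": "003", "name": "windows", "status": "Active",
    "node_name": "master", "manager": "master",
    "timestamp": "2019-10-01T13:00:02.014Z",
}
SPLUNK_DOC = {
    "timestamp": "2019-09-30 23:00:00", "id": "004",
    "manager": {"name": "master"}, "status": "Disconnected",
    "ip": "10.0.2.15",
}


def parse_timestamp(value):
    """Accept both timestamp formats seen in the two indices."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def node_of(doc):
    """Cluster node the agent reports to, or None when the document does
    not carry it (the Splunk shape in the issue)."""
    return doc.get("node_name")


def latest_per_agent(docs):
    """Monitoring indices hold one document per agent per interval, so keep
    only the most recent document for each agent id."""
    latest = {}
    for doc in docs:
        ts = parse_timestamp(doc["timestamp"])
        if doc["id"] not in latest or ts > latest[doc["id"]][0]:
            latest[doc["id"]] = (ts, doc)
    return {agent_id: doc for agent_id, (_, doc) in latest.items()}


def agents_by_node(docs, only_active=False):
    """Count agents per node from each agent's latest document. Agents
    whose document lacks a node field are reported under 'unknown'."""
    counts = Counter()
    for doc in latest_per_agent(docs).values():
        if only_active and doc.get("status") != "Active":
            continue
        counts[node_of(doc) or "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(agents_by_node([ES_DOC, ES_DOC_OLDER, SPLUNK_DOC]))
    print(agents_by_node([ES_DOC, ES_DOC_OLDER, SPLUNK_DOC], only_active=True))
```

Run against the three constructed documents, agent 003 is attributed to `node01` (its latest document) while agent 004 ends up under `unknown`, which is exactly the gap the issue describes: with the Splunk-shaped document there is nothing to group on.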