Generating Wazuh Reports
In this post, I will go over how to generate reports using the Wazuh web dashboard. This is something that I started to do over the past month to help filter my view of the information from the alerts and the vulnerability scans. One of the interesting things this allows you to see is what type of alerts are reported and specific information about the reports that are relevant to you. For myself, what I am interested in is the alert description and the source IP that triggered the alert. I use this information in the reports I download, in conjunction with a Python script I wrote, to see what countries they are from and how many are coming from each country. I will link it at the end of my post about the Python script once I have it up.
The first step after you log into the Wazuh dashboard is to click on the hamburger button on the left. This will open up the menu. Under Explore, you want to click on Discover.
Once the page has loaded, in the top left, you will see a drop-down box with "wazuh-statistics-*" in it. Please note that from time to time, it will have one of the other options selected in it when the page loads.
I suggest working on filters before using the option on the left to add specific columns to the report. I like to do this when going through, because I can see the complete information for each item. That helps me to decide on what I want to filter out. The first filter I typically apply when doing the report on Alerts is the agent name. My web server is called Rohan. You can include or exclude any agent via their name or number ID using this filter. This can significantly help filter out noise in the report.
The next filter I like to apply is one that makes sure that each alert has a source IP address. This will remove alerts that are created from local things that happen on the server. I pull those items together in a separate report.
Now that we have filtered the report, I want to add the columns that interest me. Back on the left side of the dashboard, you will see a list of field names. There are many options to pick from when working on an alerts report. The nice thing is that once you select a field, it will move to the Popular fields section. You can, of course, remove any item in this part of the list when you want to.
The fields that I like to add are data.timestamp, data.src_ip, and rule.description. The first column that you see to the left, labeled "Time", will not show up when you download the report. It is just for the dashboard. Here is an image of what the graph and top part of the report look like for me. Yes, that does say 3,762 hits for a 24-hour period.
Now that all of that is done, it is time to save the report. At the top right of the dashboard, you will see several options. The one we want is Save. If this is your first time saving the report, you will see a dialog box like below open up. Type a name for the report and click on Save. If you are saving changes to a report that you already saved, you will have an option to save as a new report. This is great if you want to have a main report and then do sub-reports for certain things. You can always load a previously saved report by clicking on Open in the top right and selecting the report you want to return to.
If you want to save a copy of the report locally, click on Reporting in the top right and click on Generate CSV or Generate XLSX. I usually select CSV because I find it a little bit easier to work with in Python. You can also click View reports to go to the Reports dashboard and see all the reports you have saved.
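As an added example (not the author's script), here is one way to summarize a downloaded CSV by source IP and rule description. It assumes the CSV header uses the field names selected in Discover as column names; the sample rows are constructed, and the country lookup is left out because it needs a GeoIP database.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of an exported report. The header names are an assumption:
# they mirror the fields picked in Discover. IPs are documentation ranges.
SAMPLE_CSV = """data.timestamp,data.src_ip,rule.description
2024-05-01T00:01:12Z,203.0.113.7,sshd: authentication failed.
2024-05-01T00:01:15Z,203.0.113.7,sshd: authentication failed.
2024-05-01T00:02:40Z,198.51.100.23,Web server 400 error code.
2024-05-01T00:03:02Z,not-an-ip,Web server 400 error code.
2024-05-01T00:04:19Z,10.0.0.5,sshd: authentication failed.
2024-05-01T00:05:55Z,,Web server 400 error code.
"""

# Addresses that cannot be mapped to a country, so they are skipped.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def summarize(csv_file):
    """Return (alerts per source IP, alerts per (IP, description), skipped rows)."""
    per_ip, per_pair, skipped = Counter(), Counter(), 0
    for row in csv.DictReader(csv_file):
        raw = (row.get("data.src_ip") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)  # rejects empty and malformed values
        except ValueError:
            skipped += 1
            continue
        if any(ip in net for net in LOCAL_NETS):
            skipped += 1
            continue
        description = (row.get("rule.description") or "").strip()
        per_ip[str(ip)] += 1
        per_pair[(str(ip), description)] += 1
    return per_ip, per_pair, skipped


if __name__ == "__main__":
    per_ip, per_pair, skipped = summarize(io.StringIO(SAMPLE_CSV))
    for ip, count in per_ip.most_common():
        print(f"{count:5d}  {ip}")
    for (ip, description), count in per_pair.most_common(5):
        print(f"{count:5d}  {ip}  {description}")
    print(f"skipped rows: {skipped}")
```

For a real export, pass `open(path, newline="", encoding="utf-8-sig")` to `summarize` instead of the inline sample.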
I have included an image below to show how I like to set up a report for vulnerabilities. This particular report is for critical vulnerabilities on all agents. I have the report showing the agent name, the vulnerability ID if it has one, what package is causing the alert, and the description. I will typically break it down to each individual agent once I have downloaded the report.