Search

6 min read

Discover #

The “Discover” module allows users to explore, search, and analyze the data collected by Argus agents and store.

1. Accessing Argus Discover

  • Open your web browser and navigate to the Argus web interface URL.
  • Log in with your credentials.
  • Click on the “Search” tab in the main navigation menu. Discover module will open

2. Basic Navigation

  • Search Bar: Located at the top of the Discover page, the search bar allows you to enter queries to filter your data.
  • Time Picker: Set the time range for your data exploration. You can choose predefined ranges or set a custom range.
  • Index Patterns: Select the index pattern you want to explore. This can be changed from the menu on the left side.

3. Running Searches

  • Enter search queries in the search bar to filter your data.
  • Use Lucene syntax or Kibana Query Language (KQL) for more advanced searches.
    • Example (Lucene): message: “error” AND host: “server1”
    • Example (KQL): message: “error” and host: “server1”

4. Viewing and Interpreting Results

  • The results are displayed in a table format below.
  • Each row represents a single log entry.
  • Click on a row to view detailed information about that entry.

Alerting in Argus Manager #

What is Alerting?

Alerting involves generating notifications based on specific security events or conditions detected by the Argus agents. These alerts can be configured to notify administrators via email, Slack, or other methods when certain conditions are met.

Where to Configure Alerts?

Alerts are configured within the Argus Manager, and the configurations are typically defined in the ossec.conf file. Additionally, the Argus Dashboard (web interface) can be used to manage alert rules and view alert history.

How to Configure Alerts?

1. Accessing the Configuration File:

  • Open the ossec.conf file located in the Argus Manager configuration directory, usually /var/ossec/etc/ossec.conf.

2. Defining Alert Rules:

  • Alert rules are defined within the <rules> section of the ossec.conf file.
  • Example of defining a rule:

<rules>

  <rule id=”100001″ level=”10″>

    <decoded_as>json</decoded_as>

    <field name=”action”>login_failed</field>

    <description>Failed login attempt</description>

  </rule>

</rules>

3. Configuring Alert Destinations:

  • Alerts can be sent to various destinations such as email, Slack, or a custom script.
  • Example of configuring email alerts:

<global>

  <email_notification>yes</email_notification>

  <smtp_server>smtp.example.com</smtp_server>

  <email_from>no-reply@example.com</email_from>

  <email_to>admin@example.com</email_to>

</global>

4. Testing Alert Configurations:

  • Use the Argus command-line interface or generate a test event to verify alert triggers and notifications.

5. Managing Alerts via Argus Dashboard:

  • Log in to the Argus Dashboard using your web browser.
  • Navigate to the “Rules” section to manage and view alert rules.
  • Navigate to the “Search–> Alerts” section to view and filter generated alerts.
  • You can create, modify, and delete rules using the dashboard’s intuitive interface.

6. Advanced Alert Customization:

  • Use the Argus API for more advanced alert configurations and integrations.
  • Example API call to list alert rules:

7. Using Alert Filters:

  • Filter alerts based on criteria such as time range, severity, and rule ID using the Argus Dashboard.
  • This helps in focusing on the most critical alerts and reducing noise.

8. Automated Response and Remediation:

  • Integrate Argus with external systems to automate responses to certain alerts.
  • For example, triggering a script to block an IP address upon detecting multiple failed login attempts.

User Manual for Alerting (Web Interface Only) #

This manual focuses on configuring and managing alerts using the Argus web interface.

What is Alerting in Argus?

Alerting in Argus allows you to be notified about significant security events. These alerts can be configured to notify administrators via various methods when specific conditions are met.

Where to Configure Alerts in the Argus Web Interface?

Alerts can be configured and managed through the Argus Dashboard, which is the web interface for Argus.

How to Configure Alerts in the Argus Web Interface?

1. Accessing the Argus Dashboard:

  • Open your web browser and navigate to the Argus Dashboard URL.
  • Log in using your Argus credentials.

2. Navigating to the Alerts Section:

  • Once logged in, navigate to the “Search” section in the left-hand menu. This section allows you to view and manage existing alerts.

3. Creating Alert Rules:

  • Navigate to the “Rules” section in the left-hand menu.
  • Click on “Add rule” to create a new alert rule.
  • Fill in the details for the new rule:
    • Name: Provide a name for the rule.
    • Description: Describe what the rule does.
    • Conditions: Set the conditions that will trigger the alert, such as event type, severity, or specific keywords.
    • Actions: Specify what action should be taken when the rule is triggered (e.g., send an email, send a Slack message).

4. Configuring Alert Destinations:

  • Navigate to the “Settings” section in the left-hand menu.
  • Click on “Alerting” to configure where alerts should be sent.
  • Set up the desired alerting methods:
    • Email: Configure SMTP settings and email recipients.
    • Slack: Set up Slack webhook URLs and channels.
    • Other: Configure other methods as needed (e.g., custom scripts or integrations).

5. Viewing and Filtering Alerts:

  • Navigate to the “Alerts” section in the left-hand menu.
  • Use the search and filter options to view alerts based on criteria such as time range, severity, and rule ID.
  • Click on an alert to view its details and understand why it was triggered.

6. Modifying or Deleting Alert Rules:

  • Navigate to the “Rules” section.
  • Find the rule you want to modify or delete.
  • Click on the rule to edit its details or use the delete option to remove it.

Alert Management Overview #

  1. Alerts in Argus:
    • Alerts are notifications generated by the Argus manager when specific events happen, based on rules that match events from the Argus agents and agentless devices.
    • Alerts are stored in two main files: alerts.log and alerts.json, located in the /var/ossec/logs/alerts/ directory.
  2. Alert Forwarding:
    • By default, Argus uses Filebeat to forward alerts to the Argus indexer, where the alerts can be stored and analyzed.
    • You can configure the Argus manager to forward alerts to other systems such as syslog servers, email systems, or databases for centralized monitoring, backup, and further analysis.
  3. Alert Threshold:
    • Alert threshold determines the minimum severity level required to trigger an alert. Alerts have severity levels from 1 (low) to 16 (high).
    • The alert threshold is defined in the Argus configuration file (/var/ossec/etc/ossec.conf) under the <alerts> tag.
    • Example configuration for log and email alerts:

<alerts>

  <log_alert_level>3</log_alert_level>

  <email_alert_level>12</email_alert_level>

</alerts>

  1. log_alert_level: Alerts with severity ≥ 3 are logged.
  2. email_alert_level: Alerts with severity ≥ 12 generate an email notification.
What are your Feelings

Leave a Reply

Your email address will not be published. Required fields are marked *