SIEM Project Lab Setup | Part 10 | Using Dashboard Query Language (DQL) to check Wazuh Logs
In this series, I have walked you through setting up your very own SIEM home lab in Oracle VirtualBox. The home lab consists of 2 Linux Virtual Machines (VMs), a pfSense firewall/router, and a Wazuh server. In this article we generate log activity in Wazuh through failed logins to endpoints. If you're interested in trying to set this lab up for yourself, you can check out Part 1 of my series to get started.
In this lab, we walk through a few simulations where we generate log activity so that we can look it up in Wazuh and analyze the logs to learn the ins and outs of log analysis. Let's do it!
Step 1: Open the Oracle VirtualBox Manager, power on all of the VMs
Step 2: Log in to the Wazuh console
To log into Wazuh, type in the default credentials shown on the console.
Now we will generate invalid login logs on our Linux VMs.
Step 3: Punch in the wrong username/password for both Linux VMs a few times, maybe 2-3 times each.
Step 4: Once you conduct a few invalid logins, log in successfully to each Linux VM
Step 5: On one of your Linux VMs, open a web browser and login to the Wazuh Web GUI using the admin credentials (username "admin," password "admin")
Step 6: Click on the Menu button in the upper left corner, then click Explore, then Discover
Step 7: At the top of the Discover page, type in "rule.groups: authentication_failed" and press "Enter". This is a search query written in the Dashboard Query Language (DQL), the language used to search data in OpenSearch Dashboards, which the Wazuh dashboard is built on.
For more info on DQL, check out this resource.
Step 8: Scroll through the search results and you'll notice that Wazuh highlights the records that show failed authentications.
Notice in the following two images that I ran a quick terminal command in each Linux VM: "ip a", to double-check the IP addresses of the Linux Mint and Ubuntu VMs.
Notice in Wazuh that the records confirm the IP address, agent name, and the result of our login attempts: both the Linux Mint and Ubuntu VMs show failed logins. This shows how powerful a well-configured SIEM tool like Wazuh can be, because it tracks so many small data points that analysts can use to pinpoint many different events on a system.
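To make concrete what the Step 7 query actually matches, and how an analyst pivots on the results from Step 8, here is an added example that is not code from the original article or from the Wazuh or OpenSearch projects: a small Python evaluator for the DQL subset used in this walkthrough (field:value terms, `*` wildcards, `and`/`or`/`not`, parentheses) run over a handful of hand-constructed documents shaped like Wazuh alerts. The field names follow Wazuh's alert layout (`rule.groups`, `agent.name`, `agent.ip`, `data.srcuser`); the IP addresses, usernames, rule ids and descriptions are made-up sample values. It goes one step past the article by tallying failed logins per agent, which is the natural follow-up once the failed-authentication records are on screen.

```python
"""Mini evaluator for the DQL subset used in the Wazuh walkthrough.

Added example, not code from the article or from Wazuh/OpenSearch. The
alerts below are constructed by hand to mimic the shape of Wazuh alert
documents; their values (IPs, users, rule ids) are sample data only.
"""
import fnmatch
import re
from collections import Counter


def _alert(agent, ip, groups, description, user, rule_id):
    """Build one constructed alert in the nested layout Wazuh uses."""
    return {"agent": {"name": agent, "ip": ip},
            "rule": {"id": rule_id, "groups": groups, "description": description},
            "data": {"srcuser": user}}


FAILED = (["pam", "syslog", "authentication_failed"], "PAM: User login failed.")
SUCCESS = (["pam", "syslog", "authentication_success"], "PAM: Login session opened.")

# Constructed sample data: 3 failed logins on Mint, 2 on Ubuntu, 1 success, 1 sudo.
SAMPLE_ALERTS = [
    _alert("linux-mint", "192.168.1.101", *FAILED, "wronguser", "5503"),
    _alert("linux-mint", "192.168.1.101", *FAILED, "wronguser", "5503"),
    _alert("linux-mint", "192.168.1.101", *FAILED, "mint", "5503"),
    _alert("ubuntu", "192.168.1.102", *FAILED, "ubuntu", "5503"),
    _alert("ubuntu", "192.168.1.102", *FAILED, "ubuntu", "5503"),
    _alert("linux-mint", "192.168.1.101", *SUCCESS, "mint", "5501"),
    _alert("ubuntu", "192.168.1.102", ["syslog", "sudo"],
           "Successful sudo to ROOT executed.", "ubuntu", "5402"),
]

# Tokens: quoted string, parens, field:"quoted value", or a bare word.
TOKEN_RE = re.compile(r'\s*("[^"]*"|\(|\)|[^\s()"]+:"[^"]*"|[^\s()]+)')


def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            break                      # only trailing whitespace left
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent: or < and < not < atom (DQL precedence)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def next(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() and self.peek().lower() == "or":
            self.next()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() and self.peek().lower() == "and":
            self.next()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() and self.peek().lower() == "not":
            self.next()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.next()
        if tok == "(":
            node = self.parse_or()
            if self.next() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, sep, value = tok.partition(":")
        if not sep:
            raise ValueError(f"expected field:value, got {tok!r}")
        if value == "":                # DQL allows "field: value" with a space
            value = self.next()
        return ("term", field, value.strip('"'))


def lookup(doc, path):
    """Resolve a dotted field path such as rule.groups against a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node, doc):
    kind = node[0]
    if kind == "term":
        value = lookup(doc, node[1])
        values = value if isinstance(value, list) else [value]   # list fields: any element
        return any(v is not None and fnmatch.fnmatchcase(str(v), node[2]) for v in values)
    if kind == "not":
        return not evaluate(node[1], doc)
    if kind == "and":
        return evaluate(node[1], doc) and evaluate(node[2], doc)
    return evaluate(node[1], doc) or evaluate(node[2], doc)


def search(query, alerts=SAMPLE_ALERTS):
    """Return the alerts matching a DQL query, like the Discover page does."""
    tree = Parser(tokenize(query)).parse_or()
    return [a for a in alerts if evaluate(tree, a)]


def failed_logins_per_agent(alerts=SAMPLE_ALERTS):
    """The Step 8 pivot: count authentication_failed records by agent."""
    return Counter(a["agent"]["name"] for a in search("rule.groups: authentication_failed", alerts))


if __name__ == "__main__":
    for hit in search("rule.groups: authentication_failed"):
        print(hit["agent"]["name"], hit["agent"]["ip"], hit["data"]["srcuser"])
    print(dict(failed_logins_per_agent()))
```

The `rule.groups` match is the detail worth noticing: Wazuh stores groups as a list, so `rule.groups: authentication_failed` matches when any element equals the value, which is why the query pulls in every PAM failure regardless of which other groups the rule carries. Narrowing with `and agent.name: ubuntu` or `and data.srcuser: wronguser` is the same pivot you would type into the Discover search bar.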
I hope you got value out of this walkthrough. If you did get value please consider giving this article a like and share it with someone else who may also get value from it. I hope you have a wonderful day.