WRKLOG-2026-02-25

Summary

Tuesday. Heavy SIEM work - created comprehensive Wazuh log analysis scripts. Enhanced netapi CLI. Created file hunting documentation. Prepared for Arch system upgrade.

Completed Today

Wazuh Credential Rotation

Rotated WAZUH_INDEXER_PASSWORD after security cleanup.

dsec edit d000 dev/observability
dsource d000 dev/observability
netapi wazuh health  # Verify connectivity

Wazuh API Montage Scripts (8 Files)

Created comprehensive log analysis scripts in domus-infra-ops/examples/wazuh/:

Script                       Purpose
wazuh-api-montage.sh         Full system analysis (176 lines) - alerts, agents, syschecks
wazuh-pfsense-montage.sh     Firewall blocks, DHCP, VPN, gateway events
wazuh-ise-montage.sh         802.1X, RADIUS, TEAP, MAB, CoA, profiler events
wazuh-switch-montage.sh      DOT1X, interface up/down, spanning tree, config changes
wazuh-wlc-montage.sh         Wireless clients, roaming, AP events, rogue detection
wazuh-dns-montage.sh         DNS queries, NXDOMAIN, zone transfers, AXFR
wazuh-vault-montage.sh       PKI issuance, SSH CA signing, secrets audit, policy changes
wazuh-nas-montage.sh         SMB/NFS access, volume events, RAID status, backups

Usage:

dsource d000 dev/observability
bash examples/wazuh/wazuh-ise-montage.sh 2>&1 | tee /tmp/ise-analysis.log

netapi wazuh CLI Enhancements

Added new commands to netapi wazuh:

Command                                   Purpose
netapi wazuh health                       OpenSearch cluster health status
netapi wazuh cluster                      Wazuh manager cluster status
netapi wazuh query "index" -q "term"      Custom OpenSearch queries with index pattern
netapi wazuh list-rules --level 12        Browse detection rules with level/group filters

Also fixed count to accept positional argument (no --query flag needed).

HTTP 500 Fix (OpenSearch OR Patterns)

Problem: Complex Lucene OR patterns like "term1 OR term2" caused HTTP 500 errors.

Solution: Split all OR patterns into separate single-term queries across all 8 montage scripts.

Key Learning: OpenSearch rejects complex OR queries. Use separate netapi wazuh query calls instead.
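As an added example (not one of the montage scripts), a small bash helper that splits a Lucene OR expression into single terms and issues one netapi wazuh query per term; the wazuh_query wrapper is an assumption that stands in for the real CLI and can be redefined to stub it.

```bash
#!/usr/bin/env bash
# Added example, not from the montage scripts: replace one "a OR b" Lucene
# query (which returned HTTP 500) with one single-term query per term.

# Split a Lucene-style "a OR b OR c" expression (optionally parenthesised)
# into one trimmed term per line.
split_or_terms() {
  printf '%s\n' "$1" | awk '{
    gsub(/^[ \t]*\(|\)[ \t]*$/, "")           # drop outer parentheses
    n = split($0, parts, /[ \t]+OR[ \t]+/)    # Lucene operators are upper-case
    for (i = 1; i <= n; i++) {
      gsub(/^[ \t]+|[ \t]+$/, "", parts[i])   # trim each term
      if (parts[i] != "") print parts[i]
    }
  }'
}

# Thin wrapper around the real CLI (assumed to be on PATH and to have the
# dsec environment sourced). Redefine it in a test to avoid a live indexer.
wazuh_query() {
  netapi wazuh query "$@"
}

# Run one query per term against INDEX, labelling each block of results.
# A failing term is reported on stderr and does not stop the remaining terms.
run_split_queries() {
  local index="$1" expr="$2" term
  split_or_terms "$expr" | while IFS= read -r term; do
    printf '### %s\n' "$term"
    wazuh_query "$index" -q "$term" || printf 'query failed for: %s\n' "$term" >&2
  done
}

# Typical call (needs dsource d000 dev/observability and the netapi CLI):
#   run_split_queries 'wazuh-alerts-*' 'dot1x OR radius OR teap'
```

Pipe the output through tee as in the montage usage line to keep a log of each per-term result block.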

File Hunting Runbook

Created domus-linux-ops/pages/commands/files/file-hunting.adoc (378 lines):

  • Trifecta Pattern: grep -rn, find+grep, find+grep+awk

  • Find and Open: nvim integration with find

  • Shell Functions: fe (find+edit), fec (content+edit), fef (fzf)

  • fzf Integration: Fuzzy finding with preview

Example patterns documented:

# Quick content search
grep -rn "borg_backups" ~/atelier/_bibliotheca/domus-* --include="*.adoc"

# Formatted output with awk
find ~/atelier/_bibliotheca -name "*.adoc" -exec grep -Hn "borg_backups" {} \; | \
  awk -F: '{printf "%-60s L%-4s %s\n", $1, $2, $3}'

# Find and open in nvim
nvim $(find ~/atelier/_bibliotheca -name "backup-strategy*" -print -quit)

Shell function for daily use:

fe() {
  local file
  # -print -quit stops find after the first match
  file=$(find ~/atelier/_bibliotheca -name "$1" -print -quit)
  # if/else rather than "&& ... ||": a non-zero exit from nvim must not
  # be reported as "Not found"
  if [[ -n "$file" ]]; then
    nvim "$file"
  else
    echo "Not found: $1"
  fi
}

System Upgrade Preparation

  • Updated CLAUDE.md with session state snapshot

  • Tested NFS backup mount: sudo mount -t nfs nas-01.inside.domusdigitalis.dev:/volume1/borg_backups /mnt/synology

  • Ready for sudo pacman -Syu

Key Learnings

Topic                  Lesson
OpenSearch queries     OR patterns cause HTTP 500 - use separate queries
dsec for Wazuh         dsource d000 dev/observability loads WAZUH_* env vars
find + nvim            -print -quit stops after first match (faster)
awk field splitting    grep output is file:line:content - -F: splits on colon
Archives fallback      Direct kubectl exec grep always works when OpenSearch fails

Files Modified/Created

domus-infra-ops

examples/wazuh/wazuh-api-montage.sh      (new)
examples/wazuh/wazuh-pfsense-montage.sh  (new)
examples/wazuh/wazuh-ise-montage.sh      (new)
examples/wazuh/wazuh-switch-montage.sh   (new)
examples/wazuh/wazuh-wlc-montage.sh      (new)
examples/wazuh/wazuh-dns-montage.sh      (new)
examples/wazuh/wazuh-vault-montage.sh    (new)
examples/wazuh/wazuh-nas-montage.sh      (new)
.claude/CLAUDE.md                        (updated - session notes)

domus-linux-ops

pages/commands/files/file-hunting.adoc   (new - 378 lines)
nav.adoc                                 (updated - added File Hunting)

netapi

netapi/cli/wazuh.py                      (updated - new commands)
netapi/vendors/wazuh/client.py           (updated - get_cluster_health)

Tomorrow’s Priorities

  • Complete system upgrade (pacman -Syu)

  • Run Borg backup after upgrade

  • Test Wazuh montages on live data

  • Add fe, fec, fef functions to .zshrc