CR-2026-02-26: Wazuh SIEM Integration — Implementation

CLI Mastery: Wazuh Diagnostics

Full Diagnostic One-Liner

dsource d000 dev/observability && \
echo "=== CLUSTER ===" && netapi wazuh health | jq -r '.status' && \
echo "=== ARCHIVES ===" && netapi wazuh indices --raw 2>/dev/null | \
  jq -r '.[] | select(.index | contains("archives")) | "\(.index): \(.docs.count) docs"' && \
echo "=== PROCESSES ===" && ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- pgrep -a filebeat" 2>/dev/null | head -1 && \
echo "=== ARCHIVE LOGS ===" && ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- wc -l /var/ossec/logs/archives/archives.log /var/ossec/logs/archives/archives.json 2>/dev/null"
# archives.json is the file Filebeat ships to the indexer; archives.log alone only proves <logall> is on.

Process Check with awk

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- ps aux" | \
  awk '/filebeat|logcollector|analysisd/ {printf "%-20s PID:%-6s CPU:%-5s MEM:%-5s\n", $11, $2, $3, $4}'

Filebeat Error Extraction

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- sh -c 'cat /var/log/filebeat/filebeat* 2>/dev/null'" | \
  grep -iE 'error|failed|refused|timeout' | tail -20 | \
  awk '{sub(/T/, " "); print}' | cut -c1-120

# The glob must be expanded inside the container (hence sh -c): kubectl exec runs cat without a shell,
# so a bare filebeat* is handed to cat literally and nothing is read.
# sub() replaces only the first T, i.e. the one in the ISO-8601 timestamp; gsub() would also
# mangle words such as "TLS" or "Timeout" in the message text.
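The same triage as a reusable function, with a classifier for the usual root causes. This is an added example, not part of the CR; the log lines are constructed to match the tab-separated format Filebeat 7.x (the build bundled with Wazuh 4.x) writes, and the indexer hostname and pod IP in them are made up.

```sh
#!/bin/sh
# Added example (not part of the CR): triage Filebeat's log without mangling the
# message text. Filebeat 7.x writes tab-separated lines:
#   <ISO-8601 ts>  <LEVEL>  [<logger>]  <file:line>  <message>

# filebeat_errors: stdin -> "YYYY-MM-DD HH:MM:SS LEVEL message" for error-like lines.
# sub() on the timestamp field alone replaces the ISO "T"; a gsub over the whole
# line would also eat the T in "TLS", "Timeout", etc.
filebeat_errors() {
    awk -F'\t' '
        tolower($0) ~ /error|failed|refused|timeout/ {
            sub(/T/, " ", $1)
            printf "%s %s %s\n", $1, $2, $5
        }'
}

# filebeat_error_classes: stdin -> "class count" lines, one per root cause.
# Order matters: a refused connection is also a "Failed to connect".
filebeat_error_classes() {
    filebeat_errors | awk '
        tolower($0) ~ /connection refused/ { c["refused"]++; next }
        tolower($0) ~ /x509|tls/            { c["tls"]++;     next }
        tolower($0) ~ /timeout/             { c["timeout"]++; next }
                                            { c["other"]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample log lines (not captured from the cluster); hostname and IP are made up.
FILEBEAT_SAMPLE=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  2026-02-26T10:00:01.100Z INFO  '[monitoring]' 'log/log.go:184' 'Non-zero metrics in the last 30s' \
  2026-02-26T10:00:05.200Z ERROR '[publisher_pipeline_output]' 'pipeline/output.go:154' \
    'Failed to connect to backoff(elasticsearch(https://wazuh-indexer:9200)): dial tcp 10.43.0.12:9200: connect: connection refused' \
  2026-02-26T10:00:35.300Z ERROR '[publisher_pipeline_output]' 'pipeline/output.go:154' \
    'Failed to connect: x509: certificate signed by unknown authority (TLS handshake)' \
  2026-02-26T10:01:05.400Z WARN  '[elasticsearch]' 'elasticsearch/client.go:408' 'Cannot index event: i/o timeout' \
  2026-02-26T10:01:10.500Z INFO  '[input]' 'log/input.go:157' 'Configured paths: [/var/ossec/logs/archives/archives.json]')

printf '%s\n' "$FILEBEAT_SAMPLE" | filebeat_errors
printf '%s\n' "$FILEBEAT_SAMPLE" | filebeat_error_classes
```

Against the live manager, pipe the kubectl exec output from the one-liner above into filebeat_errors instead of the sample; the class summary tells you in one glance whether the indexer is down (refused), the CA bundle is wrong (tls), or the network path is lossy (timeout).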

ossec.conf Archives Settings

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- cat /var/ossec/etc/ossec.conf" | \
  awk '/<global>/,/<\/global>/' | grep -E 'logall|jsonout|archives'

# Expected (for archives to work):
# <logall>yes</logall>
# <logall_json>yes</logall_json>
# logall writes archives.log, logall_json writes archives.json. Filebeat ships the JSON file,
# and its wazuh module has the archives fileset disabled by default, so also set
# archives: enabled: true in /usr/share/filebeat/modules.d/wazuh.yml and restart filebeat.
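A scripted version of the check, so it returns a pass/fail instead of grep output to read by eye. Added example, not part of the CR: the two sample configs are constructed and trimmed down to the <global> block (the "bad" one mirrors the shipped Wazuh default of archives off); the function and file names are mine.

```sh
#!/bin/sh
# Added example (not part of the CR): verify that an ossec.conf enables archives.
# Scoped to the <global> block, because a large config can carry the same
# tag name elsewhere.

# global_setting FILE TAG -> prints the value of <TAG> inside <global>, or nothing
global_setting() {
    awk -v tag="$2" '
        /<global>/   { inblock = 1 }
        /<\/global>/ { inblock = 0 }
        inblock && ($0 ~ ("<" tag ">")) {
            sub(".*<" tag ">", "")        # drop everything up to the opening tag
            sub("</" tag ">.*", "")       # drop the closing tag and anything after
            gsub(/^[ \t]+|[ \t]+$/, "")   # trim whitespace
            print
            exit
        }' "$1"
}

# archives_enabled FILE -> exit 0 when both settings are "yes", 1 otherwise.
# Wazuh writes archives.log for <logall> and archives.json for <logall_json>;
# Filebeat ships the JSON file, so both must be on for the SIEM pipeline.
archives_enabled() {
    logall=$(global_setting "$1" logall)
    logall_json=$(global_setting "$1" logall_json)
    if [ "$logall" = "yes" ] && [ "$logall_json" = "yes" ]; then
        echo "$1: archives enabled (logall=yes, logall_json=yes)"
        return 0
    fi
    echo "$1: archives NOT enabled (logall=${logall:-unset}, logall_json=${logall_json:-unset})"
    return 1
}

# Constructed sample configs (trimmed; not the cluster's real ossec.conf).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
EOF

# Wazuh's shipped default: archives off.
cat > "$BAD_CONF" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    archives_enabled "$f" || :
done
```

To run it against the manager pod, redirect the kubectl exec cat of /var/ossec/etc/ossec.conf (the command above) into a temp file and pass that path to archives_enabled; the exit status makes it usable as a gate in the CR's verification step.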

CLI Mastery: Syslog Configuration

pfSense Syslog

# Enable
netapi pfsense syslog enable --server 10.50.1.134 --categories filter,system

# Verify
netapi pfsense syslog show

IOS-XE Syslog (WLC, C9300)

netapi wlc config \
  "logging host 10.50.1.134" \
  "logging trap informational" \
  "logging source-interface Loopback0" \
  "logging origin-id hostname" \
  --save

ISE Syslog Target

netapi ise api-call ers POST '/config/externalSyslogTarget' --data '{
  "ExternalSyslogTarget": {
    "name": "Wazuh-SIEM",
    "description": "Wazuh SIEM syslog collector",
    "host": "10.50.1.134",
    "port": 514,
    "protocol": "UDP"
  }
}'

CLI Mastery: jq + awk Patterns

Pattern 1: API → jq → awk Table

<api_call> | jq -r '.items[] | "\(.field1)\t\(.field2)"' | \
  awk -F'\t' 'BEGIN {printf "%-20s %s\n", "COL1", "COL2"} {printf "%-20s %s\n", $1, $2}'

Pattern 2: awk Histogram

<data> | awk '{bar=""; for(i=0;i<$1/10;i++) bar=bar"█"; printf "%6d %s %s\n", $1, bar, $2}'

Pattern 3: xargs Chain (No Temp Vars)

<get_id> | jq -r '.id' | xargs -I{} <use_id_{}>

Pattern 4: Conditional jq Output

<command> | jq -r 'if .status == "success" then "✓ \(.message)" else "✗ \(.error)" end'
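Pattern 2 applied to the syslog feed the sources above (pfSense, IOS-XE, ISE) send to 10.50.1.134, to confirm each source is actually talking and to spot a noisy one. This is an added example, not part of the CR: the syslog lines are constructed (hostnames, addresses and message bodies are made up, only the format is realistic), and the block uses awk and sort only, so it also runs on a box without jq. Function names are mine.

```sh
#!/bin/sh
# Added example (not part of the CR): per-source histogram of received syslog,
# plus a check for expected sources that sent nothing.

# count_by_host: stdin = RFC3164 syslog lines ("Mon DD HH:MM:SS host tag: msg"),
# stdout = "count host", busiest first (host is field 4).
count_by_host() {
    awk '{ n[$4]++ } END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# histogram [SCALE]: stdin = "count label" lines; one block per SCALE events
histogram() {
    awk -v scale="${1:-1}" '{
        bar = ""
        for (i = 0; i < $1 / scale; i++) bar = bar "█"
        printf "%6d %s %s\n", $1, bar, $2
    }'
}

# top_talker: stdin = syslog lines, stdout = the host with the most lines
top_talker() {
    count_by_host | awk 'NR == 1 { print $2 }'
}

# missing_sources HOST...: stdin = syslog lines; prints expected hosts with no lines
missing_sources() {
    seen=$(awk '{ print $4 }' | sort -u)
    for h in "$@"; do
        printf '%s\n' "$seen" | grep -qx "$h" || echo "$h"
    done
}

# Constructed sample (not captured traffic): pfSense filterlog, two IOS-XE boxes, ISE.
SYSLOG_SAMPLE='Feb 26 10:00:01 pfsense-01 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,10.50.1.134,51234,22
Feb 26 10:00:01 pfsense-01 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,10.50.1.134,51235,23
Feb 26 10:00:02 pfsense-01 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,10.50.1.134,51236,3389
Feb 26 10:00:02 pfsense-01 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,10.50.1.134,51237,445
Feb 26 10:00:03 c9300-core-01 45: *Feb 26 10:00:03.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22]
Feb 26 10:00:04 c9300-core-01 46: *Feb 26 10:00:04.220: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.50.1.20)
Feb 26 10:00:05 wlc-01 12: *Feb 26 10:00:05.010: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.50.1.134 port 514 started - CLI initiated
Feb 26 10:00:06 ise-01 CISE_Failed_Attempts 0000012345 1 0 2026-02-26 10:00:06.001 +00:00 0000067890 5400 NOTICE Failed-Attempt: Authentication failed'

printf '%s\n' "$SYSLOG_SAMPLE" | count_by_host | histogram
printf '%s\n' "$SYSLOG_SAMPLE" | top_talker
printf '%s\n' "$SYSLOG_SAMPLE" | missing_sources pfsense-01 c9300-core-01 wlc-01 ise-01 c9300-access-01
```

On the manager, feed it the tail of the syslog file the remote listener writes (or a tcpdump -A of udp/514 during cutover) and use a scale of 10 or 100; a source listed by missing_sources after the config push above is the first place to look, before touching Wazuh decoders.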