Remote device syslog messages not getting to filebeat


Paul Fu, Jr.

Sep 6, 2017, 1:56:48 PM
to Wazuh mailing list
I've been able to get Wazuh working with agents, but I'm having problems with network devices and am looking for suggestions on where to look.

Wazuh 2.1 on Amazon Linux AMI release 2017.03, single server implementation
rsyslogd 5.8

The server does receive the messages - I can see them in ossec/logs/archives/archives.log. It is not going to messages, however.

I tried to set up an rsyslog.conf rule to dump to a file so that I can get filebeat to pick it up:

:fromhost-ip, isequal, "IP" /var/log/remote.log
#:hostname,isequal,"remote" /var/log/remote.log
& ~

But it does not work. As you can see, I tried both fromhost-ip and hostname.

remote.log gets created when I start rsyslogd but it's empty. There are no rsyslogd config errors in messages either. 

tail -f /var/ossec/logs/archives/archives.log shows all the incoming remote syslog messages (on UDP 514).
tail -f /var/log/remote.log shows nothing.

Would appreciate any suggestions. 

Paul

Miguelangel Freitas

Sep 7, 2017, 11:57:01 AM
to Paul Fu, Jr., Wazuh mailing list
Hi Paul,

As I understand it, you want to store the incoming messages from your network devices in /var/log/remote.log using rsyslogd, but you are already receiving those messages via the Wazuh syslog server, which stores them in /var/ossec/logs/archives/archives.log. Is that right?

If that's the case, then you could disable the Wazuh syslog server and configure rsyslogd to receive all messages from your network devices. After that, configure Wazuh to collect the incoming messages from the log file with:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/remote.log</location>
  </localfile>

I hope it helps.

Regards.

Miguelangel Freitas
Security Engineer

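A complete rsyslog 5.x configuration for the receiving side that the reply describes, added here as an example; it is not taken from the thread or from Wazuh's documentation. The address 192.0.2.10 is a placeholder, and the Wazuh-side notes in the comments assume the standard ossec.conf <remote> and <localfile> blocks.

```conf
# /etc/rsyslog.d/remote.conf  (rsyslog 5.x legacy syntax; added example)
#
# A filter rule alone never sees the devices' messages: rsyslog only
# listens on UDP 514 when the imudp input module is loaded and started.
# Before enabling this, remove or comment out the Wazuh syslog server
# (<remote><connection>syslog</connection> ... </remote> in ossec.conf)
# and restart wazuh-manager, otherwise Wazuh still holds UDP 514 and the
# messages keep landing in archives.log instead of here.
$ModLoad imudp
$UDPServerRun 514

# Write everything from the device to its own file. Place this block
# before the catch-all rules (e.g. *.info -> /var/log/messages) so the
# discard line below ("& ~") stops the message from being duplicated.
# 192.0.2.10 is a placeholder; use the real device address.
:fromhost-ip, isequal, "192.0.2.10"   /var/log/remote.log
& ~

# Several devices on one subnet: match the source address with a regex
# on the same property instead of one isequal rule per device.
:fromhost-ip, regex, "^192\.0\.2\."   /var/log/remote.log
& ~

# Wazuh then reads the file with the <localfile> block from the reply:
#   <localfile>
#     <log_format>syslog</log_format>
#     <location>/var/log/remote.log</location>
#   </localfile>
```

After restarting rsyslogd, a quick sanity check is that `ss -lunp` (or `netstat -lunp`) shows rsyslogd, not ossec-remoted, bound to port 514.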
