Wazuh Syslog


KevinK Leung

Jul 15, 2022, 12:36:58 AM7/15/22
to Wazuh mailing list

Dear Team,

 

I have a syslog device sending its own logs to the Wazuh syslog server. I have configured it and allowed it through the firewall, and I have got a "log sent successfully" signal from the device. But I cannot see the logs in the Wazuh dashboard, nor in any of the possible log files on the Wazuh server.

 

My configuration:

 

<remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>tcp</protocol>
        <allowed-ips>MY_IP_RANGE</allowed-ips>
</remote>

 

 

 


Kevin Leung

IT Security Specialist

Easy Great Technology Limited

https://www.ecg-tech.com/

+852 5483 2178

 

Srijan Nandi

Jul 15, 2022, 7:06:27 AM7/15/22
to Wazuh mailing list
Hello Kevin,

First of all, see if you are receiving packets on TCP port 514. To check this, run tcpdump on the interface with port 514.

Also run `ss -natup | grep 514` to see if the port is open and listening.

Then, you need to add '<logall>yes</logall>' or '<logall_json>yes</logall_json>' in your '/var/ossec/etc/ossec.conf' file on the Wazuh server, and restart it. You will be able to see syslog events in '/var/ossec/logs/archives/archives.log' or in '/var/ossec/logs/archives/archives.json', depending on the option you configure in '/var/ossec/etc/ossec.conf'.

You can also view alerts in '/var/ossec/logs/archives/alerts.log' or '/var/ossec/logs/alerts/alerts.json'.

Thanks and Regards,
-=Srijan Nandi

KevinK Leung

Jul 19, 2022, 10:48:21 PM7/19/22
to Wazuh mailing list

Dear Team.

Thanks for your advice.

I have run a tcpdump on the Wazuh manager side; it shows the log is successfully sent to the machine. However, it looks like Wazuh is unable to accept it at the application level.

My configuration:

<ossec_config>
        <global>
                …..
                <logall>yes</logall>
                <logall_json>yes</logall_json>
                ….
        </global>

        <remote>
                <connection>syslog</connection>
                <port>514</port>
                <protocol>tcp, udp</protocol>
                <allowed-ips>Allow_IP</allowed-ips>
                <local_ip>WAZUH_IP</local_ip>
        </remote>


KevinK Leung

Jul 20, 2022, 12:05:17 AM7/20/22
to Wazuh mailing list

Hello Team

 

In addition, I have used another clean Linux box to send syslog to this Wazuh IP over UDP 514, and the Wazuh dashboard has successfully loaded the syslog client information: "MANAGER.NAME" is my Wazuh hostname and "PREDECODER.HOSTNAME" is my syslog client's hostname.

 

Under this situation, can I assume the setup of the syslog server is successful?

I want to know where I can verify a log when there is no decoder for it.

In addition, I understand the pattern of the log that the specific device sends to Wazuh. How can I start with the decoders?

CEF:0|"Special code"|"Client"|<software_version>|<model_id>|<model_name>|<breach_severity>|<extra_metadata>.

 

 

Kevin Leung

IT Security Specialist

Easy Great Technology Limited

https://www.ecg-tech.com/

+852 5483 2178

 


Srijan Nandi

Jul 20, 2022, 12:23:13 AM7/20/22
to Wazuh mailing list
Hello Kevin,

First of all, when you are using syslog for the remote connection, the protocol option can have only one value. Therefore, your remote configuration should look like this:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>Allow_IP</allowed-ips>
  <local_ip>WAZUH_IP</local_ip>
</remote>

If you are receiving the logs, then you can check '/var/ossec/logs/archives/archives.log' or '/var/ossec/logs/archives/archives.json' to see the logs.

For making custom rules and decoders, please refer to the Wazuh Documentation given below:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Regards,
-=Srijan Nandi
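A starting point for the CEF pattern Kevin posted, written here as an added example that is not from the thread or from the Wazuh ruleset: a parent decoder that pre-matches the CEF header and a child decoder that splits it on the pipe into the fields he named, plus a local rule so the event becomes an alert rather than only an archives.log entry. It assumes Wazuh's predecoder has already stripped the syslog header (as his PREDECODER.HOSTNAME result suggests), and the field names after vendor/product, the decoder names and the rule id 100100 are my own choices.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml  (added example, not from the thread)
     Target line, after the syslog header has been removed by the predecoder:
     CEF:0|"Special code"|"Client"|<software_version>|<model_id>|<model_name>|<breach_severity>|<extra_metadata>
     Field names are assumed from Kevin's description of the pattern. -->
<decoder name="ecg-cef">
  <prematch>CEF:0\|</prematch>
</decoder>

<decoder name="ecg-cef-fields">
  <parent>ecg-cef</parent>
  <!-- In Wazuh's OS_Regex, \| is a literal pipe, \S+ a run of non-space
       characters and \.+ any characters; \.+ is used for the fields that
       may contain spaces (the quoted vendor/product, the model name and
       the trailing metadata, which Kevin's capture shows is a JSON object). -->
  <regex offset="after_prematch">^"(\.+)"\|"(\.+)"\|(\S+)\|(\S+)\|(\.+)\|(\S+)\|(\.+)$</regex>
  <order>cef_vendor, cef_product, software_version, model_id, model_name, breach_severity, extra_metadata</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml
     Without a rule the decoded event is visible only with logall in
     archives.log/archives.json; this rule turns every decoded line into a
     level 5 alert that carries the extracted fields into alerts.json. -->
<group name="ecg,cef,">
  <rule id="100100" level="5">
    <decoded_as>ecg-cef</decoded_as>
    <description>ECG device CEF event: $(model_name), breach severity $(breach_severity)</description>
  </rule>
</group>
```

After restarting the manager, pasting one raw line into /var/ossec/bin/wazuh-logtest shows which decoder matched and the fields it extracted, which is the quickest way to check the regex before relying on the dashboard.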

KevinK Leung

Jul 20, 2022, 12:45:11 AM7/20/22
to Srijan Nandi, Wazuh mailing list

Hello Srijan,

 

I can't map a service with 2 protocols (both TCP and UDP)?

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

 


Kevin Leung

IT Security Specialist

Easy Great Technology Limited

https://www.ecg-tech.com/

+852 5483 2178

 

Srijan Nandi

Jul 20, 2022, 12:52:31 AM7/20/22
to Wazuh mailing list
Hello Kevin,

You can use both UDP and TCP protocols, but only in secure connections. For syslog, if you need multiple protocols, each should be in a different <remote>....</remote> block.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html?highlight=remote#connection

But my question is, why do you require multiple protocols for syslog? Just use UDP and it will suffice for your requirement.

Regards,
-=Srijan Nandi

KevinK Leung

Jul 20, 2022, 3:09:16 AM7/20/22
to Srijan Nandi, Wazuh mailing list

Dear Srijan,

 

I have tried to use a different <remote> ..</remote> block, but the Wazuh manager prompts me with a syntax error, so I kept only 1 <remote></remote> block for syslog 514.

I have now made the system use TCP to send syslog, and it works now.

 

My reason for using multiple protocols for syslog is to be compatible with some old devices which may not support further customization of the syslog port and only support UDP 514. However, the existing device seems to only support TCP 514 for syslog.

 

Thanks.

Srijan Nandi

Jul 20, 2022, 5:02:28 AM7/20/22
to Wazuh mailing list
Hello Kevin,

I tried the following code in my config and it worked.

  <remote>
    <connection>syslog</connection>
    <port>15514</port>
    <protocol>udp</protocol>
    <local_ip>X.X.X.X</local_ip>
    <allowed-ips>Y.Y.Y.Y/24</allowed-ips>
  </remote>

  <remote>
    <connection>syslog</connection>
    <port>15514</port>
    <protocol>tcp</protocol>
    <local_ip>X.X.X.X</local_ip>
    <allowed-ips>Y.Y.Y.Y/24</allowed-ips>
  </remote>

But good to know that you got it working on TCP.

Regards,
-=Srijan Nandi
