Imperva WAF send logs to Wazuh


KnaT

May 17, 2023, 3:54:01 AM
to Wazuh mailing list
Hi everyone,
I have an Imperva WAF and I want to configure it to send syslog to the Wazuh system.
I also configured the WAF to send logs and configured ossec.conf to receive the logs like below:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.6.99</allowed-ips>
  </remote>
</ossec_config>

But when I check archives.log, there is nothing from 10.10.6.99. I checked with tcpdump to see if something was sent from it, but I see nothing. I cannot find the way to configure the Imperva WAF.

Can anyone share the solutions?

Thanks a lot!
TA

Gabriel Diaz Lopez de la Llave

May 17, 2023, 4:45:48 AM
to Wazuh mailing list
Hello TA,

From your message, I understand the problem you're having is the Imperva WAF does not send its logs to the Wazuh server.

I would double-check my Imperva WAF configuration following the Imperva documentation.
Also, I would check the Imperva community forums, there might be clues about what's wrong with your WAF configuration.

To diagnose if there is a communication problem between Imperva WAF and the Wazuh syslog remote, I would check first from the Wazuh side, as you did. If I can't see any packets coming from the WAF, the next logical step is to try the same check from the Imperva side. If you can see Imperva sending syslog packets, and those seem correct, then I would check the usual suspects and verify that all firewalls and ACLs in the network path allow syslog communication between the WAF and the Wazuh server.

Pay special attention to the IP address the WAF is using to send the logs, and ensure that IP is in the allowed-ips. It could be that the Imperva WAF is trying to send logs using a different interface from what's intended, or that there is NAT in the network path.

Regards,
Gabriel
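As an added example (not part of the thread or of Wazuh's own code), the allowed-ips check Gabriel describes can be done offline against the ossec.conf fragment from the first post: parse every syslog <remote> block, and compare the sender addresses seen on the wire against the declared networks. The list of observed senders is constructed to stand in for a tcpdump summary; a source such as 10.10.6.1 or a private address from another range is what a NAT device or the wrong WAF interface would look like. The CIDR handling assumes Wazuh's documented behaviour that allowed-ips accepts either a single address or a network in CIDR form.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The <remote> block from the first post in the thread.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.6.99</allowed-ips>
  </remote>
</ossec_config>"""

# Constructed stand-in for "tcpdump -n udp port 514" output on the manager:
# the source addresses of UDP/514 datagrams that actually arrived.
OBSERVED_SOURCES = ["10.10.6.99", "10.10.6.1", "192.168.50.20"]


def parse_allowed_ips(conf_xml):
    """Return the networks allowed by every syslog <remote> block in ossec.conf.

    A plain address is treated as a /32; a CIDR entry (e.g. 10.10.6.0/24) is
    kept as the network it names.
    """
    root = ET.fromstring(conf_xml)
    nets = []
    for remote in root.findall("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        for entry in remote.findall("allowed-ips"):
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets


def classify_sources(sources, nets):
    """Map each observed sender to 'accepted' or 'dropped' by remoted's filter."""
    verdict = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        verdict[src] = "accepted" if any(addr in net for net in nets) else "dropped"
    return verdict


def diagnose(conf_xml, sources):
    """Classify senders and return a one-line hint about what to look at next."""
    nets = parse_allowed_ips(conf_xml)
    verdict = classify_sources(sources, nets)
    if not sources:
        hint = "no UDP/514 traffic reached the manager: check the WAF side and the network path"
    elif "accepted" not in verdict.values():
        hint = "senders arrive but none match allowed-ips: check for NAT or a different WAF interface"
    else:
        hint = "at least one sender matches allowed-ips: messages should appear in archives.log"
    return verdict, hint


if __name__ == "__main__":
    verdict, hint = diagnose(OSSEC_CONF, OBSERVED_SOURCES)
    for src, state in verdict.items():
        print(f"{src:16} {state}")
    print(hint)
```

Running it against the thread's configuration shows only 10.10.6.99 accepted; the other two constructed senders would be silently dropped by remoted, which is exactly the case where tcpdump shows traffic but archives.log stays empty.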

KnaT

May 17, 2023, 5:29:01 AM
to Wazuh mailing list
Hi Gabriel,

I have created a connection from the Imperva WAF to Wazuh with the console. About the connection, my Imperva WAF and Wazuh manager are in the same IP range (WAF: 10.10.6.99 and Wazuh: 10.10.6.175), so nothing blocks traffic between them. And I have checked that the send and receive IPs in these config files are correct.
I would appreciate it if you could give me a step-by-step configuration guide for the Imperva WAF to send logs to Wazuh.
Waiting for your response soon.

Thanks a lot!
TA

Gabriel Diaz Lopez de la Llave

May 17, 2023, 8:48:44 AM
to Wazuh mailing list
I don't have any knowledge of Imperva WAF. It is a commercial product I've never used. But people in our community have posted articles on how to integrate this product with Wazuh, please check this out:
regards,
Gabriel

KnaT

May 21, 2023, 9:34:44 AM
to Wazuh mailing list
Hi Gabriel,
Thanks for your help. I have checked the blog, but I don't have an account to access my.imperva.com.
I understand that the guide above uses an API connector.
Is it necessary? How can I configure it correctly without that, maybe using rsyslog?

Gabriel Diaz Lopez de la Llave

May 24, 2023, 5:32:38 AM
to KnaT, Wazuh mailing list
Hello Knat, I don't have access to any Imperva product, so I can't test the integration.
You need to send the Imperva messages to Wazuh. This can be done using rsyslog, or configuring an agent to collect the Imperva logs from files. 
Once you've got the messages into Wazuh, you will need to create decoders and rules so Wazuh is able to understand those messages. In the default ruleset, there is a basic integration already.

I suggest you talk to the Imperva admin or support, so they can help you configure your product to send messages to syslog or to a file. Once you've got messages into Wazuh, we can help you finish the integration.
In the link I sent you, they used a script to download the log files from the Imperva service to a local file, and then configure the Wazuh agent to send those logs to the server to be analyzed.

Regards,
Gabriel
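As an added example (not from the thread, not Wazuh's own code, and not Imperva's real log format), this is the first step of the decoder work Gabriel mentions: take one raw line as it would appear in archives.log, split the RFC 3164 syslog header from the body, and pull out the key=value fields that a custom decoder's <regex> and <order> would later capture. The sample line and its field names (event, src, dst, policy, action) are constructed placeholders; the mapping to srcip, dstip and action follows the standard Wazuh decoder field names.

```python
import re

# Constructed sample line: an RFC 3164 syslog message with a key=value body.
# The program name and field names are placeholders, NOT Imperva's real format.
SAMPLE_LINE = (
    "<134>May 24 05:32:38 waf01 imperva-waf: "
    "event=alert src=203.0.113.7 dst=10.10.6.20 policy=sqli action=block"
)

# <PRI>TIMESTAMP HOSTNAME TAG: BODY
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):\s*"
    r"(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical mapping from the constructed body keys to the Wazuh decoder
# field names a practitioner would list in <order>.
DECODER_FIELD_MAP = {"src": "srcip", "dst": "dstip", "action": "action"}


def parse_syslog(line):
    """Split a syslog line into header fields plus the key=value pairs of its body.

    Returns None when the line does not carry a syslog header at all, which is
    what you see when a device sends bare text and the pre-decoder gets nothing.
    """
    match = HEADER_RE.match(line)
    if not match:
        return None
    pri = int(match.group("pri"))
    fields = {
        "facility": pri // 8,          # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": match.group("timestamp"),
        "hostname": match.group("host"),
        "program_name": match.group("tag"),  # what a <program_name> prematch sees
    }
    fields.update(dict(KV_RE.findall(match.group("body"))))
    return fields


def to_decoder_fields(fields):
    """Rename the body keys to the names a Wazuh rule would match on."""
    return {DECODER_FIELD_MAP[k]: v for k, v in fields.items() if k in DECODER_FIELD_MAP}


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE_LINE)
    for key, value in parsed.items():
        print(f"{key:13} {value}")
    print("decoder fields:", to_decoder_fields(parsed))
```

The header part (program_name, hostname, timestamp) is what Wazuh's built-in syslog pre-decoder already extracts, so a custom decoder only needs a <program_name> prematch plus a <regex> for the body; the keys this script finds in the body are the candidates for that <regex> and its <order> list.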
