Dual Remote logging


Tim Bentley

Apr 9, 2019, 3:51:46 PM
to Wazuh mailing list
I am running Wazuh and the remote port 1514 is being used to handle 3 agents.
I would also like to consume the syslog from a Unifi switch directly into wazuh but the xml configuration does not seem to support both ports 1514 and 514 at the same time.
What options do I have?

Thanks

Kevin Branch

Apr 9, 2019, 4:34:40 PM
to Tim Bentley, Wazuh mailing list
Tim,

You will want your Unifi switch to send standard syslog messages to your Wazuh manager on udp/514.  Port 1514 is solely for accepting authenticated/encrypted connections direct from Wazuh agents.


I have my Wazuh manager collecting Unifi AP logs via syslog just fine, though you will have to build your own custom Wazuh decoders and rules for them as there is no built-in knowledge of Unifi log messages in Wazuh at this time.  If you get your logs flowing and are interested, I'd be happy to share what I have worked out so far in the area of Unifi log decoding.  Maybe with your contributions added in we'll eventually have something good enough to contribute for inclusion in Wazuh for the benefit of the wider community.

Kevin Branch

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/93004642-76ed-4ab8-9a63-66c7f44505cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
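
As an added illustration of the setup Kevin describes (not configuration taken from his message or from the Wazuh project docs), two <remote> blocks in /var/ossec/etc/ossec.conf run both listeners side by side: the agent listener on 1514 and a plain syslog listener on udp/514. The 192.168.1.0/24 range is an assumed placeholder for the subnet the Unifi switch sends from; syslog listeners only accept senders listed in allowed-ips.

```xml
<ossec_config>
  <!-- Authenticated/encrypted agent connections (the existing listener) -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>

  <!-- Plain syslog from network devices such as the Unifi switch -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- Assumed placeholder: restrict to the subnet the switch lives on -->
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
```

Restart the manager after editing, and keep allowed-ips as narrow as possible, since anything inside that range can inject log lines into the manager.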

Lautaro Nahuel

Jan 28, 2022, 8:34:58 AM
to Wazuh mailing list

Kevin good morning.


Could you share the decoders and rules to match the events coming from UNIFI?

Thanks in advance.

Greetings

Sabbat X

May 29, 2022, 9:29:35 AM
to Wazuh mailing list
Hi! Hope you're doing great :-)

Here's my issue:
I created a custom decoder and a custom rule to generate alerts when receiving UniFi logs. (I'm interested in seeing yours @Kevin Branch)
When I use the wazuh-logtest binary to test these with a UniFi log, the custom rule is triggered and an alert is generated.
But in real use, nothing happens...

Here are my decoder and rule:

<decoder name="unifi">
        <prematch type="pcre2">UAP-</prematch>
</decoder>

<rule id="100013" level="5">
        <decoded_as>unifi</decoded_as>
        <description>UniFi wifi log</description>
</rule>

For now they are really simple, as I just want to trigger the rule and have an alert generated with any message received from the UniFi controller. I want to be sure that the log matches with my decoder. No need to extract any information for now.

FYI, here's what a UniFi log looks like (captured with a syslog server):

May 28 17:36:23 wap001 78455819c06e,UAP-AC-InWall-6.0.18+13660: logread[3288]: Logread connected to 192.168.1.49:514

As I said, it triggers the rule when I try it with /var/ossec/bin/wazuh-logtest, but not in real use.

I am using Wazuh v4.2.5 and UniFi controller v7.1.65

If anyone can help me with that I'd be really happy :-)
Thanks!
