Local agents logs forwarder


Leo David

Oct 1, 2024, 1:44:04 PM
to Wazuh | Mailing List
Hello everyone,
We have currently implemented a simple CentOS VM that will just collect and send traffic for 1514-1515/tcp and syslogs to the Wazuh manager that is running in a remote environment.
Basically, it acts as a forwarder / shipper for all the on-prem agents, so that there is no need to deal with lots of connections passing through the firewall.
Also, for remote branches it's easier to manage the setup, since the forwarder will open a single VPN tunnel to the Wazuh manager, so everything is done through "one wire".

Behind it there is an HAProxy that is dealing with the 1514-1515 traffic, whilst rsyslogd is doing the syslog forwarding. Agents' source IP addresses are kept intact (only syslogs will need a bit of decoding, since the source IPs are within the message payload).

So far, the only downside we've met is that at the time of agent registration, the forwarder box IP address needs to be specified instead of the Wazuh manager IP address.
For other setups where there is no local Wazuh manager this may also be very handy and flexible.
My questions are:
Is there an official setup for this type of forwarder / shipper? (As an example, AlienVault does provide a "sensor" for this type of architecture.)
Did anyone configure something similar?
Would there be any other downsides to using this setup? The benefits, I guess, are obvious from different perspectives.

If everything is good with this setup, we may go ahead and dockerise this for a quick deployment of the "wazuh-forwarder" (even including Suricata, with a port directly connected to a mirrored port of the location's main gateway).

Please let me know your thoughts.
Thank you,

Leo David


Sebastian Dario Bustos

Oct 2, 2024, 12:22:58 AM
to Wazuh | Mailing List
Hi Leo,
The standard documentation covers the topic of agents without internet access in the following guide:


This is oriented to our Wazuh Cloud service but depicts well the configuration that needs to be performed in your environment. Then, in your remote cluster environment, you can just set up an NLB (nginx, for example) to receive the agents' connections; here are the instructions for setting up nginx or HAProxy for the task:


About having to set the forwarder/nginx address/IP on your agents as the server's address: yes, this is the difference from a direct connection, though you can make use of an internal DNS to point the agents to a more descriptive hostname.

Hope this helps.
Regards.
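An added example of the HAProxy side of such a forwarder, written for this page rather than taken from the thread or from the Wazuh documentation. Everything in it is an assumption for illustration: the manager address 198.51.100.20 is a placeholder, the section names are arbitrary, and the timeouts are a starting point. What it shows is the two things that matter for Wazuh agent traffic: both ports are proxied as opaque TCP (the agent channel is encrypted end to end, so HTTP mode or any inspection would break it), and the enrollment port is kept in its own section so it can be restricted or disabled once agents are enrolled.

```haproxy
# Added example, not the thread's configuration: HAProxy on the on-prem
# forwarder relaying agent traffic to a remote Wazuh manager.
# 198.51.100.20 is a placeholder for the manager's address.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp                 # agent traffic is opaque TCP; never use mode http here
    log global
    option tcplog
    timeout connect 10s
    timeout client  1h       # agents keep 1514 open; a short timeout causes reconnect storms
    timeout server  1h

# 1515: one-shot enrollment (agent-auth). Separate section so it can be
# firewalled to a jump host or disabled after rollout.
frontend wazuh_enrollment
    bind *:1515
    default_backend wazuh_manager_1515

backend wazuh_manager_1515
    server manager 198.51.100.20:1515 check

# 1514: the persistent agent <-> manager channel.
frontend wazuh_agents
    bind *:1514
    default_backend wazuh_manager_1514

backend wazuh_manager_1514
    balance leastconn        # only matters once there is more than one worker
    server manager 198.51.100.20:1514 check
```

As written, this is a plain proxy: the manager sees every agent connection arriving from the forwarder's address, not from the agent. That is fine for agents enrolled with the `any` address; agents enrolled with a fixed IP must be seen by the manager as coming from that IP, which with HAProxy means transparent proxying (`source 0.0.0.0 usesrc clientip` on the backend) plus routing the manager's return traffic back through the forwarder. Whichever you choose, check it with one agent before enrolling a branch, because an address mismatch only shows up as the manager ignoring that agent's messages.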

Leo David

Oct 2, 2024, 1:45:19 AM
to Sebastian Dario Bustos, Wazuh | Mailing List
Thank you Sebastian, this is exactly what I needed to confirm!
How about the agents' syslog forwarding? Are there any official references regarding this?
Thank you,

Leo

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7b5bb711-3b2a-4f99-a8b1-d372c79b2d95n%40googlegroups.com.

Sebastian Dario Bustos

Oct 3, 2024, 3:54:14 AM
to Wazuh | Mailing List
Hi Leo,
Yes, here is the documentation reference regarding syslog forwarding from an agent to a cloud instance. Basically, you need to set up rsyslog to receive the logs; then the standard connectivity of the agent, picking up the logs from the file where rsyslog is storing them, will take care of transmitting the logs to the manager:


Hope this helps,
Regards.
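An added example of the rsyslog side of the pattern just described, written for this page rather than copied from the thread or from the Wazuh guide. The listening ports, the `/var/log/branch/` directory, the ruleset and template names are all assumptions. The one deliberate change from rsyslog's stock traditional file format is the template: the hostname slot is filled from `%FROMHOST-IP%`, the peer address rsyslog actually received the datagram or connection from, instead of `%HOSTNAME%`, which is just a field in the payload that any device on the branch network can write. Once the file is relayed by the Wazuh agent, that transport-layer address is the only origin information the manager can still trust.

```rsyslog
# Added example, not from the thread or the Wazuh docs: rsyslog on the
# forwarder receiving syslog from branch devices and writing it to files
# that the local Wazuh agent's logcollector ships to the manager.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="from_branch")
input(type="imtcp" port="514" ruleset="from_branch")

# Same layout as rsyslog's traditional file format (timestamp, host, tag, msg)
# so the manager's syslog decoders see what they expect, but the host slot
# carries the sender's real peer address rather than the forgeable header hostname.
template(name="BranchLine" type="string"
         string="%TIMESTAMP% %FROMHOST-IP% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# One file per sending device; the Wazuh agent picks them up with a wildcard.
template(name="BranchFile" type="string"
         string="/var/log/branch/%FROMHOST-IP%.log")

ruleset(name="from_branch") {
    action(type="omfile" dynaFile="BranchFile" template="BranchLine"
           dirCreateMode="0750" fileCreateMode="0640")
    stop    # keep branch traffic out of the forwarder's own /var/log/messages
}
```

On the agent side this pairs with a `<localfile>` entry in ossec.conf whose `log_format` is `syslog` and whose `location` is `/var/log/branch/*.log`. Because rsyslog parses whatever it receives and re-renders it through the template, devices sending RFC 5424 and devices sending RFC 3164 end up in the same traditional layout on disk, which is also the answer to the format question later in this thread. Two checks worth doing before rollout: confirm the Wazuh agent user can read files created with the mode above, and confirm that nothing on the branch network can reach 514 except the devices meant to, since anything that can will now land in the manager under its own IP.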

Leo David

Oct 3, 2024, 6:24:50 AM
to Sebastian Dario Bustos, Wazuh | Mailing List
Thank you so much Sebastian, really appreciate it!
Will give the configuration a try.
Any idea if this setup will capture both BSD (RFC 3164) and IETF (RFC 5424) syslog formats?
Thank you,

Leo



--
Best regards, Leo David

Sebastian Dario Bustos

Oct 8, 2024, 7:01:18 AM
to Wazuh | Mailing List
Hi Leo,
In this guide rsyslog is being used, so as long as it is a format compatible with rsyslog, there shouldn't be a problem.

Hope this helps.
Regards.
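As an added example, not code from the thread or from Wazuh, here is a small parser for the two formats Leo asks about, run over constructed sample lines. It also makes concrete the decoding point from his first post: the hostname in a syslog header is whatever the sender wrote, so when the manager reads a relayed file the only origin address it can rely on is one the forwarder's rsyslog wrote in from the transport layer. The third sample line is the shape such a relayed line takes (hostname slot holding an IP literal, no `<PRI>`); the parser flags it. Sample hosts, addresses and process IDs are made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not from the thread). The first two carry the same
# event in BSD (RFC 3164) and IETF (RFC 5424) form, as a branch device would
# send them; the third is what a relaying rsyslog writes to disk when its file
# template puts the sender's transport address in the hostname slot.
SAMPLE_LINES = [
    "<34>Oct  3 06:24:50 branch-fw01 sshd[2211]: Failed password for root from 203.0.113.5 port 4422 ssh2",
    '<165>1 2024-10-03T06:24:50.003Z branch-fw01 sshd 2211 ID47 [origin@32473 ip="192.0.2.10"] Failed password for root from 203.0.113.5 port 4422 ssh2',
    "Oct  3 06:24:50 192.0.2.10 sshd[2211]: Failed password for root from 203.0.113.5 port 4422 ssh2",
]

# <PRI> is optional: rsyslog drops it when writing the traditional file format.
_PRI = r"(?:<(?P<pri>\d{1,3})>)?"
_RFC3164 = re.compile(
    _PRI
    + r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    + r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
_RFC5424 = re.compile(
    _PRI
    + r"1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    + r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)


@dataclass
class SyslogEvent:
    fmt: str                   # "rfc3164" or "rfc5424"
    facility: Optional[int]    # None when the line carried no <PRI>
    severity: Optional[int]
    hostname: str              # whatever the sender (or the relay) put in the header
    app: str
    pid: Optional[str]
    msg: str
    hostname_is_ip: bool       # True when the hostname slot holds an IP literal


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one RFC 5424 or RFC 3164 line; return None if it is neither."""
    line = line.rstrip("\r\n")
    for fmt, rx in (("rfc5424", _RFC5424), ("rfc3164", _RFC3164)):
        m = rx.match(line)
        if not m:
            continue
        facility = severity = None
        if m.group("pri") is not None:
            pri = int(m.group("pri"))
            if pri > 191:          # PRI = facility (0..23) * 8 + severity (0..7)
                return None
            facility, severity = pri >> 3, pri & 7
        pid = m.group("pid")
        if pid == "-":             # RFC 5424 NILVALUE
            pid = None
        host = m.group("host")
        return SyslogEvent(fmt, facility, severity, host, m.group("app"), pid,
                           m.group("msg") or "", _is_ip(host))
    return None


def summarize(lines) -> dict:
    """Count lines per format; a quick sanity check on what a relay writes out."""
    counts = {"rfc3164": 0, "rfc5424": 0, "unparsed": 0}
    for line in lines:
        ev = parse_syslog(line)
        counts[ev.fmt if ev else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        origin = "relay-supplied IP" if ev.hostname_is_ip else "sender-supplied name"
        print(f"{ev.fmt}  host={ev.hostname} ({origin})  app={ev.app} pid={ev.pid}")
    print(summarize(SAMPLE_LINES))
```

In a real deployment the manager's own syslog decoders do this job; the script is for checking, on the forwarder, that what rsyslog writes is what you think it writes, and that `hostname_is_ip` comes back true for every relayed line before you start building rules that key on the host field.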

Leo David

Oct 14, 2024, 1:43:45 AM
to Sebastian Dario Bustos, Wazuh | Mailing List
Hi Sebastian,
Thank you so much for the detailed information.
Have a great week!

Leo
