Wazuh doesn't get rsyslog logs


MrBAD0094

Aug 23, 2018, 5:33:45 AM8/23/18
to Wazuh mailing list
Hi,
My question is: which component in Wazuh is responsible for receiving logs from syslog?
Elastic or OSSIM?

I have been trying to configure this for 3 days ...
First I tried configuring
/var/ossec/etc/ossec.conf
  <remote>
    <connection>syslog</connection>
    <allowed-ips>syslog ip</allowed-ips>
  </remote>

Next I tried configuring Elastic from this tutorial:

Suricata successfully sends logs to syslog, but I don't know how to get these logs into Wazuh.
Any newbie tutorial?

Javier Castro

Aug 23, 2018, 5:51:14 AM8/23/18
to MrBAD0094, Wazuh mailing list
Hi,

the Wazuh manager receives logs from syslog.

You will probably need to specify the port on which you expect the logs, as well as the protocol (udp, tcp).


Best regards.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/639c6c69-1693-48d7-acbe-cab11cd2165f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
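As an added example (not from the thread or the Wazuh documentation), here is what a `<remote>` block looks like once it carries the port and protocol Javier mentions, placed next to the `<global>` setting that later in this thread turns out to be needed before anything shows up in the archives. The sender address 10.0.0.5 and UDP on 514 are placeholders for the host that forwards Suricata's syslog output; `<allowed-ips>` also takes a CIDR range such as 10.0.0.0/24.

```xml
<ossec_config>
  <global>
    <!-- write every received event to archives.json, not only events that fire an alert -->
    <logall_json>yes</logall_json>
  </global>

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- placeholder: the rsyslog/Suricata host that is allowed to send to the manager -->
    <allowed-ips>10.0.0.5</allowed-ips>
  </remote>
</ossec_config>
```

The manager only picks this up after a restart (on a systemd install, assumed here, `systemctl restart wazuh-manager`). A sender whose address is not covered by `<allowed-ips>` is silently dropped, which is why tcpdump can show traffic arriving while nothing is ever written.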

MrBAD0094

Aug 23, 2018, 7:53:53 AM8/23/18
to Wazuh mailing list
First, thanks for your interest in my topic.
So I reconfigured my /var/ossec/etc/ossec.conf as in the documentation, but it still doesn't work.
Do you know how to be sure that the logs from syslog are being sent? Maybe this is the problem?

On Thursday, 23 August 2018 11:51:14 UTC+2, Javier Castro wrote:
Hi,

the Wazuh manager receives logs from syslog.

You will probably need to specify the port on which you expect the logs, as well as the protocol (udp, tcp).


Best regards.

Javier Castro

Aug 23, 2018, 8:20:50 AM8/23/18
to MrBAD0094, Wazuh mailing list
You can try to use tcpdump in the manager instance searching over the port you are sending data.

If you don't see anything, that means either there's some network issue (firewall, for example) or that the source is not properly sending data.

Regards.


MrBAD0094

Aug 23, 2018, 8:40:55 AM8/23/18
to Wazuh mailing list
I installed tcpdump and ran
tcpdump -vv -x -X -s 1500 -i enp0s3 'port 514'
and I can see all the packets from the Suricata server and the packets from the syslog server; it's working very nicely. So that's good.

Any other idea where I could have made a mistake? Or what else should be configured to receive the logs?

Javier Castro

Aug 23, 2018, 9:48:55 AM8/23/18
to MrBAD0094, Wazuh mailing list
Let's check your archives.log.

Maybe you don't have rules and decoders that properly parse those events.

Search in /var/ossec/logs/archives/archives.log file for those suricata logs.

Regards.


MrBAD0094

Aug 24, 2018, 2:13:59 AM8/24/18
to Wazuh mailing list
Unfortunately, the archive is empty, too.
My Wazuh server is the newest version, and I did not modify anything else. Do you have any new suggestion, or should I reinstall it?
Or do you know where I can find a good tutorial? Because I don't know whether I modified everything I had to.

Regards

Javier Castro

Aug 24, 2018, 7:04:26 AM8/24/18
to MrBAD0094, Wazuh mailing list
My bad.

You have to enable the logall_json option in the manager so that file gets populated.

Edit the file /var/ossec/etc/ossec.conf.

You will find one block like this at the beginning:

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <queue_size>131072</queue_size>
  </global>


Change the setting logall_json from 'no' to 'yes' and restart the Wazuh manager.

This will populate the archives.json file and then you can search in there looking for your syslog logs.

If you can't find them after doing that, then it means the Wazuh manager is not reading those logs and the problem must be in another place.

Best regards.


Alain Kabwe

Feb 14, 2019, 3:15:13 AM2/14/19
to Wazuh mailing list
Hi all,
I'm facing the same issue. I followed all your recommendations, but when I filter the packets received on the Wazuh manager from the network device with tcpdump I get this:

09:59:20.45867 IP x.x.x.x.56846 > x.x.x.x.514: SYSLOG local7.error, length: 103
09:59:20.45895 IP x.x.x.x.56846 > x.x.x.x.514: SYSLOG local7.notice, length: 125

Can someone help me? Please

On Friday, 24 August 2018 13:04:26 UTC+2, Javier Castro wrote:
My bad.

You have to enable the logall_json option in the manager so that file gets populated.

Edit the file /var/ossec/etc/ossec.conf.

You will find one block like this at the beginning:

  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>ossecm@example.wazuh.com</email_from>
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <queue_size>131072</queue_size>
  </global>


Change the setting logall_json from 'no' to 'yes' and restart the Wazuh manager.

This will populate the archives.json file and then you can search in there looking for your syslog logs.

If you can't find them after doing that, then it means the Wazuh manager is not reading those logs and the problem must be in another place.

Best regards.

Juan Carlos

Feb 14, 2019, 3:49:13 AM2/14/19
to Wazuh mailing list
Hello Alain,

You can verify if the Wazuh manager is listening on port 514 with:
netstat -tunap | grep :514

If you do see it there then it could be that the message being transmitted isn't triggering any alert.

You may see the message with
tcpdump -i any port 514 -AA

The output of this will contain trailing characters, mostly dots. For example:
........'_v.....E..F..@.@.#...G...G..@...2..<187>Feb 14 08:31:23 agent programname: test................

You may take the message after syslog priority (<187>) and paste it into the ossec-logtest utility on the manager:
echo "Feb 14 08:31:23 agent programname: test" | /var/ossec/bin/ossec-logtest
And this will explain the behavior the manager will take with such a message.

Best Regards,
Juan Carlos Tello
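The checks in this thread (is the manager listening, does ossec.conf have everything remote syslog needs, what does the <PRI> at the front of the datagram mean, and how to feed the rest to ossec-logtest) collected into one added diagnostic script. This is not Wazuh project code and not from any poster; it assumes the default manager layout (/var/ossec/etc/ossec.conf, /var/ossec/bin/ossec-logtest), and every sample line and config in it is constructed for the example. The PRI decoding generalises Juan Carlos's single <187> case to any priority value using the RFC 5424 rule (facility = PRI / 8, severity = PRI % 8), which is also why Alain's tcpdump output reads local7.error and local7.notice.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread: packets reach port 514 but
# nothing appears in alerts or archives. Not Wazuh project code; written for this page.
# Assumptions: default manager paths under /var/ossec, syslog on port 514.
# All sample lines and configs below are constructed.

WAZUH_CONF="${WAZUH_CONF:-/var/ossec/etc/ossec.conf}"
LOGTEST="${LOGTEST:-/var/ossec/bin/ossec-logtest}"

# 1. Is the manager actually bound to the syslog port? (needs ss or netstat on the
#    manager itself; the offline test below does not call this)
manager_listening() {
  port="${1:-514}"
  if command -v ss >/dev/null 2>&1; then
    ss -tuln | grep -q ":$port "
  else
    netstat -tuln | grep -q ":$port "
  fi
}

# 2. Does ossec.conf carry everything remote syslog needs? The first <remote> block
#    posted in the thread had <connection> and <allowed-ips> but no <port>/<protocol>,
#    and archives stayed empty until <logall_json> was switched to yes.
#    Prints "ok" or "missing: <elements>"; returns 1 when something is absent.
check_remote_block() {
  conf="$1"
  missing=""
  for needle in '<connection>syslog</connection>' '<port>' '<protocol>' \
                '<allowed-ips>' '<logall_json>yes</logall_json>'; do
    grep -q -- "$needle" "$conf" || missing="$missing $needle"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing"
    return 1
  fi
  echo "ok"
}

# 3. Decode the <PRI> that tcpdump shows at the start of each datagram.
#    facility = PRI / 8, severity = PRI % 8 (RFC 5424 numbering), so <187> is
#    local7.error. Prints "facility.severity"; prints "invalid-pri" and returns 1
#    when the line has no <PRI> or the value exceeds 191 (local7.debug).
syslog_pri_decode() {
  line="$1"
  pri=$(printf '%s' "$line" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p')
  [ -n "$pri" ] && [ "$pri" -le 191 ] || { echo "invalid-pri"; return 1; }
  fac=$((pri / 8)); sev=$((pri % 8))
  set -- kernel user mail daemon auth syslog lpr news uucp cron authpriv ftp \
         ntp security console cron2 local0 local1 local2 local3 local4 local5 local6 local7
  i=0; while [ "$i" -lt "$fac" ]; do shift; i=$((i + 1)); done
  facname="$1"
  set -- emergency alert critical error warning notice info debug
  i=0; while [ "$i" -lt "$sev" ]; do shift; i=$((i + 1)); done
  echo "$facname.$1"
}

# 4. Strip the <PRI> so the remainder is what ossec-logtest expects on stdin.
syslog_strip_pri() {
  printf '%s\n' "$1" | sed 's/^<[0-9]\{1,3\}>//'
}

# Run one raw datagram through ossec-logtest (only meaningful on a manager).
logtest_line() {
  [ -x "$LOGTEST" ] || { echo "ossec-logtest not found at $LOGTEST"; return 1; }
  syslog_strip_pri "$1" | "$LOGTEST"
}

# Constructed samples: the datagram Juan Carlos showed, plus a local7.notice one.
for raw in '<187>Feb 14 08:31:23 agent programname: test' \
           '<189>Feb 14 08:31:24 agent programname: second'; do
  echo "$(syslog_pri_decode "$raw") -> $(syslog_strip_pri "$raw")"
done
```

On a real manager, run `check_remote_block "$WAZUH_CONF"` first, then `manager_listening 514`, and only then `logtest_line '<187>...'` with a line copied from tcpdump: if logtest shows the event but assigns no rule, the syslog path is fine and the gap is in decoders/rules; if the config check reports a missing `<port>`/`<protocol>` or `<logall_json>`, the manager was never going to record it.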