ESXi Syslogs


Vincent Cervone

Oct 27, 2022, 10:41:34 PM
to Wazuh mailing list
Hi all -

New to Wazuh and recently starting my technical journey. I'm trying to get syslogs from ESXi into Wazuh but am getting the following error: wazuh-remoted: WARNING: (1213): Message from 'xxx.xxx.xx.xx' not allowed. Cannot find the ID of the agent.

ESXi would not have an agent installed so my assumption is that I need to go down the agentless route that's highlighted here. Can someone confirm if I'm going down the right path?

Thanks,

Vinny

Mariano Koremblum

Oct 30, 2022, 4:47:04 PM
to Wazuh mailing list

Hi Vinny,

Could you please share with us the configuration (/var/ossec/etc/ossec.conf) that you are using to get the logs via Syslog?

I will be waiting for your reply,

Mariano Koremblum

Vincent Cervone

Oct 31, 2022, 9:27:02 AM
to Mariano Koremblum, Wazuh mailing list
Please see attached

Thanks,

Vinny

Attachment: ossec_config.txt

Mariano Koremblum

Oct 31, 2022, 11:55:44 AM
to Wazuh mailing list
May I ask what the rejected IP was? The one you have obfuscated; it would help to understand why it is not being allowed.


I will be waiting for your reply,

Mariano Koremblum

Mariano Koremblum

Oct 31, 2022, 1:09:12 PM
to Wazuh mailing list
Do you correctly get logs from such a device even when this message is logged to the `ossec.log`?

Please, let us know

Vincent Cervone

Oct 31, 2022, 3:48:58 PM
to Wazuh mailing list
No. I get this: "wazuh-remoted: WARNING: (1213): Message from '192.168.6.11' not allowed. Cannot find the ID of the agent."

That is the IP of the ESXi host.

Mariano Koremblum

Nov 3, 2022, 10:51:20 AM
to Wazuh mailing list

Hi Vinny,

After doing some research, it seems that the message is a little bit confusing. In this case, the agent ID has nothing to do with the error; rather, the IP is not inside the accepted range.

You have the following configuration to receive remote Syslog events:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.0.0/24</allowed-ips>
  <local_ip>192.168.6.5</local_ip>
</remote>

This means that the event’s incoming IP must be in the range 192.168.0.0/24, which goes from 192.168.0.1 to 192.168.0.254. The IP that is being rejected (192.168.6.11) is not included on this subnet.

You can either adjust the starting IP (set it to 192.168.6.0/24) or increase the subnet range as follows: 192.168.0.0/16.

Please, let us know if it worked.

Kind regards,

Mariano Koremblum

Vincent Cervone

Nov 3, 2022, 6:17:35 PM
to Mariano Koremblum, Wazuh mailing list
Good news! It's working! Thank you so much!

One last question: if I want to add another subnet, would I make another section outlining the subnet like below, or can I use a comma after 192.168.6.0/24 followed by the new subnet?
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>

  <allowed-ips>192.xxx.xx.xx</allowed-ips>
  <local_ip>192.168.6.5</local_ip>
</remote>

Thanks,

Vinny

Mariano Koremblum

Nov 4, 2022, 1:16:32 AM
to Wazuh mailing list

Great to know Vinny!

As for your question, you can add as many allowed-ips entries as you want, for example:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <allowed-ips>192.168.5.0/24</allowed-ips>
  <allowed-ips>192.168.32.0/24</allowed-ips>
  <local_ip>192.168.6.5</local_ip>
</remote>

I hope that my answer helps you! :)

Best regards,

Mariano Koremblum
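The two replies above explain the same check from two angles: a source address is accepted by wazuh-remoted only if it falls inside at least one `<allowed-ips>` entry of a syslog `<remote>` block, and several entries may be listed. The following script is an added example, not Wazuh code or anything posted in this thread; it reproduces that check offline with Python's `ipaddress` module so you can test a candidate ossec.conf against the ESXi host's address before restarting the manager. The two config fragments embedded in it are constructed from the ones quoted in the thread (the rejected `192.168.0.0/24` block, and a multi-entry block that includes `192.168.6.0/24`); the function names are this example's own. It assumes Wazuh evaluates the entries as a plain any-match over the list, which is how the replies describe it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: the block that produced
# "Message from '192.168.6.11' not allowed" in the thread.
ORIGINAL_REMOTE = """<ossec_config>
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.0.0/24</allowed-ips>
  <local_ip>192.168.6.5</local_ip>
</remote>
</ossec_config>"""

# Constructed fragment with several allowed-ips entries, one of which
# covers the ESXi host at 192.168.6.11.
FIXED_REMOTE = """<ossec_config>
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <allowed-ips>192.168.5.0/24</allowed-ips>
  <allowed-ips>192.168.6.0/24</allowed-ips>
  <local_ip>192.168.6.5</local_ip>
</remote>
</ossec_config>"""


def allowed_networks(conf_xml):
    """Collect every <allowed-ips> value from each syslog <remote> block.

    ossec.conf may contain several top-level <ossec_config> elements, which
    is not well-formed XML on its own, so the text is wrapped in a synthetic
    root before parsing. A bare address such as 192.168.6.11 becomes a /32.
    """
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    nets = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # secure (agent) listeners do not use allowed-ips
        for entry in remote.findall("allowed-ips"):
            nets.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return nets


def match_source(conf_xml, source_ip):
    """Return the allowed-ips network that admits source_ip, or None.

    None corresponds to the remoted WARNING (1213) seen in the thread;
    the agent ID in that message is a red herring for syslog sources.
    """
    addr = ipaddress.ip_address(source_ip)
    for net in allowed_networks(conf_xml):
        if addr in net:
            return str(net)
    return None


def check_sources(conf_xml, sources):
    """Map each candidate source IP to its matching network (or None)."""
    return {ip: match_source(conf_xml, ip) for ip in sources}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_REMOTE), ("fixed", FIXED_REMOTE)):
        print(label, check_sources(conf, ["192.168.6.11", "192.168.5.7", "10.0.0.1"]))
```

Running it shows `192.168.6.11` rejected under the original block and admitted by `192.168.6.0/24` under the fixed one, while `10.0.0.1` is rejected by both. Keep in mind that `allowed-ips` only inspects the source address of the UDP datagram, which a host on the same network can spoof, so treat it as a noise filter rather than an authentication control, and prefer the narrowest subnet that covers the ESXi host over widening to `/16`.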
