Where do I view syslogs in Kibana


Adam D.G

Apr 2, 2019, 7:14:52 AM
to Wazuh mailing list
Hi,

I'm just trying to understand how syslogging works with Wazuh. I have it enabled and set to accept logs from a management network of network devices.
I have a Cisco switch sending logs to my Wazuh manager. Can I view these syslogs in Kibana, and how do I do so?

Kind Regards,
Adam

Juan Carlos

Apr 2, 2019, 9:10:24 AM
to Wazuh mailing list
Hi Adam,

In order to diminish the amount of noise and increase the visibility of relevant information, all log messages (including syslog) are analyzed with the decoders and rules part of the Wazuh Ruleset to determine if they should be logged, with which level, groups and if any other action should be taken (i.e. email alerts, active-response, integrations, etc).

Given that new devices and software are constantly being created, Wazuh was designed to allow a high degree of customization.
You may easily create decoders and rules for any device that isn't logged by our default ruleset. More information on how to customize the ruleset can be found here:

If you wish to see all messages you may create a rule that catches all messages from a specific location:
<group name="cisco,custom,">
  <rule id="100002" level="5">
    <location>[cisco_switch_IP]</decoded_as>
    <description>Message from Cisco Switch</description>
  </rule>
</group>

I hope this helps,
Juan Carlos Tello

Juan Carlos

Apr 2, 2019, 9:56:55 AM
to Wazuh mailing list
Hi Adam,
Sorry, I made a mistake on the rule.

The correct rule would be:
<group name="cisco,custom,">
  <rule id="100002" level="5">
    <location>[cisco_switch_IP]</location>
    <description>Message from Cisco Switch</description>
  </rule>
</group>

Best Regards,
Juan Carlos Tello

On Tuesday, April 2, 2019 at 3:10:24 PM UTC+2, Juan Carlos wrote:
Hi Adam,

In order to diminish the amount of noise and increase the visibility of relevant information, all log messages (including syslog) are analyzed with the decoders and rules part of the Wazuh Ruleset to determine if they should be logged, with which level, groups and if any other action should be taken (i.e. email alerts, active-response, integrations, etc).

Given that new devices and software are constantly being created, Wazuh was designed to allow a high degree of customization.
You may easily create decoders and rules for any device that isn't logged by our default ruleset. More information on how to customize the ruleset can be found here:

If you wish to see all messages you may create a rule that catches all messages from a specific location:
<group name="cisco,custom,">
  <rule id="100002" level="5">
    <location>[cisco_switch_IP]</location>
    <description>Message from Cisco Switch</description>
  </rule>
</group>
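As an added example (not Juan Carlos's configuration, nor anything shipped with Wazuh), here are the two pieces a manager needs for the thread's setup end to end: the syslog listener in ossec.conf, limited to the management network, and a local_rules.xml with the corrected catch-all rule plus a child rule for configuration changes. The 10.10.0.0/24 network, the switch address 10.10.0.5 and the %SYS-5-CONFIG_I match pattern are assumed values.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): the syslog listener on the manager.
     10.10.0.0/24 is an assumed management network; allowed-ips makes the
     manager drop syslog from any other source, so an unrelated host cannot
     inject fake "switch" events into alerts.json. -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.0.0/24</allowed-ips>
  </remote>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml: custom rules use ids 100000 and up.
     For remote syslog, the location Wazuh records is the sender's IP address,
     so 10.10.0.5 (assumed switch address) takes the place of [cisco_switch_IP]. -->
<group name="cisco,custom,">

  <!-- Catch-all: every line from the switch becomes a level 5 alert. That is
       above the default log_alert_level of 3, so it is written to alerts.json
       and shipped by Filebeat to Elasticsearch, where Kibana can show it. -->
  <rule id="100002" level="5">
    <location>10.10.0.5</location>
    <description>Message from Cisco Switch</description>
  </rule>

  <!-- Child rule: raise the level for configuration changes on the switch.
       %SYS-5-CONFIG_I is the IOS message logged when someone leaves
       configuration mode (assumed pattern for this example). -->
  <rule id="100003" level="8">
    <if_sid>100002</if_sid>
    <match>%SYS-5-CONFIG_I</match>
    <description>Cisco switch configuration changed</description>
    <group>config_changed,</group>
  </rule>

</group>
```

After restarting the manager, feed one captured switch line to the logtest tool (ossec-logtest on Wazuh 3.x) to confirm it fires rule 100002 before filtering on rule.id in Kibana.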