Connecting logstash to wazuh via syslogs


Sathya Bhat

Jul 9, 2024, 3:54:42 AM
to Wazuh | Mailing List
Hello team, I am facing an issue with consuming syslog events in the Wazuh manager [running in a VM instance]. The syslog events are being generated from Logstash [which is running in a separate VM].

Config:

Logstash config (logstash.conf):

```conf
input {
  stdin { }
}

filter {
  mutate {
    # Both fields added in one add_field hash; the original listed two
    # separate add_field entries, which Logstash merges into the same hash.
    add_field => {
      "Tid"      => "Hello_world"
      "log_type" => "logstash"
    }
  }
}

output {
  syslog {
    host     => "10.xx.xx.xx"   # wazuh ip
    port     => 514
    protocol => "tcp"
  }
  stdout { }
  file {
    path => "~/tmp/test"
  }
}
```
Wazuh manager syslog config (in ossec.conf):

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>0.0.0.0/0</allowed-ips>
  <ipv6>yes</ipv6>
</remote>
```
We have installed the syslog output plugin on Logstash to ensure that it sends data via syslog.
Both VMs are in the same VPC and subnet.
On executing `sudo netstat -nputw` on the Logstash instance, it shows that it sent a SYN request to Wazuh and was awaiting an ACK (with the tcp6 protocol).
On executing `sudo netstat -plnt` on the Wazuh instance, it shows that it is listening on port 514 with protocol tcp6.

Error on Logstash:

```text
[2024-07-09T06:41:04,016][WARN ][logstash.outputs.syslog ][main][5c9b478c8ee78ffb13e22e8bc71d67ff2bc13e76bd701afe0df050e4973c0498] syslog tcp output exception: closing, reconnecting and resending event {:host=>"10.xx.xx.xxx", :port=>514, :exception=>#<Errno::ECONNREFUSED: Connection refused - connect(2) for "10.xx.xx.xx" port 514>, :backtrace=>["org/jruby/ext/socket/RubyTCPSocket.java:134:in `initialize'", "org/jruby/RubyIO.java:876:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:209:in `connect'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:177:in `publish'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-plain-3.1.0/lib/logstash/codecs/plain.rb:59:in `encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in `block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in `time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in `time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in `encode'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:147:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `block in multi_receive'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:143:in `multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"], :event=>#<LogStash::Event:0x60effab9>}
```

I am currently not sure where the issue is, as all traffic is allowed in terms of firewall rules. Thanks in advance for the help.
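The post above ends with an `Errno::ECONNREFUSED` from the Logstash syslog output, and a later reply in this thread traces it to the two VMs sitting in different subnets behind a blocking firewall rule. A quick way to separate "the manager is reachable but nothing accepted the connection" from "packets are being dropped on the way" is to open the same kind of TCP connection the syslog output plugin opens and look at which error comes back. The script below is an added example written for this thread; it is not code from the original posts, from Logstash or from Wazuh. The manager address `10.0.0.10`, the hostname `logstash-vm` and the timestamp are constructed placeholders, and the RFC 3164 message builder is a minimal one, not the plugin's own encoder.

```python
import datetime
import socket

# Constructed placeholder for the Wazuh manager address; the thread masks the real one.
WAZUH_HOST = "10.0.0.10"
SYSLOG_PORT = 514          # port the manager's <remote> block listens on
SAMPLE_TS = datetime.datetime(2024, 7, 9, 6, 41, 4)  # constructed timestamp

# RFC 3164 facility/severity codes used to compute the <PRI> prefix.
FACILITY_USER = 1
SEVERITY_INFO = 6


def build_syslog_message(hostname, tag, msg, timestamp=None,
                         facility=FACILITY_USER, severity=SEVERITY_INFO):
    """Return one BSD-syslog (RFC 3164) line, newline-terminated for TCP framing.

    Format: <PRI>Mmm dd HH:MM:SS hostname tag: msg
    PRI = facility * 8 + severity; a single-digit day is space-padded.
    """
    pri = facility * 8 + severity
    ts = timestamp or datetime.datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}\n"


def classify_connect_error(exc):
    """Map a socket-level failure to the network condition that usually causes it."""
    if isinstance(exc, ConnectionRefusedError):
        # A TCP RST came back: the host answered but nothing accepted the
        # connection (no listener on that port/address family, or a firewall REJECT).
        return "refused"
    if isinstance(exc, socket.timeout):
        # No answer at all: typically a firewall DROP or a routing/subnet problem.
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "dns"
    return "other"


def probe_syslog_tcp(host, port=SYSLOG_PORT, message=None, timeout=3.0):
    """Open a TCP connection the way the Logstash syslog output does, optionally
    send one message, and report the outcome as a small dict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sent = 0
            if message:
                data = message.encode("utf-8")
                sock.sendall(data)
                sent = len(data)
            return {"status": "connected", "bytes_sent": sent, "detail": ""}
    except OSError as exc:
        return {"status": classify_connect_error(exc), "bytes_sent": 0,
                "detail": str(exc)}


def demo_refused_locally():
    """Reproduce a 'connection refused' offline: bind a loopback port to learn a
    free number, release it, then probe it. Returns the status string."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        free_port = tmp.getsockname()[1]
    return probe_syslog_tcp("127.0.0.1", free_port, timeout=2.0)["status"]


if __name__ == "__main__":
    line = build_syslog_message("logstash-vm", "logstash",
                                "Tid=Hello_world log_type=logstash", timestamp=SAMPLE_TS)
    print("message:", line.strip())
    print("loopback self-check:", demo_refused_locally())
    result = probe_syslog_tcp(WAZUH_HOST, SYSLOG_PORT, message=line)
    print(f"{WAZUH_HOST}:{SYSLOG_PORT} ->", result["status"], result["detail"])
```

Run it from the Logstash VM with the real manager address substituted. A `refused` result matches the error in the post and means the manager host replied with a reset, so the next things to compare are the address family the manager bound (the `netstat` output shows tcp6) against the address Logstash dials, and any REJECT rules in between; a `timeout` means nothing came back at all, which points at DROP rules or routing between subnets rather than at the Wazuh configuration.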

Federico Ramos

Jul 11, 2024, 9:45:51 AM
to Wazuh | Mailing List

Hi,

After replicating the steps in a local environment (Wazuh version 4.8.0) I couldn't reproduce your error. I reviewed your `logstash.conf` and `ossec.conf` (the parts you sent) and they seem to work fine in my environment. Maybe you are missing some of the following steps:

- One of the possible causes is that Logstash doesn't have the required permission and the connection is refused. Did you follow this step and run this command during the installation?
`sudo chmod -R 755 </PATH/TO/LOCAL/ELASTICSEARCH/CERTIFICATE>/root-ca.pem` (Documentation: https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html#id1)
- Did you follow these steps and validate the configuration described in https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html#id4? Or is this command the one that leaves you this error?
- You didn't add the `<local_ip>` tag with the IP address of the Wazuh server listening for incoming log messages. Have you tried adding it?

In the meantime, I'm going to check with the team to see if they can find anything we're missing.

Sathya Bhat

Jul 11, 2024, 11:55:51 PM
to Wazuh | Mailing List
Hi,

The version of Wazuh we are using is v4.7.2, and we were trying to follow the suggestions provided in https://groups.google.com/g/wazuh/c/fSTph3SqGXg/m/udFQPzSMBAAJ for ingesting logs located in our Logstash instance.
There, 2 options were provided for ingesting logs from Logstash into Wazuh:
  1. Make Logstash output into a temp file and have a Wazuh agent ingest the temp file [this method is working properly].
  2. Install the output-to-syslog plugin in Logstash and consume the syslog messages in Wazuh.
We had initially added the `<local_ip>` tag and gave an internal IP, then we gave a public IP for the same, and there is still no communication between the 2 VMs. We are confused whether the issue is us misconfiguring Wazuh or Logstash, or whether we might have misconfigured our GCP environment.

Sathya Bhat

Jul 12, 2024, 7:36:01 AM
to Wazuh | Mailing List
Hi,
This issue has been resolved. It turns out the issue was that both VMs were in different subnets, and the firewall rules implemented prevented the Wazuh VM from communicating with the other VM. We corrected that and now it is working as expected. Thanks for the support.