Hi Namdev, hope you are doing well today and thanks for using Wazuh!
The method to receive logs from these devices in Wazuh is through syslog. To do this, please follow these steps:
First of all, you will include this block in the local configuration of your Wazuh Manager:
Through Web interface: Wazuh > Management > Configuration > Edit configuration
Insert the following block inside the configuration:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>10.0.0.0/24</allowed-ips>
<local_ip>10.0.0.1</local_ip>
</remote>
Once you save the configuration you will need to restart the manager. You can do this by clicking on the "Restart Manager" icon at the top right of the screen, or you could do it through the command line with the following command: systemctl restart wazuh-manager.
Some notes about the <remote> keys:
Usually, Syslog messages are sent to port 514 via UDP. It can be modified, but please remember that it has to match the syslog devices' configuration.
The tag local_ip indicates the manager IP. If the IP is IPv6, the configuration must contain the tag ipv6 instead of local_ip. It can’t contain both.
The <allowed-ips> key allows Wazuh to receive messages in Syslog format from any IP belonging to the 10.0.0.0/24 network; you will need to change this information according to your network settings. You can find more information about the <remote> configuration here.
The next step is to configure the syslog output on your network devices.
Please review the following guides:
For Fortigate: https://help.fortinet.com/fadc/4-5-1/olh/Content/FortiADC/handbook/log_remote.htm
Once you have finished these steps, you can inspect the network activity on the manager using the tcpdump command to check if the syslog messages are reaching your manager (insert the right values for protocol, port and src):
· tcpdump -i any udp port 514 and src 10.0.0.2
You can also activate <logall_json> (changing no to yes) in the ossec.conf on the manager (you must restart the service to apply the changes) to see in the archives every log reaching the manager and also what it is doing with each log. Once you have activated logall_json you can see new logs arriving at the manager with the tail command:
· tail -f /var/ossec/logs/archives/archives.json
You can also grep there for specific data like an IP address:
· grep '10.0.0.2' /var/ossec/logs/archives/archives.json
Let me know how it went.
Best regards!
Emiliano Fontana
Security Engineer — Wazuh, Inc.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2dcbced6-0ad7-4394-95ea-f579245f3d4cn%40googlegroups.com.
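As an added example (my own code, not from the thread above and not a Wazuh tool), the following script checks the <remote> block against the points made in the message: the connection must be syslog, the protocol and port must match what the device sends, <allowed-ips> must cover the sending device, and <local_ip> and <ipv6> must not both be present. The configuration sample is constructed to mirror the block above; the function name and its findings are my own assumptions.

```python
"""Sanity-check a Wazuh manager <remote> syslog block before restarting.

Added example, not from the original thread or from Wazuh's own tooling.
Function name, parameters and the wording of the findings are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed configuration sample, mirroring the block from the message above.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/24</allowed-ips>
    <local_ip>10.0.0.1</local_ip>
  </remote>
</ossec_config>"""


def check_remote_syslog(conf_xml: str, device_ip: str, device_port: int = 514,
                        device_proto: str = "udp"):
    """Return a list of findings (an empty list means the block looks consistent)."""
    findings = []
    root = ET.fromstring(conf_xml)
    blocks = [r for r in root.iter("remote")
              if (r.findtext("connection") or "").strip() == "syslog"]
    if not blocks:
        return ["no <remote> block with <connection>syslog</connection> found"]
    device = ipaddress.ip_address(device_ip)
    for remote in blocks:
        # Port and protocol must match what the device is configured to send.
        port = int((remote.findtext("port") or "514").strip())
        proto = (remote.findtext("protocol") or "udp").strip().lower()
        if port != device_port or proto != device_proto.lower():
            findings.append(f"manager listens on {proto}/{port} but device sends "
                            f"to {device_proto.lower()}/{device_port}")
        # allowed-ips may be repeated; the device must fall inside at least one.
        nets = [ipaddress.ip_network(e.text.strip(), strict=False)
                for e in remote.findall("allowed-ips") if e.text]
        if not nets:
            findings.append("<allowed-ips> missing: no syslog sender will be accepted")
        elif not any(device in n for n in nets):
            findings.append(f"{device_ip} is not covered by allowed-ips "
                            f"{[str(n) for n in nets]}")
        # local_ip and ipv6 are mutually exclusive, as noted in the message.
        has_v4 = remote.find("local_ip") is not None
        has_v6 = remote.find("ipv6") is not None
        if has_v4 and has_v6:
            findings.append("<local_ip> and <ipv6> are both set; only one is allowed")
        if has_v4:
            lip = ipaddress.ip_address(remote.findtext("local_ip").strip())
            if lip.version != 4:
                findings.append(f"<local_ip> {lip} is not IPv4; use <ipv6> instead")
    return findings


if __name__ == "__main__":
    for ip in ("10.0.0.2", "192.168.1.20"):
        print(ip, check_remote_syslog(SAMPLE_CONF, ip) or "OK")
```

Run it with the IP of the firewall that should be sending syslog; a device outside the allowed-ips range is the most common reason for tcpdump showing packets that never appear in archives.json.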
Hi Juan Emiliano Fontana,
I have done all settings as per your mail.
But still, I don't get any logs on wazuh.
Given below are snapshots of the configuration of the Sophos firewall as well as the Wazuh Manager for your reference. Please let me know if something is missing in the configuration.
Settings done in Sophos Firewall.

Settings done in Wazuh Manager – ossec.conf file.

Please suggest ASAP.
Hi Namdev, sorry for the late response.
It seems that the configuration of the manager is the correct one.
First, let’s check if the syslog events are in the archives.json. To review this, please run the following command:
· grep 'IP-Syslog-device' /var/ossec/logs/archives/archives.json
If you are not seeing events in the archives, please run tcpdump on your manager:
· tcpdump -i any udp port 514 and src 'IP-Syslog-device'
Let me know the results of both tests.
Best regards!
Hi Fahmi, sorry for the late response.
Once you have verified that the logs reached the Wazuh Manager with the provided steps, you can check the alerts in the Security Events module:
In this particular case I have a syslog connection with a VMware ESX server and Samba. Take into consideration that the logs reach the Wazuh Manager directly, so instead of viewing the events as if they came from an agent, you would be viewing them as if they were the manager's. If you need to see the events as if they were from an agent, you could deploy a server with Rsyslog + the Wazuh agent, forward the syslog logs from your network devices to the Rsyslog server, and through Log collection collect the logs and send them to the Wazuh manager.
If you verified that the logs reached the Wazuh Manager but they are not triggering any alerts, this may be due to the lack of decoders/rules. You can easily check if we have rules/decoders for the logs using our wazuh-logtest tool.
First run the tool /var/ossec/bin/wazuh-logtest and paste the syslog log.
If we have a rule/decoder for the log, you should see an output similar to the following one:
**Phase 3: Completed filtering (rules).
id: '70021'
level: '5'
description: 'Traffic Denied: from 11.22.33.44 to 44.33.22.11'
groups: '['sophos-fw']'
firedtimes: '1'
mail: 'False'
Here the “id” would be the alert triggered in the Wazuh manager.
If you have an output similar to the following one:
**Phase 2: Completed decoding.
No decoder matched.
This means that we don’t have a decoder for the log; in this case you will need to create a custom decoder/rule for the required log. You will find more information here.
Let me know if you need further assistance.
Best regards!
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9fa78be3-a209-4b51-a447-11e90e1323fbn%40googlegroups.com.
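The two checks discussed in this thread, whether a device's logs reach the manager at all (the archives.json grep in the first replies) and whether the ruleset decodes them (the wazuh-logtest step in the last reply), can be combined into one pass over archives.json. The script below is an added example, my own code rather than something from the thread or from Wazuh: it reads the per-line JSON that <logall_json> writes, counts events per source and per decoder, and collects the raw lines for which no decoder matched, which are exactly the ones worth pasting into wazuh-logtest. The sample lines are constructed to resemble that format; the "location", "full_log" and "decoder" field names are what I rely on, so compare them against your own archives.json before trusting the counts.

```python
"""Summarise what the Wazuh manager did with each syslog line in archives.json.

Added example, not code from the thread or from Wazuh. Sample lines below are
constructed; "location" is assumed to carry the syslog sender's IP and a
missing "decoder" object is taken to mean "No decoder matched".
"""
import json
from collections import Counter

# Constructed sample of archives.json content (one JSON object per line),
# including one undecoded line and one malformed line to show error handling.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2021-05-10T10:00:01.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"location":"10.0.0.2","full_log":"May 10 10:00:01 sophos-fw ulogd[1234]: id=\"2001\" log_type=\"Firewall\" src_ip=11.22.33.44 dst_ip=44.33.22.11 action=drop","decoder":{"name":"sophos-fw"},"rule":{"id":"70021","level":5,"description":"Traffic Denied: from 11.22.33.44 to 44.33.22.11"}}
{"timestamp":"2021-05-10T10:00:02.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"location":"10.0.0.2","full_log":"May 10 10:00:02 sophos-fw custom-daemon: something the ruleset does not know about"}
{"timestamp":"2021-05-10T10:00:03.000+0000","agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"location":"10.0.0.3","full_log":"May 10 10:00:03 esx01 vmkernel: cpu0: probe ok","decoder":{"name":"vmware"}}
this line is not JSON and should be counted as malformed
'''


def summarize_archives(lines):
    """Return per-source counts, per-decoder counts, undecoded raw logs and a malformed-line count."""
    by_source, by_decoder, undecoded, malformed = Counter(), Counter(), [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1          # e.g. a line still being written when we read it
            continue
        source = event.get("location", "?")
        by_source[source] += 1
        decoder = (event.get("decoder") or {}).get("name")
        if decoder:
            by_decoder[decoder] += 1
        else:
            # No decoder: this is the raw line to feed into wazuh-logtest.
            undecoded.append((source, event.get("full_log", "")))
    return {"by_source": by_source, "by_decoder": by_decoder,
            "undecoded": undecoded, "malformed": malformed}


def source_seen(summary, ip):
    """True when at least one event from the given sender IP reached the manager."""
    return summary["by_source"].get(ip, 0) > 0


if __name__ == "__main__":
    # On a real manager: open("/var/ossec/logs/archives/archives.json") instead.
    result = summarize_archives(SAMPLE_ARCHIVES.splitlines())
    print("events per source :", dict(result["by_source"]))
    print("events per decoder:", dict(result["by_decoder"]))
    print("malformed lines   :", result["malformed"])
    for src, line in result["undecoded"]:
        print(f"undecoded from {src}: {line}")
```

If a source IP never appears in the per-source counts, go back to the tcpdump check; if it appears only under "undecoded", the manager is receiving the logs and the missing piece is a decoder/rule, as described in the last reply.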