Tag field in syslog events

[Pedro Agudo]

Hi 
I am using the rsyslog service of an intermediate proxy to centralize the secure sending of events from different Sophos UTM and XG firewalls to our Wazuh server.

 
The rsyslog service saves the events in a different file depending on their origin and the wazuh agent installed on the proxy reads each of the files and forwards them to the server. To do this in the ossec.conf I have a group <localfile> </localfile> for each file

<localfile>
    <log_format>syslog</log_format>
    <location>/custom/file/path</location>
</localfile>

The system works correctly, but in wazuh I have problems to distinguish the origin of each event, because the agent is always the proxy agent.
Is it possible that the wazuh agent adds a tag to each event according to the file from which it reads it and, without having to change the current decoders, the tag is a new field by which a user can search ?

Thanks

[Carlos Vendrell]

Hello Pedro,

Thanks for your question,

You have the option to create a report specifically for the Firewalls by using a filter. 

For instance, if you're receiving firewall syslog according to the instructions in this documentation:

• Wazuh - Syslog 

In this case, the 'location' field will contain the file where these events are stored. You can use this field as a filter. If the events are sent directly from the network devices to the Wazuh Server, you'll find the device's IP address in that field. I'll attach a screenshot for reference:

Another option, perhaps a bit more advanced, would be to edit the pipeline to generate a specific field based on that location, if you'd like to explore this alternative, you can check out the Wazuh Pipeline on GitHub:

• pipeine.json | Wazuh Github

You can find it on your server at: 

• /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json

I recommend approaching this pipeline modification alternative with caution as this configuration affects how the information is indexed.

Hope it helps,
Carlos