Best approach to collect network device syslog in Wazuh (Healthcare environment)


Chi Bùi Quỳnh

5:11 AM (19 hours ago)
to Wazuh | Mailing List

Hi everyone,

I’m a beginner with Wazuh and would really appreciate your guidance.

Currently, I am working on a healthcare customer environment with the following setup:

  • 30 Virtual Machines

  • 10 Physical servers

  • 10 Network devices (firewall, router, switch, etc.) in the data center

My goal is to collect syslog from network devices into Wazuh for security monitoring and compliance.

As far as I understand, there are two common ways to send syslog to Wazuh:

  1. Sending syslog directly to the Wazuh Manager

  2. Sending syslog to a dedicated syslog server (rsyslog/syslog-ng) and then forwarding logs to Wazuh

My concerns:
  • Which approach is more suitable and scalable for this environment?

  • Which option is recommended for healthcare environments (performance, reliability, compliance)?

  • Are there any best practices for handling network device logs in Wazuh at this scale?

Additionally, from a deployment perspective:
  • What requirements or prerequisites should I ask the customer to prepare?

  • What would be a reasonable scope of work (SoW) for deploying this logging service (infrastructure, configuration, testing, handover)?

Any advice, references, or real-world experience would be extremely helpful.
Thank you in advance for your support!

Ifeanyi Onyia Odike

11:53 AM (12 hours ago)
to Wazuh | Mailing List
Hello Chi Bùi Quỳnh,

To answer your questions:

  • Which approach is more suitable and scalable for this environment?
  • Which option is recommended for healthcare environments (performance, reliability, compliance)?

Send to a dedicated syslog server (rsyslog/syslog-ng) and then forward the logs to Wazuh.
I recommend this method so that troubleshooting syslog failures can be done easily from a single central point rather than from the Wazuh server itself.

  • Are there any best practices for handling network device logs in Wazuh at this scale?
There are no specific best practices for handling network device logs. However, I recommend checking the Wazuh indexer server storage regularly to ensure you have enough resources to manage the logs you receive on a weekly and monthly basis. I also recommend understanding the Wazuh indexer retention flow, as this will help guide your retention policy for the setup.


  • What requirements or prerequisites should I ask the customer to prepare?

For hardware/resource requirements, I recommend the Wazuh hardware guide. An 8 vCPU, 8GB RAM, and 200GB storage server would be sufficient for your current setup, allowing you to store logs for up to 90 days. Depending on future projections, you can always scale your Wazuh server and Indexer to allow for load balancing and reliability. The following guides will help you with that:

a. Wazuh server cluster - specifically the "Adding Wazuh server nodes" section
b. Wazuh indexer cluster - specifically the "Adding Wazuh indexer nodes" section


  • What would be a reasonable scope of work (SoW) for deploying this logging service (infrastructure, configuration, testing, handover)?

Infrastructure
1. Design and document the target architecture (syslog server, Wazuh manager/indexer, network flows, ports) with the already existing infrastructure, network devices, and firewalls.
2. Provision servers and storage (e.g., dedicated syslog VM) and ensure connectivity from all 10 network devices.

Configuration
1. Configure the dedicated syslog service (rsyslog/syslog-ng) to receive logs from all network devices and forward them to Wazuh.

Testing and validation
1. Create and execute test cases per device type (firewall, router, switch, etc.) to verify logs are received, correctly parsed, searchable, and trigger expected security alerts/use cases.
2. Validate performance and stability (log volume, latency, disk growth over a pilot period - say a month) and adjust storage or scaling plans.

Handover and documentation
1. Deliver documentation covering architecture, data flows, configuration details (syslog server and Wazuh), operational runbooks (health checks, troubleshooting, common failures), and backup/retention procedures.
2. Provide an admin/operator handover session for the customer’s team, including basic training on how to onboard new devices and monitor capacity.

Regards,
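As an added worked example (not part of the thread, and not Wazuh's or rsyslog's own deployment tooling), the script below renders the two configuration pieces the recommended design needs: an rsyslog fragment for the dedicated syslog VM that accepts UDP/TCP 514 from the data-center device subnet, keeps a per-device local copy for central troubleshooting, and forwards over TCP with a disk-assisted queue to the Wazuh manager; and the matching `<remote>` block for the manager's `ossec.conf`, which only accepts syslog from the syslog VM. The manager name, the device subnet prefix and the syslog VM address are placeholders that must be replaced per site; `logger` flags are those of util-linux.

```shell
#!/usr/bin/env bash
# Added example for the rsyslog -> Wazuh design discussed above (not from the thread).
# All host names and addresses below are assumed placeholders.
set -eu

WAZUH_MANAGER="${WAZUH_MANAGER:-wazuh-manager.example.internal}"  # assumed
DEVICE_PREFIX="${DEVICE_PREFIX:-10.10.0.}"    # assumed DC management subnet prefix
SYSLOG_VM_IP="${SYSLOG_VM_IP:-10.10.0.5}"     # assumed address of the dedicated syslog VM
LOG_ROOT="${LOG_ROOT:-/var/log/netdev}"

# rsyslog fragment for the syslog VM. Only the device subnet is accepted; each
# device gets its own daily file; everything is forwarded to Wazuh over TCP with a
# disk-assisted queue so a manager outage does not lose events.
render_rsyslog_conf() {
  cat <<EOF
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

template(name="NetDevFile" type="string"
         string="${LOG_ROOT}/%FROMHOST-IP%/%\$YEAR%-%\$MONTH%-%\$DAY%.log")

if (\$fromhost-ip startswith "${DEVICE_PREFIX}") then {
  action(type="omfile" dynaFile="NetDevFile"
         dirCreateMode="0750" fileCreateMode="0640")
  action(type="omfwd" target="${WAZUH_MANAGER}" port="514" protocol="tcp"
         queue.type="LinkedList" queue.filename="wazuh_fwd"
         queue.saveOnShutdown="on" action.resumeRetryCount="-1")
  stop
}
EOF
}

# <remote> block to merge into /var/ossec/etc/ossec.conf on the Wazuh manager.
# allowed-ips is restricted to the syslog VM, not the whole device subnet.
render_wazuh_remote() {
  cat <<EOF
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>${SYSLOG_VM_IP}</allowed-ips>
  </remote>
</ossec_config>
EOF
}

# Write both files under a prefix ("/" for a real install, a temp dir for review).
# The Wazuh snippet is staged next to ossec.conf and must be merged by hand.
install_configs() {
  prefix="$1"
  mkdir -p "$prefix/etc/rsyslog.d" "$prefix/var/ossec/etc"
  render_rsyslog_conf > "$prefix/etc/rsyslog.d/10-netdev.conf"
  render_wazuh_remote > "$prefix/var/ossec/etc/remote-syslog.snippet.xml"
  chmod 0640 "$prefix/etc/rsyslog.d/10-netdev.conf"
  echo "$prefix/etc/rsyslog.d/10-netdev.conf"
}

# Test case for the validation step: emit one message per device type at the
# syslog VM over TCP 514 and check that it appears in the per-device file and
# as an event in Wazuh (util-linux logger flags: -n server, -P port, -T tcp).
send_test_events() {
  for dev in firewall router switch; do
    logger -n "$SYSLOG_VM_IP" -P 514 -T -t "$dev-test" "netdev syslog pipeline check from $dev"
  done
}

if [ "${1:-}" = "install" ]; then
  install_configs "${2:-/}"
  echo "Run 'rsyslogd -N1' to validate the fragment, then restart rsyslog and wazuh-manager."
fi
```

Run it as `./netdev-syslog.sh install` on the syslog VM (root), copy the staged `<remote>` snippet into the manager's `ossec.conf`, restart both services, and then call `send_test_events` to exercise the path end to end. The per-device files are what make the single-point troubleshooting the reply describes possible; the queue settings are what keep a manager restart from costing events.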