syslog to wazuh dashboard


Giampearo Peter

Jun 26, 2024, 6:27:36 AM
to Wazuh | Mailing List
Hi,

I seek your advice and guidance on achieving my goals.

My aim is to collect logs via syslog and display them on the dashboard. The process involves various VMs, such as database and firewall systems, sending logs to XX.XX.100.68, which serves as a syslog server. This server will then forward all logs to the Wazuh dashboard.

I'm new to this field and would like to know how to get started. One challenge I anticipate is converting plain text logs to pure JSON for better readability.

In our environment, I've set up a Wazuh lab following the QuickStart guide and configured it with NGINX (with Brotli support). NGINX is running on port 5601, while the dashboard operates on port 5602.

Could you provide some directions for me? Your assistance would be greatly appreciated.

Thank you!

Abdullah Al Noman

Jul 1, 2024, 6:27:05 AM
to Wazuh | Mailing List
Hello Giampearo,

I would advise you to take a look at the Wazuh architecture and its list of ports required to function properly. You can easily install and configure Wazuh agents to collect logs from different sources. Wazuh has built-in rules and decoders to deal with most security logs. Additionally, Wazuh has strong JSON decoders, so if you ingest JSON logs into the Wazuh server, they should be decoded with no additional configuration.
You can additionally follow this guide on forwarding syslog events.

Let me know if you have further queries.

Regards,
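
As an added example (not from the original thread, and not Wazuh project code) of the plain-text-to-JSON step the first post asks about and the JSON decoder the reply mentions: a small relay-side normaliser that turns RFC 3164 syslog lines, as a firewall or database VM would send them to the XX.XX.100.68 collector, into one JSON object per line. It assumes the relay writes those lines to a file that a Wazuh agent reads with `<log_format>json</log_format>`, so that Wazuh's built-in JSON decoder produces fields without a custom decoder. The sample lines, hostnames and addresses are constructed for the example, and the year is supplied by the caller because an RFC 3164 header carries none.

```python
"""Added example: normalise RFC 3164 syslog lines into one JSON object per line.

Wazuh's built-in JSON decoder turns every key of a single-line JSON object into
a field, so a relay that emits JSON lines into a file read by a Wazuh agent
(<localfile> with <log_format>json</log_format>) gets usable fields in the
dashboard. The sample lines at the bottom are constructed for this example.
"""
import json
import re
from datetime import datetime

# RFC 3164 frame: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG  (day may be space padded)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:?\s?"
    r"(?P<msg>.*)$"
)
# key=value pairs, the usual shape of firewall and database audit messages
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line, year):
    """Return a dict for an RFC 3164 line, or None if the line is not one.

    The year is an assumption the relay must supply (normally the year at
    receipt time), because the RFC 3164 header has no year field.
    """
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    ts = re.sub(r"\s+", " ", m["ts"])  # collapse the space-padded day
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    event = {
        "timestamp": when.isoformat(),
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "host": m["host"],
        "program": m["tag"],
        "message": m["msg"],
    }
    if m["pid"]:
        event["pid"] = int(m["pid"])
    # Lift key=value pairs out of the message so they become fields of their own
    kv = {}
    for key, value in KV_RE.findall(m["msg"]):
        value = value.strip('"')
        kv[key] = int(value) if value.isdigit() else value
    if kv:
        event["data"] = kv
    return event


def to_json_lines(lines, year):
    """Convert each syslog line to a compact JSON line.

    Lines that do not parse are still emitted, flagged with parse_error and
    carrying the raw text, so nothing is silently dropped on the way to the SIEM.
    """
    out = []
    for line in lines:
        event = parse_syslog(line, year)
        if event is None:
            event = {"parse_error": True, "raw": line.rstrip("\r\n")}
        out.append(json.dumps(event, separators=(",", ":")))
    return out


# Constructed sample input: a firewall drop, an SSH login on a database host,
# and one line that is not syslog at all.
SAMPLE_LINES = [
    "<34>Jul  8 03:59:52 fw01 kernel: action=DROP src=10.0.0.5 dst=10.0.1.9 proto=tcp dport=3389",
    "<86>Jul  8 04:00:01 db01 sshd[2231]: Accepted publickey for dbadmin from 10.0.0.42 port 51022 ssh2",
    "garbage line that should not be lost",
]

if __name__ == "__main__":
    for json_line in to_json_lines(SAMPLE_LINES, year=2024):
        print(json_line)
```

Run it against a file of captured syslog lines and append the output to the file the agent tails; the `parse_error` marker gives you a dashboard query for lines the regex did not understand, which is the usual sign that a device is sending RFC 5424 or a vendor format and needs its own handling.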

Giampearo Peter

Jul 8, 2024, 3:59:52 AM
to Wazuh | Mailing List
Thanks! Got it! I also noticed that v4.8 has a lot of inaccurate guidance or documentation; some of the guidance/commands are not accurate. For example, this link does not exist:
curl -so template.json https://raw.githubusercontent.com/wazuh/wazuh/4.8/extensions/elasticsearch/7.x/wazuh-template.json 

After I upgraded to v4.8, it seems Wazuh failed to obtain the index pattern, so I needed a template for this to be uploaded. However, the link above, which I obtained from here:
https://documentation.wazuh.com/current/user-manual/wazuh-indexer/wazuh-indexer-indices.html 

is invalid, so when I tried to add my-custom-alerts, the file itself is EMPTY (attached screenshot: image_2024-07-03_121321847.png).
So I restored the snapshot of the Wazuh server, which took it back to v4.7, then I tried to upgrade again and failed to find wazuh-archive.

Last question: are there any links/forums/documentation that help with visualizing logs in the dashboard as well?

Thanks!

Abdullah Al Noman

Jul 8, 2024, 6:04:14 AM
to Wazuh | Mailing List
Hello Giampearo,

Thanks for raising these issues with us. We are continuously updating our internal documentation and hope to address your concerns very soon.

You might be looking for this guide, creating custom dashboards - Wazuh dashboard, to visualize your logs the way you want.

Regards,