problem with remote syslog


a.giud...@gmail.com

Jan 16, 2018, 6:26:47 AM1/16/18
to Wazuh mailing list
Hi, I have installed a Wazuh server and ELK stack and it seems OK. Now on the Wazuh server I have configured a remote syslog from my firewall on port 514, protocol UDP, but I don't see any log come to the Wazuh server.
The remote syslog from the firewall works because I have tried to send a log to my PC and I see it.

The port on the server is open:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:1514            0.0.0.0:*
udp6       0      0 ::1:323                 :::*

what's the problem?

thank you

Andrea

P.S.: I use the latest version on CentOS 7 OS.

Marco

Jan 16, 2018, 9:10:31 AM1/16/18
to Wazuh mailing list
Hi Andrea,

Did you configure the manager server to accept remote syslog connections?
In the ossec.conf file on the manager server, you must find the following section:

  <remote>
    <connection>syslog</connection>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips>
  </remote>

Here you have to specify the source IP from which you want to accept syslog connections.

I hope this helps
Marco

a.giud...@gmail.com

Jan 16, 2018, 11:08:21 AM1/16/18
to Wazuh mailing list
Hi,

Yes, I have configured the ossec.conf file:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>10.39.0.x</allowed-ips>
    <allowed-ips>10.39.0.x</allowed-ips>
    <protocol>udp</protocol>
  </remote>
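An added example, not from anyone in this thread, that checks the kind of `<remote>` syslog block the two previous posts discuss: it parses an ossec.conf fragment and reports why the manager would drop messages from a given firewall address (wrong port or protocol, missing or non-matching `<allowed-ips>`). The configuration and the IP addresses below are constructed placeholders, not the poster's real ones.

```python
"""Diagnose whether an ossec.conf <remote> syslog block accepts a given sender."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (placeholder addresses, not from the thread).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.39.0.1</allowed-ips>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def syslog_listeners(conf_xml):
    """Return the <remote> blocks with <connection>syslog</connection>.
    Port and protocol fall back to the Wazuh defaults (514/udp);
    <allowed-ips> may be a single host or a CIDR network."""
    listeners = []
    for rem in ET.fromstring(conf_xml).iter("remote"):
        if rem.findtext("connection", "").strip() != "syslog":
            continue
        listeners.append({
            "port": int(rem.findtext("port", "514")),
            "protocol": rem.findtext("protocol", "udp").strip().lower(),
            "allowed": [ipaddress.ip_network(a.text.strip(), strict=False)
                        for a in rem.findall("allowed-ips")],
        })
    return listeners


def diagnose(conf_xml, src_ip, port=514, protocol="udp"):
    """Return [] if some syslog listener accepts src_ip on port/protocol,
    otherwise the reasons each configured listener would drop its messages."""
    addr = ipaddress.ip_address(src_ip)
    listeners = syslog_listeners(conf_xml)
    if not listeners:
        return ["no <remote> block with <connection>syslog</connection>"]
    reasons = []
    for lst in listeners:
        if (lst["port"], lst["protocol"]) != (port, protocol):
            reasons.append(f"listener is {lst['port']}/{lst['protocol']}, "
                           f"firewall sends {port}/{protocol}")
        elif not lst["allowed"]:
            reasons.append("syslog listener has no <allowed-ips>; nothing is accepted")
        elif not any(addr in net for net in lst["allowed"]):
            reasons.append(f"{src_ip} matches none of {[str(n) for n in lst['allowed']]}")
        else:
            return []  # this listener accepts the sender
    return reasons
```

Run `diagnose(open("/var/ossec/etc/ossec.conf").read(), "<firewall ip>")` on the manager to get an empty list (accepted) or the mismatch reasons.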

Jose Luis Ruiz

Jan 16, 2018, 12:51:40 PM1/16/18
to a.giud...@gmail.com, Wazuh mailing list

Hi A. 


If you don't see any log, it doesn't mean that the server is not working; maybe we don't have rules and decoders for your specific firewall.

You can verify whether you are receiving the logs by enabling the "archives".

Edit the file `/var/ossec/etc/ossec.conf`, change `<logall>no</logall>` to `<logall>yes</logall>` and restart the service with `/var/ossec/bin/ossec-control restart`.

Now you will have a new file `/var/ossec/logs/archives/archives.log`; this file has all raw logs from your agents, devices, etc. Please check in this file whether you have logs from your firewall.

If you have logs from your firewall in archives.log, probably the Wazuh ruleset does not have decoders and rules for your firewall.

PS: Take care with keeping `<logall>` enabled; this file can grow very fast and use a lot of space.


Regards
————————
José Luis Ruiz.
Wazuh Inc.


a.giud...@gmail.com

Jan 17, 2018, 6:26:09 AM1/17/18
to Wazuh mailing list
Hi, sorry, but it's my fault. Remote syslog from the firewall has always worked; the problem is that I never received any alert because there haven't been any alerts.

thanks

Andrea

