ubuntu and rsyslog marked as failed


Paulo Ricardo Bruck

Aug 21, 2025, 9:57:23 AM
to Wazuh | Mailing List
Hello

Using Ubuntu 24.04 and wazuh 4.12.0-1

35721 Ensure rsyslog is not configured to receive 

Checks (Condition: all)
d:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)
d:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*module\(load="imtcp"\)
f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)
f:/etc/rsyslog.conf -> r:^\s*\t*module\(load="imtcp"\)

on my computer:
# grep imtcp /etc/rsyslog.conf  
# grep imtcp /etc/rsyslog.d/*
#

There is nothing about imtcp. What am I missing?

thanks in advance

Alexander Bohorquez

Aug 21, 2025, 10:22:00 AM
to Wazuh | Mailing List
Hello Paulo, 

I see you're referring to running Wazuh SCA on Ubuntu 24.04 using Wazuh 4.12.0-1.

Specifically, regarding the check: "Ensure rsyslog is not configured to receive logs from a remote client." Am I correct?

According to what you checked on your endpoint, you're not loading the imtcp module.

I'd like to know what result you're getting in the Wazuh SCA check. Is it displayed as "Failed" or "Passed"? I'd like a little more information to help you.

I'd like to take this opportunity to share some information about how the SCA module works:

https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-it-works.html

Paulo Ricardo Bruck

Aug 21, 2025, 4:59:40 PM
to Wazuh | Mailing List
Hi Alexander.

My bad. I forgot to mention that test 35721 is marked as failed for me...

35721 Ensure rsyslog is not configured to receive logs from a remote client.  File: /etc/rsyslog.conf  Failed

and no "imtcp" is found under /etc/rsyslog.conf or /etc/rsyslog.d/*

Hmm, reading this check as an example:
f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)

Correct me if I am wrong:
check file /etc/rsyslog.conf
verify the file contains input(type="imtcp" port="514")
my /etc/rsyslog.conf does not contain "imtcp" ...

Well, all checks are done and none of them contains "imtcp"

IMHO, shouldn't it be something like this?

Checks (Condition: all)
not d:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)
not d:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*module\(load="imtcp"\)
not f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)
not f:/etc/rsyslog.conf -> r:^\s*\t*module\(load="imtcp"\)

Because imtcp means that rsyslog is capable of receiving logs from other servers......

best regards

Jorge Fabiano Núñez García

Sep 24, 2025, 7:03:07 AM
to Wazuh | Mailing List

Hi Paulo,

Thanks for the clarification.

For check 35721, the correct condition is none. This condition means the check passes only when none of its rules match. With this change, the check passes when rsyslog has no active imtcp configuration, matching the control’s intent.
If you manage it from the agent, edit the SCA file at /var/ossec/ruleset/sca/cis_ubuntu_linux_24.04.yml. If you use centralized policies from the Manager, apply the change there.
Please update the condition field to none in check 35721. It should look like this:

     condition: none
     rules:
      - 'f:/etc/rsyslog.conf -> r:^\s*\t*module\(load="imtcp"\)'
      - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*module\(load="imtcp"\)'
      - 'f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)'
      - 'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)'


We already identified the issue and are reviewing the fix for the next Wazuh release.
Reference documentation:

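An added illustration (not Wazuh's SCA engine and not posted by anyone in this thread) that mimics how the four rules of check 35721 combine under the condition field. It uses Python's re module as a stand-in for Wazuh's regex syntax and two constructed in-memory rsyslog configurations, one hardened and one with imtcp enabled, to show why "all" fails on a compliant host while "none" gives the intended result:

```python
import re

# Constructed in-memory rsyslog configs (path -> contents); not real host files.
HARDENED_HOST = {
    "/etc/rsyslog.conf": 'module(load="imuxsock")\n*.* /var/log/syslog\n',
    "/etc/rsyslog.d/50-default.conf": "auth,authpriv.* /var/log/auth.log\n",
}
LISTENING_HOST = {
    "/etc/rsyslog.conf": 'module(load="imuxsock")\n',
    "/etc/rsyslog.d/10-remote.conf": 'module(load="imtcp")\ninput(type="imtcp" port="514")\n',
}

# The four rules from check 35721, exactly as written in the policy.
RULES = [
    r'f:/etc/rsyslog.conf -> r:^\s*\t*module\(load="imtcp"\)',
    r'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*module\(load="imtcp"\)',
    r'f:/etc/rsyslog.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)',
    r'd:/etc/rsyslog.d -> r:\.*.conf -> r:^\s*\t*input\(type="imtcp" port="514"\)',
]


def _content_matches(text, pattern):
    # The content regex is applied line by line; Python re approximates Wazuh's engine.
    return any(re.search(pattern, line) for line in text.splitlines())


def rule_matches(rule, fs):
    """True if one 'f:' or 'd:' rule matches the in-memory filesystem."""
    parts = [p.strip() for p in rule.split("->")]
    kind, target = parts[0].split(":", 1)
    if kind == "f":  # f:<file> -> r:<content regex>
        return target in fs and _content_matches(fs[target], parts[1][2:])
    if kind == "d":  # d:<dir> -> r:<filename regex> -> r:<content regex>
        name_re, content_re = parts[1][2:], parts[2][2:]
        return any(
            path.startswith(target + "/")
            and re.search(name_re, path[len(target) + 1:])
            and _content_matches(text, content_re)
            for path, text in fs.items()
        )
    raise ValueError(f"unsupported rule type {kind!r}")


def evaluate(condition, rules, fs):
    """Combine the per-rule results the way the SCA 'condition' field does."""
    hits = [rule_matches(r, fs) for r in rules]
    passed = {"all": all(hits), "any": any(hits), "none": not any(hits)}[condition]
    return "Passed" if passed else "Failed"
```

With "all", even the listening host fails, because imtcp appears only under /etc/rsyslog.d and not in both locations, so that condition cannot separate the two hosts at all; "none" passes the hardened host and fails the listening one.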