Sentinel One Integration -- Connection refused


christineIT

Jun 24, 2024, 11:38:53 AM
to Wazuh | Mailing List
Hello everyone, this is my first post on this channel (second attempt ;))
A week ago I started working with Wazuh, and it looks like a tool. My first task has been to integrate SentinelOne logs, but I have encountered several issues.
I followed the following link.
First, packages in the syslog-ng installation: I had to uninstall and reinstall the syslog-ng packages (syslog-ng-core, syslog-ng-mod-*) and then change the version number in the file syslog-ng.conf:
@version: 3.35
@include "scl.conf"

Ok. This part is resolved... great!!

sudo systemctl status  syslog-ng
● syslog-ng.service - LSB: Starting system logging daemon
     Loaded: loaded (/etc/init.d/syslog-ng; generated)
     Active: active (exited) since Thu 2024-06-20 15:54:25 UTC; 19h ago
       Docs: man:systemd-sysv-generator(8)
        CPU: 2ms

In the integration part of Sentinel One for TLS, the connection appears as rejected (attached image)...
sentinelone_syslog.png

but I do not identify errors or warnings:
INFO: Remote syslog allowed from: 'xxx.xxx.xxx.xxx'.
INFO: Started (pid: 522823). Listening on port 514/TCP (syslog).

In theory the protocol is done, and port 514 TCP is open and listening.
sudo netstat -tuln | grep :514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN

ossec.conf
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips> <!-- Sentinel One IP -->
  </remote>

syslog-ng.conf 
#TLS Config
source s_network_tls {
    network(
        transport("tls")
        port(514)  # Specify the port to listen on for TLS connections
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted)
        )
    );
};

destination d_tls_logs {
    file("/var/log/sentinelone.log"); # Path to save the logs received over TLS
};

log { source(s_network_tls); destination(d_tls_logs); };
 
Can anyone help me or provide steps to follow, please? 

Kind regards
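Added example, not part of the thread and not Wazuh or syslog-ng code: the two fragments posted above both bind TCP port 514 on the same host (Wazuh's remoted for plain syslog, syslog-ng for TLS), and the netstat output shows a single 0.0.0.0:514 listener. The script below reads an ossec.conf and a syslog-ng.conf, extracts every syslog listener from each, and reports the ports claimed by more than one service. The sample inputs are the fragments from the post; the `<ossec_config>` wrapper around `<remote>` is assumed (a bare fragment is not a parsable XML document), the `#` note is turned into an XML comment, and the IP is kept as the poster's placeholder. The syslog-ng part is a regex scan of `network()` sources, not a full grammar parser.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Sample input (constructed from the post above): the <remote> block wrapped in
# <ossec_config>, which is the assumed shape of the real file.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips> <!-- Sentinel One IP -->
  </remote>
</ossec_config>
"""

# Sample input (constructed from the post above): the syslog-ng TLS listener.
SYSLOG_NG_CONF = """#TLS Config
source s_network_tls {
    network(
        transport("tls")
        port(514)  # Specify the port to listen on for TLS connections
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted)
        )
    );
};

destination d_tls_logs {
    file("/var/log/sentinelone.log");
};

log { source(s_network_tls); destination(d_tls_logs); };
"""


def wazuh_listeners(ossec_xml):
    """(port, protocol) for every <remote> block whose <connection> is syslog.

    <connection>secure</connection> blocks are the agent channel and are skipped.
    Missing elements fall back to Wazuh's documented defaults: port 514, udp.
    """
    root = ET.fromstring(ossec_xml)
    found = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        port = int(remote.findtext("port", "514").strip())
        proto = remote.findtext("protocol", "udp").strip().lower()
        found.append((port, proto))
    return found


_SOURCE = re.compile(r"source\s+(\w+)\s*\{(.*?)\};", re.S)
_TRANSPORT = re.compile(r'transport\s*\(\s*"?([\w-]+)"?\s*\)')
_PORT = re.compile(r"(?<![\w-])port\s*\(\s*(\d+)\s*\)")


def syslog_ng_listeners(conf):
    """(source name, port, transport) for each source {} that uses network().

    Missing options fall back to the network() driver defaults: port 514, tcp.
    """
    conf = re.sub(r"#[^\n]*", "", conf)  # drop '#' comments before matching
    found = []
    for name, body in _SOURCE.findall(conf):
        if not re.search(r"network\s*\(", body):
            continue
        m_port, m_tr = _PORT.search(body), _TRANSPORT.search(body)
        port = int(m_port.group(1)) if m_port else 514
        transport = m_tr.group(1).lower() if m_tr else "tcp"
        found.append((name, port, transport))
    return found


def port_conflicts(ossec_xml, syslog_ng_conf):
    """Group listeners by (port, L4 protocol); return the keys claimed twice.

    TLS is TCP on the wire, so a syslog-ng tls listener and a Wazuh tcp listener
    on one port compete for the same socket: the second daemon to start cannot
    bind it, and a sender only reaches whichever one won. A TLS client that
    lands on the plaintext listener has its handshake rejected.
    """
    claims = defaultdict(list)
    for port, proto in wazuh_listeners(ossec_xml):
        claims[(port, proto)].append(("wazuh-remoted", proto))
    for name, port, transport in syslog_ng_listeners(syslog_ng_conf):
        l4 = "udp" if transport == "udp" else "tcp"
        claims[(port, l4)].append((f"syslog-ng:{name}", transport))
    return {key: who for key, who in claims.items() if len(who) > 1}


if __name__ == "__main__":
    for (port, l4), who in port_conflicts(OSSEC_CONF, SYSLOG_NG_CONF).items():
        names = ", ".join(f"{n} ({t})" for n, t in who)
        print(f"port {port}/{l4} is claimed by more than one listener: {names}")
```

Run against the fragments it reports 514/tcp as claimed by both wazuh-remoted (tcp) and syslog-ng:s_network_tls (tls). On a live manager, `ss -ltnp` shows which process actually holds 514; whichever listener is meant to receive the TLS stream needs a port of its own, with allowed-ips and firewall rules following it.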

Matías David Mercado Aragonés

Jun 25, 2024, 11:57:39 AM
to Wazuh | Mailing List
Hi Christine,
I replied to you yesterday, but I don't know what happened with my message that has been deleted. Anyway, let me complete my tests of this tutorial on a local environment and I will be back to you. Here you have the list with the required ports for Wazuh https://documentation.wazuh.com/current/getting-started/architecture.html#required-ports.
Regards,
Matías.

Matías David Mercado Aragonés

Jun 26, 2024, 5:23:49 PM
to Wazuh | Mailing List
Hi Christine, could you please try again to reproduce this error and check the log of sentinel? You can do this by typing:
# cat /var/log/sentinelone.log | grep -i "sentinel"
I would like to see the logs of Sentinel to get more information about this connection error. Also, I would like to recommend checking any other external services that could be blocking this connection, such as your firewall or any similar service.
You can also use the following command to test the connection over the port 514 between the 2 nodes:
# nc -vz <ip> 514
Regards,
Matías.

christineIT

Aug 1, 2024, 3:08:13 AM
to Wazuh | Mailing List

Hello Matías,

Thank you, and sorry for the delay in providing an update. I was finally able to work at the API level, and that fixed the problem. Via syslog I could not get the connection. From the Wazuh side, the configuration was well executed: ports open, syslog-ng configuration, certificates, etc. I don't know what happened, but now I can work.

Thanks for your time