syslog configuration and parsing


Udi Moshe
Sep 18, 2023, 10:12:50 AM
to Wazuh | Mailing List
Hi,

Assuming that I am installing Wazuh offline and on 2 VMs, 1 for the server and 1 for the indexer/dashboard. I am installing the regular components.

What is the procedure for creating a syslog listener, and how does it know how to correctly parse the syslog? For example, a Cisco Catalyst switch.

Francisco Tuduri
Sep 18, 2023, 10:45:57 AM
to Wazuh | Mailing List
Hi Udi!

To have the Wazuh server receive events via syslog you will use the LogCollector module: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html.
In addition to reading log events from local files, this module can also receive syslog messages from devices that do not support the installation of Wazuh agents.

To understand how to configure syslog on the Wazuh server please refer to this documentation: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

Basically, you have to add a configuration block like the following in the ossec.conf file of the Wazuh Server:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>
Note that the allowed-ips label is mandatory. The configuration will not take effect without it.

You can find more details about each of these fields in the reference for the <remote> configuration: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html
As far as the second part of your question, the Wazuh server then analyzes the collected logs in real time using decoders and rules. Wazuh extracts relevant information from the logs and maps them to appropriate fields using decoders. Then it tries to match these decoded events with the existing rules. If the event matches one of these rules then an alert is generated.

Wazuh comes with an extensive set of decoders and rules. You can explore them here and here.

In case none of the decoders and/or rules cover your use case, the ruleset can be extended and customized with custom rules and decoders, as explained here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I don't see any decoder/rule referencing specifically Cisco Catalyst in the default ruleset. However, it is possible that these logs could match existing decoders/rules. There are many decoders/rules for Cisco products. To verify this you can use the Wazuh logtest tool. You pass it a sample log and the tool will analyze it as if it were a real event; with this you can see if the event is decoded correctly and whether any rule matches. You can also use this tool to test any custom decoder/rule that you may create.

Regards!
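The two halves of the answer above (the &lt;allowed-ips&gt; filter on the syslog listener, and the decoder → rule → alert pipeline that the logtest tool lets you exercise) can be seen together in the following added Python illustration. This is not Wazuh code and does not reproduce Wazuh's real decoder engine; the decoder, the rules, the rule ids, the Cisco IOS-style sample lines and the alert threshold of 3 are all constructed for the example. It only models the idea: a sender outside the allowed range is dropped before parsing, a decoder's prematch decides whether it applies, its regex fills the fields named in order, and a rule keyed on those fields produces the alert.

```python
"""Toy model of the syslog listener's allowed-ips check and of the
decoder/rule stage described in the answer above.  Added illustration only:
not Wazuh's code, and not a faithful copy of its decoder syntax."""
import ipaddress
import re
from typing import Optional

# Mirrors the <allowed-ips> value from the ossec.conf snippet in the answer.
ALLOWED_IPS = ["192.168.2.15/24"]


def sender_allowed(src_ip: str, allowed=ALLOWED_IPS) -> bool:
    """Accept a syslog packet only if its source falls inside an allowed range.
    strict=False lets a host address such as 192.168.2.15/24 stand for its /24."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


# Constructed sample lines in Cisco IOS syslog style (not captured from a real device).
SAMPLE_LOGS = [
    "<189>105: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<189>106: *Mar  1 00:12:40.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.20)",
    "<14>sshd[1234]: Accepted password for alice from 10.0.0.5 port 5555 ssh2",
]

# A decoder in the spirit of Wazuh's: 'prematch' decides whether the decoder
# applies, 'regex' captures groups, 'order' names the captured fields.
# Hypothetical decoder written for this example; the patterns are Python regex,
# not Wazuh's own regex dialect.
CISCO_IOS_DECODER = {
    "name": "cisco-ios-example",
    "prematch": re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:"),
    "regex": re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$"),
    "order": ["facility", "severity", "mnemonic", "message"],
}

# Hypothetical rules keyed on decoded fields, with a level as Wazuh rules have.
EXAMPLE_RULES = [
    {"id": 100001, "level": 5, "match": {"mnemonic": "CONFIG_I"},
     "description": "Cisco IOS: device configuration changed"},
    {"id": 100002, "level": 4, "match": {"mnemonic": "UPDOWN"},
     "description": "Cisco IOS: interface state change"},
]

ALERT_LEVEL = 3  # assumed minimum level at which a matched rule becomes an alert


def decode(line: str, decoder=CISCO_IOS_DECODER) -> Optional[dict]:
    """Return the decoded fields, or None if the decoder does not apply."""
    if not decoder["prematch"].search(line):
        return None
    m = decoder["regex"].search(line)
    if not m:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    fields["decoder"] = decoder["name"]
    return fields


def match_rule(fields: dict, rules=EXAMPLE_RULES) -> Optional[dict]:
    """First rule whose every 'match' field equals the decoded value, else None."""
    for rule in rules:
        if all(fields.get(k) == v for k, v in rule["match"].items()):
            return rule
    return None


def logtest(line: str) -> dict:
    """What you would check with the logtest tool: did it decode, did a rule fire."""
    fields = decode(line)
    rule = match_rule(fields) if fields else None
    return {"decoded": fields, "rule": rule,
            "alert": rule is not None and rule["level"] >= ALERT_LEVEL}


if __name__ == "__main__":
    print("192.168.2.77 allowed:", sender_allowed("192.168.2.77"))
    print("10.1.1.1 allowed:", sender_allowed("10.1.1.1"))
    for raw in SAMPLE_LOGS:
        print(logtest(raw))
```

Running it shows the third line (an sshd message) is left undecoded by the Cisco decoder and raises no alert, which is exactly the situation the answer describes when no existing decoder covers a device: the fix is a custom decoder and rule, and logtest is how you confirm they fire before deploying them.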

Udi Moshe
Sep 18, 2023, 11:05:11 AM
to Wazuh | Mailing List
Hi Francisco,

Thank you for the elaborate answer. I will take the time to read and learn.

Regards,