Not able to receive syslog events for aruba switch


Mani Bharathi

Feb 19, 2025, 4:23:21 AM
to Wazuh | Mailing List
Hi Team,

I want to monitor Aruba switch events in Wazuh. I have created the decoder and rules, and they are working. I'm able to capture the switch events on the syslog server, but I couldn't forward the events to Wazuh. I'm missing something. Please find the conf details below. Kindly help me with this.

Sample Log

Feb 19 12:18:34 6200 log-proxyd[935] Event|5209|LOG_INFO|CDTR|1|User mani logged in from 192.168.20.7 through SSH session.
Feb 19 12:18:47 6200 log-proxyd[935] Event|5211|LOG_INFO|CDTR|1|User mani logged out of SSH session from 192.168.20.7.


Decoder File:

<decoder name="Switch_Events">
  <program_name>log-proxyd</program_name>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex offset="after_parent">User (\.+) (\.+) of (\.+) session from (\.+)</regex>
  <order>user,event_message,console,ip</order>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex offset="after_parent">User (\.+) (\.+) from (\.+) through (\.+) session</regex>
  <order>user,event_message,ip,console</order>
</decoder>



Rules File:

<group name="Switch_Events,">

  <rule id="110000" level="0">
    <decoded_as>Switch_Events</decoded_as>
    <description>Switch_Events</description>
  </rule>

  <rule id="110001" level="5">
    <if_sid>110000</if_sid>
    <match>logged out of</match>
    <description>$(user) logged out via $(console) from $(ip)</description>
  </rule>

  <rule id="110002" level="5">
    <if_sid>110000</if_sid>
    <match>logged in from</match>
    <description>$(user) logged in from $(ip) via $(event_message)</description>
  </rule>

</group>



ossec.conf (Wazuh agent on the syslog server)

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/ODCSwitch.log</location>
</localfile>



ossec.conf (Wazuh server)

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.8.0/24</allowed-ips>
  <local_ip>192.168.0.116</local_ip>
</remote>



Thanks!
Mani Bharathi K

hasitha.u...@wazuh.com

Feb 19, 2025, 5:32:05 AM
to Wazuh | Mailing List
Hi Mani,

If you are collecting logs from a Wazuh agent, then there is no need for the syslog configuration in the ossec.conf file.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.8.0/24</allowed-ips>
  <local_ip>192.168.0.116</local_ip>
</remote>

As I can see, you collect logs from an agent, and if the agent is connected and active it will send them directly to the Wazuh manager.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/ODCSwitch.log</location>
</localfile>

However, your rules are working fine from my end and I can see them on the dashboard as well.

Also, I suggest modifying your rules to see the username. I noticed while testing with /var/ossec/bin/wazuh-logtest that the user name in your log is decoded as dstuser. If you add user in the decoder, by default it will map to dstuser.
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html#testing-decoders-and-rules


Therefore use dstuser instead of user in the rule description.

<rule id="110001" level="5">
  <if_sid>110000</if_sid>
  <match>logged out of</match>
  <description>$(dstuser) logged out via $(console) from $(ip)</description>
</rule>

<rule id="110002" level="5">
  <if_sid>110000</if_sid>
  <match>logged in from</match>
  <description>$(dstuser) logged in from $(ip) via $(event_message)</description>
</rule>

If you cannot see these logs in the dashboard, I suggest you check the archives.json logs. Then you can verify that the logs are reaching the Wazuh manager.
You can enable the archive JSON format log from your manager's ossec.conf:

<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>

After making the changes, make sure to restart the manager.
systemctl restart wazuh-manager

Look for any relevant logs inside the archive log. Use grep parameters related to the log.
cat /var/ossec/logs/archives/archives.json | grep "part of your log"

Note: Don't forget to disable the logall parameter once you have finished troubleshooting.
Leaving it enabled could lead to high disk space consumption.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

Also, check on the Wazuh agent side that it reads the file by running this command.
cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector"

Further, to learn more about Wazuh custom rules, you can refer to these.
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Let me know the update on this to check further.

Regards,
Hasitha Upekshitha

Mani Bharathi

Feb 19, 2025, 6:20:21 AM
to Wazuh | Mailing List
Hi Hasitha,

Thanks a lot for your support.

I did the changes you mentioned.

I am able to receive the logs in the archives.json file.

{"timestamp":"2025-02-19T11:08:37.570+0000","agent":{"id":"028","name":"Server1","ip":"192.168.20.7"},"manager":{"name":"wazuh.manager"},"id":"1739963317.1324511426","full_log":"Aruba-logs: Feb 19 16:38:35 6200 log-proxyd[935] Event|5209|LOG_INFO|CDTR|1|User mani logged in from 192.168.20.7 through SSH session.","decoder":{},"location":"/var/log/ODCSwitch.log"}
{"timestamp":"2025-02-19T11:08:41.574+0000","agent":{"id":"028","name":"Server1","ip":"192.168.20.7"},"manager":{"name":"wazuh.manager"},"id":"1739963321.1324652123","full_log":"Aruba-logs: Feb 19 16:38:39 6200 log-proxyd[935] Event|5211|LOG_INFO|CDTR|1|User mani logged out of SSH session from 192.168.20.7.","decoder":{},"location":"/var/log/ODCSwitch.log"}

And the Wazuh agent also reads the file:

2025/02/19 12:44:30 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/ODCSwitch.log'.

But I'm not able to see the event in the dashboard, or I don't know how to view it. Can you please help me? I'm using the Discover option to view the events on the agent (the syslog-configured server).

Thanks!
Mani Bharathi K

hasitha.u...@wazuh.com

Feb 19, 2025, 11:18:39 PM
to Wazuh | Mailing List
Hi Mani,

I reviewed your full log and noticed that you need to test the following part.

Aruba-logs: Feb 19 16:38:39 6200 log-proxyd[935] Event|5211|LOG_INFO|CDTR|1|User mani logged out of SSH session from 192.168.20.7.

The log you previously tested and created decoders and rules for does not match this log; that's why it's not triggered.

However, I have modified your decoders and rules to extract and trigger properly.
Replace this decoder with your existing decoders.

<decoder name="Switch_Events">
  <prematch>Aruba-logs</prematch>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex>User (\.+) (\.+) of (\.+) session from (\.+)</regex>
  <order>user,event_message,console,ip</order>
</decoder>

<decoder name="Switch_Events1">
  <parent>Switch_Events</parent>
  <regex offset="after_parent">User (\.+) (\.+) from (\.+) through (\.+) session</regex>
  <order>user,event_message,ip,console</order>
</decoder>

Then replace these rules with your current Aruba rules.

<group name="Switch_Events,">

  <rule id="110000" level="0">
    <decoded_as>Switch_Events</decoded_as>
    <description>Switch_Events</description>
  </rule>

  <rule id="110001" level="5">
    <if_sid>110000</if_sid>
    <match>logged out of</match>
    <description>$(dstuser) logged out via $(console) from $(ip)</description>
  </rule>

  <rule id="110002" level="5">
    <if_sid>110000</if_sid>
    <match>logged in from</match>
    <description>$(dstuser) logged in from $(ip) via $(event_message)</description>
  </rule>

</group>

Further, to learn more about Wazuh custom rules, you can refer to these.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

Mani Bharathi

Feb 20, 2025, 4:05:51 AM
to Wazuh | Mailing List
Hi Hasitha,

Thanks a lot for your time and support. You saved me. It worked!

I'm going to create alerts for the other events. If there is any issue, I will post here. Thanks.

Thanks!
Mani Bharathi K

hasitha.u...@wazuh.com

Feb 20, 2025, 4:39:38 AM
to Wazuh | Mailing List
Hi Mani,

I am glad that your issue has been resolved. Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha

Mani Bharathi

Feb 21, 2025, 3:52:48 AM
to Wazuh | Mailing List
Hi Hasitha,

I've 20+ switches in my network. I tried to create the alert for each switch. It seems we need to create a separate decoder and rule file with unique rule IDs for each, which is very difficult to manage.

We enabled the hostname in the logs. Is it possible to get the switch hostname in the dashboard with minimum effort? The main goal is that we need to see where the alert came from. All the switches are the same model. Can you please help me with this?

Aruba-logs: Feb 21 12:25:57 SW2050 log-proxyd[906] Event|5209|LOG_INFO|CDTR|1|User mani logged in from 192.168.20.7 through SSH session.

SW2050 is the hostname of the switch.

Thanks!
Mani Bharathi K

Mani Bharathi

Feb 24, 2025, 12:09:26 AM
to Wazuh | Mailing List
Hi Hasitha,

Can you please help me with this?

Thanks!

hasitha.u...@wazuh.com

Feb 24, 2025, 6:39:05 AM
to Wazuh | Mailing List
Hi Mani,

You can add this decoder to extract the Hostname field using this regex pattern.

<decoder name="Switch_Events2">
  <parent>Switch_Events</parent>
  <regex>Aruba-logs: \S+ \d+ \d+:\d+:\d+\s(\S+)\s</regex>
  <order>Hostname</order>
</decoder>
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Let me know if you need further assistance on this.

Regards,
Hasitha Upekshitha
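
As an added example that is not part of this thread or of Wazuh's own code, the following Python script approximates the decoders Hasitha posted above (the Aruba-logs prematch, the two User ... regexes and the Hostname regex) in Python regex syntax and runs them over constructed archives.json records shaped like the ones quoted earlier. It returns no fields for a line that lacks the Aruba-logs: prefix, which is the mismatch diagnosed on Feb 19, and flags records whose manager-side "decoder" field is empty. The OS_Regex-to-PCRE translation (non-greedy groups) and the record contents are assumptions of the example.

```python
import json
import re

# Constructed archives.json records, modelled on the ones quoted in this thread:
# "decoder":{} is how the manager reports that no decoder matched the event.
ARCHIVES = [
    '{"id":"1739963317.1324511426","full_log":"Aruba-logs: Feb 19 16:38:35 6200 '
    'log-proxyd[935] Event|5209|LOG_INFO|CDTR|1|User mani logged in from 192.168.20.7 '
    'through SSH session.","decoder":{},"location":"/var/log/ODCSwitch.log"}',
    '{"id":"1739963321.1324652123","full_log":"Aruba-logs: Feb 19 16:38:39 SW2050 '
    'log-proxyd[935] Event|5211|LOG_INFO|CDTR|1|User mani logged out of SSH session '
    'from 192.168.20.7.","decoder":{},"location":"/var/log/ODCSwitch.log"}',
]

# PCRE approximations of the thread's OS_Regex patterns (assumption of this example).
# Wazuh's (\.+) stops at the first position where the rest of the pattern matches,
# so the non-greedy `.+?` is the closest Python equivalent.
PREMATCH = re.compile(r"Aruba-logs")
HOSTNAME = re.compile(r"Aruba-logs: \S+ \d+ \d+:\d+:\d+\s(\S+)\s")
LOGOUT = re.compile(r"User (.+?) (.+?) of (.+?) session from (.+?)\.?$")
LOGIN = re.compile(r"User (.+?) (.+?) from (.+?) through (.+?) session")


def decode(full_log: str) -> dict:
    """Fields the thread's Switch_Events decoders would extract; {} if prematch fails."""
    if not PREMATCH.search(full_log):
        return {}  # no "Aruba-logs:" prefix: the mismatch diagnosed in the thread
    fields = {}
    if m := HOSTNAME.search(full_log):
        fields["Hostname"] = m.group(1)
    if m := LOGOUT.search(full_log):
        # Wazuh stores the `user` order field as dstuser, hence $(dstuser) in the rules.
        fields.update(dstuser=m[1], event_message=m[2], console=m[3], ip=m[4])
    elif m := LOGIN.search(full_log):
        fields.update(dstuser=m[1], event_message=m[2], ip=m[3], console=m[4])
    return fields


def triage_archives(lines):
    """Per record: did the manager decode it, and what would these decoders yield?"""
    return [
        {"id": rec["id"], "manager_decoded": bool(rec.get("decoder")),
         "fields": decode(rec["full_log"])}
        for rec in map(json.loads, lines)
    ]


if __name__ == "__main__":
    for row in triage_archives(ARCHIVES):
        print(row)
```

A record with manager_decoded False but non-empty fields means the event reached the manager and would be decoded once the decoders above are loaded and the manager restarted.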

Mani Bharathi

Feb 25, 2025, 5:05:52 AM
to Wazuh | Mailing List
Hi Hasitha,

Thanks a lot for your support. My issue is resolved now.

Thanks!

hasitha.u...@wazuh.com

Feb 25, 2025, 6:44:08 AM
to Wazuh | Mailing List
Hi Mani,

I am glad that your issue has been resolved!

Regards,
Hasitha Upekshitha

MS Mum

Nov 6, 2025, 12:06:10 PM
to Wazuh | Mailing List
Hello!
I am facing the same issue. I am using the same last config as posted by Hasitha.

I can see the logs with sudo cat /var/ossec/logs/archives/archives.json
sudo cat /var/ossec/logs/archives/archives.json | grep "logged in"

switch6200 log-proxyd[799] Event|5209|LOG_INFO|CDTR|1|User UserX logged in from 10.x.x.x through SSH session.","predecoder":{"program_name":"log-proxyd","timestamp":"2025-11-06T14:43:29.415561+01:00"},"decoder":{},"location":"/var/log/aruba.log"}

But I don't see the log in the dashboard.

My log test doesn't work either.

sudo /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.0
Type one log per line

logged in

**Phase 1: Completed pre-decoding.
        full event: 'logged in'

**Phase 2: Completed decoding.
        No decoder matched.

Looking forward to your help.

Thanks