Multiple protocol syslog configuration


Robert A

Dec 1, 2022, 6:22:04 AM12/1/22
to Wazuh mailing list
Hello dear community, I've got a simple question, but it's not that straightforward to understand by reading the docs. They mention "configuration blocks", and it is not clear whether the docs mean <remote> or <protocol>.

I want to configure <remote> for syslog on both TCP and UDP.

Should the config look like this (2 x <protocol>):

<remote> 
  <connection>syslog</connection> 
  <port>514</port> 
  <protocol>tcp</protocol> 
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips> 
  <local_ip>192.168.1.5</local_ip> 
</remote>

Or this (2 x <remote> configs):

<remote> 
  <connection>syslog</connection> 
  <port>514</port> 
  <protocol>tcp</protocol> 
  <allowed-ips>192.168.1.0/24</allowed-ips> 
  <local_ip>192.168.1.5</local_ip> 
</remote>

<remote> 
  <connection>syslog</connection> 
  <port>514</port> 
  <protocol>udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips> 
  <local_ip>192.168.1.5</local_ip> 
</remote>

I'd appreciate your support, thanks :)

Andres Micalizzi

Dec 1, 2022, 6:48:08 AM12/1/22
to Wazuh mailing list
Hi Robert.
You can use one remote block with one protocol tag, and both protocols separated by a comma, like this:

<remote> 
  <connection>syslog</connection> 
  <port>514</port> 
  <protocol>tcp, udp</protocol> 
  <allowed-ips>192.168.1.0/24</allowed-ips> 
  <local_ip>192.168.1.5</local_ip> 
</remote>

For more details, you can check the Remote configuration reference, here.
I hope this helps you out. In case of any further doubt, do not hesitate to ask.
Cheers.

Robert A

Dec 1, 2022, 7:20:05 AM12/1/22
to Wazuh mailing list
Hey, are you sure? Because, as we read in the referenced doc, for <protocol> there is a note that: "For syslog connections, multiple protocols support require multiple configuration blocks since only one protocol per block is allowed." Does this place need an update, or should we separate these configurations?

Andres Micalizzi

Dec 1, 2022, 7:26:14 AM12/1/22
to Wazuh mailing list
Hi Robert.
That is correct, I seem to have missed that note. For secure communication they are separated by a comma; in the case of syslog, you will need two remote blocks, each with one protocol.
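The rule settled in this reply, one protocol per syslog <remote> block, is easy to get wrong by copying the comma-separated form that works for the secure connection. The following is an added example, not code from the thread or from Wazuh: it parses <remote> blocks out of a configuration fragment, flags syslog blocks that list more than one protocol, and expands such a block into one block per protocol. It assumes Python 3 with the standard ElementTree module and a fragment with a single <ossec_config> root (a real ossec.conf may contain several roots, which would need to be split first).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the single-block, comma-separated form first proposed in
# the thread. Assumes one <ossec_config> root (a real ossec.conf may have several).
SAMPLE_CONF = """<ossec_config>
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp, udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>
</ossec_config>"""


def parse_remotes(conf_xml):
    """Return each <remote> block as an ordered dict of tag -> text."""
    root = ET.fromstring(conf_xml)
    return [{c.tag: (c.text or "").strip() for c in r} for r in root.findall("remote")]


def protocols_of(block):
    """Split the <protocol> value on commas, normalised to lower case."""
    return [p.strip().lower() for p in block.get("protocol", "").split(",") if p.strip()]


def check_syslog_protocols(blocks):
    """Flag syslog blocks that list more than one protocol (one per block is allowed)."""
    return [
        f"remote block {i}: syslog accepts one protocol per block, got {protocols_of(b)}"
        for i, b in enumerate(blocks)
        if b.get("connection") == "syslog" and len(protocols_of(b)) > 1
    ]


def split_syslog_block(block):
    """Expand a multi-protocol syslog block into one identical block per protocol."""
    if block.get("connection") != "syslog":
        return [block]
    # Overriding an existing key keeps its position, so tag order is preserved.
    return [{**block, "protocol": p} for p in protocols_of(block)]


def render_remote(block):
    """Render a block back to the ossec.conf layout used in the thread."""
    body = [f"  <{tag}>{text}</{tag}>" for tag, text in block.items()]
    return "\n".join(["<remote>", *body, "</remote>"])


if __name__ == "__main__":
    blocks = parse_remotes(SAMPLE_CONF)
    for problem in check_syslog_protocols(blocks):
        print("PROBLEM:", problem)
    for b in blocks:
        for fixed in split_syslog_block(b):
            print(render_remote(fixed), end="\n\n")
```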

Robert A

Dec 1, 2022, 7:31:06 AM12/1/22
to Wazuh mailing list
All clear now, thanks for your time & help!
Cheers :) 
