Wazuh is refusing Rsyslog communication

Utkarsh Bhargava

unread,

Sep 29, 2022, 7:54:49 AM9/29/22

to 'Utkarsh Bhargava' via Wazuh mailing list

Hi Community,

Wazuh Manager is refusing Rsyslog connection. Following are the errors that I am facing from my Rsyslog :

Sep 29 10:53:12 ip-172-31-93-42 rsyslogd[14935]: cannot connect to 192.168.1.150:514: Connection refused [v8.2001.0 try https://www.rsyslog.com/e/2027 ]

Sep 29 10:53:12 ip-172-31-93-42 rsyslogd[14935]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v>

Sep 29 10:53:12 ip-172-31-93-42 rsyslogd[14935]: cannot connect to 192.168.1.150:514: Connection refused [v8.2001.0 try https://www.rsyslog.com/e/2027 ]

Sep 29 10:53:12 ip-172-31-93-42 rsyslogd[14935]: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), next retry is Thu Sep 29 10:53:42 2022, retry nbr 0. There should be messages before t>

Sep 29 10:59:10 ip-172-31-93-42 rsyslogd[14935]: cannot connect to 192.168.1.150:514: Connection refused [v8.2001.0 try https://www.rsyslog.com/e/2027 ]

Here's my Wazuh syslog configuration :

<connection>syslog</connection>

<allowed-ips>192.168.1.141/32</allowed-ips>

<local_ip>127.0.0.1</local_ip>

</remote>

I am unable to understand why Wazuh is refusing the communication, I have disabled firewall on both the machines.

still something is blocking the communication.

Jorge Eduardo Molas

unread,

Sep 29, 2022, 8:25:08 AM9/29/22

to Wazuh mailing list

Hi Utkarsh! Thanks for using Wazuh. I'm working on your question. I'll get back as soon as possible.

Utkarsh Bhargava

unread,

Sep 29, 2022, 8:37:32 AM9/29/22

to Jorge Eduardo Molas, Wazuh mailing list

Thank you so much,

I am waiting for your response.

On Sep 29 2022, at 5:55 pm, Jorge Eduardo Molas <jorge...@wazuh.com> wrote:

Hi Utkarsh! Thanks for using Wazuh. I'm working on your question. I'll get back as soon as possible.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0f17abeb-9ef0-436e-be4c-f52d71f99b8an%40googlegroups.com.

Utkarsh Bhargava

unread,

Sep 29, 2022, 8:54:43 AM9/29/22

to Jorge Eduardo Molas, Wazuh mailing list

I am using the latest version of wazuh that is Wazuh 4.3.8

I am trying to send the attached json log file via syslog but as you know it's not working.

I also try to configure the same logfile on wazuh manager but manager is not processing these logs.

I have already created the decoders and alert rules for the same logs also enabled log all option still no luck.

it's been a week I am trying to deal with this problem but no luck till now.

Hope I am gonna receive some help from the community.

regards

vcn_flow_logs.zip

Jorge Eduardo Molas

unread,

Sep 29, 2022, 9:10:51 AM9/29/22

to Wazuh mailing list

Sorry for the delay. To start to debug your problem. Did you check if the port (514) is opened on Manager? If not, try to run the following command ss -tulnp | grep "rsyslog"

Utkarsh Bhargava

unread,

Sep 30, 2022, 2:17:30 AM9/30/22

to Jorge Eduardo Molas, Wazuh mailing list

Hi Jorge,

I just checked Port 514 is not open on Wazuh Manager.

Although I have configured it properly inside ossec.conf file.

Please let me know how to open port 514 for the wazuh manager.

regards

Sent from Mailspring, the best free email app for work

On Sep 29 2022, at 6:40 pm, Jorge Eduardo Molas <jorge...@wazuh.com> wrote:

Sorry for the delay. To start to debug your problem. Did you check if the port (514) is opened on Manager? If not, try to run the following command ss -tulnp | grep "rsyslog"

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/680abaf7-57e7-456e-9e76-f325e5f82ca2n%40googlegroups.com.

Jorge Eduardo Molas

unread,

Sep 30, 2022, 4:39:17 AM9/30/22

to Wazuh mailing list

Hi!

I suggest you check these steps.
1. It's already rsyslog installed on Manager?

Try to execute systemctl status rsyslog.service

2. If rsyslog is installed. Is configured to receive logs from your network?

Check /etc/rsyslog.conf on the Wazuh manager machine:

# --> Starts the TCP server <---

$ModLoad imtcp
$InputTCPServerRun 514

Regards!

Utkarsh Bhargava

unread,

Sep 30, 2022, 7:16:40 AM9/30/22

to Jorge Eduardo Molas, Wazuh mailing list

I checked Rsyslog is there and the following configuration is also present inside the rsyslog.conf file :

$ModLoad imtcp

$InputTCPServerRun 514

I rechecked Wazuh Rsyslog status by running the command : ss -tulnp | grep "rsyslog"

but it was blank.

On Sep 30 2022, at 2:09 pm, Jorge Eduardo Molas <jorge...@wazuh.com> wrote:

Hi!
I suggest you check these steps.
1. It's already rsyslog installed on Manager?
Try to execute systemctl status rsyslog.service
2. If rsyslog is installed. Is configured to receive logs from your network?
Check /etc/rsyslog.conf on the Wazuh manager machine:
# --> Starts the TCP server <---
$ModLoad imtcp
$InputTCPServerRun 514
Regards!

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f62777fe-f73c-4a3c-a231-da93cd8d8b62n%40googlegroups.com.

Reply all

Reply to author

Forward