syslog initial setup


Fuldatal IT

Nov 7, 2023, 7:37:25 AM
to Wazuh | Mailing List
Hello all, new here and trying to get syslog sent from a Sophos firewall to Wazuh.
I have set up Sophos accordingly to. Now I need the Wazuh side. I have configured ossec.conf with a <remote> for syslog.
Am I right in thinking I still need an agent set up to which these events are pinned?
I just don't see how I can actually find the syslog events from the Sophos in the Wazuh dashboard.

Any pointers in the right direction would be a great help!

Regards
Chris

Nicolas Alejandro Bertoldo

Nov 7, 2023, 8:11:51 AM
to Wazuh | Mailing List
Hi Chris,

I hope you are doing fine!
You do not need to install Wazuh agent. The Wazuh server can collect logs via syslog from endpoints such as firewalls, switches, routers, and other devices that don’t support the installation of Wazuh agents. 
In the following link you will find information on how to set it up: Configuring syslog on the Wazuh server.

I hope this helps. Let me know if you have any further questions.
Regards 

Fuldatal IT

Nov 8, 2023, 3:00:21 AM
to Wazuh | Mailing List
Hello Nicolas,

Thanks for the reply. I had found that link and used it to configure the Wazuh side.
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>internal ip of the sophos firewall</allowed-ips>
  </remote>

Since syslog is UDP by standard and Sophos does not allow choosing TCP, I set it to UDP on Wazuh.

On the Sophos side, I have configured the syslog server to be the Wazuh.

Now how can I actually see if Wazuh is getting events from the Sophos and if these are decoded for Sophos XGS?

regards
Chris

Nicolas Alejandro Bertoldo

Nov 8, 2023, 10:21:31 AM
to Wazuh | Mailing List
Hi Chris,

You could check if the events are reaching your manager by enabling logall_json. This will make your manager store a copy of every event it receives in its file /var/ossec/logs/archives/archives.json
Restart the manager, and then search for your events there:

 cat /var/ossec/logs/archives/archives.log | grep "IP_of_your_device"

Please let me know how it went.
Regards
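As an added illustration of the check Nicolas describes (not code from the thread or from the Wazuh project): once logall_json is enabled, each line of archives.json is one JSON object, and reading it with a small script answers both of Chris's questions at once, whether any events arrived from the firewall's IP and whether a decoder claimed them. The script assumes that syslog events received by the manager carry the sender's IP in the "location" field and the matched decoder in "decoder.name"; the sample lines, IP addresses and decoder names below are constructed for the example, not taken from a real manager.

```python
import json
from collections import Counter

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json
# (one JSON object per line). The IPs, hostnames, decoder names and log text
# are made up; the field names follow the manager's usual JSON layout.
SAMPLE_ARCHIVES = r'''
{"timestamp":"2023-11-09T08:00:01.000+0000","location":"192.0.2.10","full_log":"device=\"SFW\" log_type=\"Firewall\" log_subtype=\"Allowed\" src_ip=10.0.0.5 dst_ip=203.0.113.7","decoder":{"name":"sophos-xg"},"agent":{"id":"000","name":"wazuh-manager"}}
{"timestamp":"2023-11-09T08:00:02.000+0000","location":"192.0.2.10","full_log":"device=\"SFW\" log_type=\"Firewall\" log_subtype=\"Denied\" src_ip=10.0.0.9 dst_ip=203.0.113.7","decoder":{"name":"sophos-xg"},"agent":{"id":"000","name":"wazuh-manager"}}
{"timestamp":"2023-11-09T08:00:03.000+0000","location":"192.0.2.10","full_log":"<14>Nov  9 08:00:03 sfw free-form text that no decoder recognises","decoder":{},"agent":{"id":"000","name":"wazuh-manager"}}
{"timestamp":"2023-11-09T08:00:04.000+0000","location":"/var/log/syslog","full_log":"Nov  9 08:00:04 wazuh-manager sshd[1234]: Accepted publickey for ops","decoder":{"name":"sshd"},"agent":{"id":"000","name":"wazuh-manager"}}
this line is not JSON and must be skipped rather than crash the report
'''


def parse_archives(text):
    """Parse archives.json content; return (events, count_of_unparseable_lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # a partially written or rotated line; count it, keep going
    return events, bad


def events_from_device(events, device_ip):
    """Select events whose 'location' is the sending device's IP (assumed layout)."""
    return [e for e in events if e.get("location") == device_ip]


def decoder_summary(events):
    """Count which decoder claimed each event; '(none)' means nothing matched."""
    counts = Counter()
    for e in events:
        counts[e.get("decoder", {}).get("name") or "(none)"] += 1
    return counts


def report(text, device_ip):
    """Answer: did anything arrive from device_ip, and was it decoded?"""
    events, bad = parse_archives(text)
    from_device = events_from_device(events, device_ip)
    decoders = decoder_summary(from_device)
    return {
        "total_events": len(events),
        "unparseable_lines": bad,
        "from_device": len(from_device),
        "undecoded": decoders.get("(none)", 0),
        "decoders": dict(decoders),
    }


if __name__ == "__main__":
    import sys
    # Usage: python archives_check.py <device_ip> [/var/ossec/logs/archives/archives.json]
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ARCHIVES
    result = report(text, ip)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-zero "from_device" count confirms the <remote> block and the firewall's syslog target are working; a large "(none)" share under "decoders" means the events arrive but are not yet being decoded, which is the next thing to look at before expecting them in the dashboard.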

Fuldatal IT

Nov 9, 2023, 12:07:22 AM
to Wazuh | Mailing List

Hi Nicolas,

I now have it working so that in archives.log I see the incoming Sophos syslog entries.

Now I will start wrapping my head around how to get the events properly decoded and visualised 😊

 Thanks again for the help!

regards

Chris
