Monitoring Firewall with Wazuh


Jonathan G.

Jan 3, 2023, 8:41:18 AM1/3/23
to Wazuh mailing list
Hello and happy new year!

I'm trying to do firewall monitoring with Wazuh, but Wazuh doesn't receive the syslog...
Can someone help me?

Here is the configuration in ossec.conf:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
     [....]
  </global>
 
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>FIREWALL_IP</allowed-ips>
    <local_ip>WAZUH_IP</local_ip>
  </remote>
 
  [....]
</ossec_config>


This command gives no result: tail -f /var/ossec/logs/archives/archives.json | grep FIREWALL_IP

Here is the result of the command: netstat -tulnp | grep 514

tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      123560/wazuh-remote
udp        0      0 WAZUH_IP:514      0.0.0.0:*                           123561/wazuh-remote


Here is the result of the command: cat /var/ossec/logs/ossec.log | grep 514

2023/01/03 10:40:12 wazuh-remoted: INFO: Started (pid: 121352). Listening on port 1514/TCP (secure).
2023/01/03 10:40:12 wazuh-remoted: INFO: Started (pid: 121353). Listening on port 514/UDP (syslog).


Here is the result of the command: tcpdump -i any port 514 -AA

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

0 packets captured
1 packet received by filter
0 packets dropped by kernel


I think the problem is that wazuh-remote does not listen on the port, but I don't know how to switch it to "listen".

If someone can help me, it would be greatly appreciated!
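
The checks in this post, as an added example in Python that is not code from the original post or from Wazuh: it parses `netstat -tulnp` output to confirm which address wazuh-remoted has bound on 514/UDP, builds an RFC 3164 test datagram shaped like a firewall log line, and delivers it over loopback to a local UDP socket, applying an allowed-ips filter the way `<allowed-ips>` does. The netstat sample, the 192.0.2.10 address (standing in for WAZUH_IP), the hostname, tag and facility values are constructed placeholders.

```python
import re
import socket

# Constructed sample in the shape of the thread's `netstat -tulnp | grep 514` output.
# 192.0.2.10 is a documentation address standing in for WAZUH_IP.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      123560/wazuh-remote
udp        0      0 192.0.2.10:514          0.0.0.0:*                           123561/wazuh-remote
"""

# proto, recv-q, send-q, local ip:port, foreign addr, optional LISTEN state, pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>\S+)\s+\d+\s+\d+\s+(?P<ip>\S+):(?P<port>\d+)\s+\S+\s+(?:LISTEN\s+)?(?P<proc>\S+)\s*$"
)


def find_syslog_listener(netstat_output, port=514, proto="udp"):
    """Return (bind_ip, pid/program) of the socket bound on proto/port, or None if nothing listens."""
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group("proto") == proto and int(m.group("port")) == port:
            return m.group("ip"), m.group("proc")
    return None


def syslog_pri(facility, severity):
    """RFC 3164 priority value: facility * 8 + severity."""
    return facility * 8 + severity


def build_syslog_message(facility, severity, hostname, tag, msg, timestamp="Jan  3 10:40:12"):
    """Build a BSD-syslog (RFC 3164) datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}".encode()


SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_syslog_message(data):
    """Split a received RFC 3164 datagram into its fields; None if it does not match the format."""
    m = SYSLOG_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
        "hostname": m.group(3), "tag": m.group(4), "msg": m.group(5),
    }


def loopback_delivery_check(allowed_ips=("127.0.0.1",), timeout=2.0):
    """Send one constructed firewall-style datagram to a local UDP socket and report what arrives.

    This imitates the path firewall -> 514/udp -> wazuh-remoted on the loopback interface:
    the allowed_ips filter plays the role of <allowed-ips> (remoted drops datagrams from
    other sources), and a receive timeout corresponds to tcpdump's "0 packets captured".
    An ephemeral port is used so the check needs no root and never collides with a real remoted.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        # facility 16 = local0, severity 6 = info; hostname and tag are constructed values
        probe = build_syslog_message(16, 6, "fw-sn310", "stormshield", "wazuh syslog delivery test")
        sender.sendto(probe, ("127.0.0.1", port))
        try:
            data, (src_ip, _) = listener.recvfrom(65535)
        except socket.timeout:
            return {"delivered": False, "accepted": False, "reason": "no datagram received"}
    finally:
        listener.close()
        sender.close()
    if src_ip not in allowed_ips:
        return {"delivered": True, "accepted": False, "reason": f"{src_ip} not in allowed-ips"}
    return {"delivered": True, "accepted": True, "event": parse_syslog_message(data)}


if __name__ == "__main__":
    print("514/udp listener:", find_syslog_listener(NETSTAT_SAMPLE))
    print("loopback probe:", loopback_delivery_check())
```

Read together with the outputs above: the netstat and ossec.log lines already show remoted bound on 514/UDP, and the loopback probe exercises the same receive-and-filter path, so when both succeed while `tcpdump -i any port 514` still shows 0 packets captured, the datagrams are not reaching the host at all and the problem is on the sender or the network path, not in wazuh-remoted.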

Jeremias Ignacio Posse

Jan 3, 2023, 10:46:17 AM1/3/23
to Wazuh mailing list
Hello Jonathan, happy new year, and thanks for using Wazuh!
Could you give me more information about the brand of firewall you are trying to use? Here you can find a guide to what you have already configured; we would just check that your firewall is using the same port and configuration as wazuh-remote.

Greetings.

Jonathan G.

Jan 11, 2023, 7:59:08 AM1/11/23
to Wazuh mailing list
Hello Jeremias,

It's a Stormshield SN310 and Stormshield SN-M-720.
Yes, I have configured my firewall to send syslog to port 514 (UDP).

Sorry for late reply.

Jonathan G.

Jan 12, 2023, 2:37:24 AM1/12/23
to Wazuh mailing list
Hello,

I found the problem; it was on the firewall. The "syslog sending profile" has an ID, and it was not the right ID that was active.
Now everything is OK and I have to work on the decoder and rules.

Thanks!