Eset Cloud Integration Wazuh


TheLotus 24

Jun 26, 2024, 10:37:21 AM
to Wazuh | Mailing List
I am making the configuration so that the eset Cloud syslog goes to my Wazuh, how do I so that Wazuh can receive those logs?

TheLotus 24

Jun 26, 2024, 11:09:13 AM
to Wazuh | Mailing List
Captura de pantalla 2024-06-26 100725.png

Cedrick Foko

Jul 1, 2024, 6:17:43 AM
to Wazuh | Mailing List
Hello,

You can use Rsyslog for this purpose. You should follow the process below:

  1. Deploy a Linux endpoint and deploy wazuh-agent on it.

  2. Install rsyslog on your agent:
    yum install rsyslog for RHEL.
    apt-get install rsyslog for Ubuntu.

  3. Configure ESET to send logs to Wazuh agent via Rsyslog

  4. Configure rsyslog to forward logs received from ESET to a specific log file.
    Edit the /etc/rsyslog.conf file and add TCP or UDP setting:
    -For TCP:
    $ModLoad imtcp
    $InputTCPServerRun <PORT>


    -For UDP:
    $ModLoad imudp
    $UDPServerRun <PORT>


    Then, add the following lines to forward events to a file:
    # Storing Messages from a Remote System into a specific File
    if $fromhost-ip startswith 'xxx.xxx.xxx.' then /var/log/<file_name.log>
    & ~

    Replace the xxx.xxx.xxx by the first three digits of the IP address of the network where ESET is deployed.

  5. Configure the agent to read the syslog output file by editing /var/ossec/etc/ossec.conf:
    <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/<file_name.log></location>
    </localfile>

  6. Restart the rsyslog and wazuh-agent service:
    systemctl restart rsyslog
    systemctl restart wazuh-agent

Your agent will now receive the logs from ESET and send them to Wazuh manager via the logcollector.

Reference: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

You may need to create custom decoders and rules for your logs. You can find how to create custom rules and decoders in our documentation: 
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

I hope you find this helpful. 
Please don't hesitate to ask if you need further assistance here.



TheLotus 24

Jul 4, 2024, 6:11:42 PM
to Wazuh | Mailing List
But I am using a cloud service, I will not be able to get the 3 digits of the IP.

Cedrick Foko

Jul 8, 2024, 11:19:37 AM
to Wazuh | Mailing List
Hello,

Once you have configured ESET Cloud to send logs to your syslog server, you can use tcpdump to visualize the network traffic entering your syslog server. 
You may be able to identify the source IP/domain name of the logs. You can then use that information in the syslog configuration.

You can also configure your manager to receive the logs (without any intermediary agent) as explained in our documentation: Configuring syslog on the Wazuh server - Log data collection, but you will still need to set the source IP/domain name of the logs in the <allowed-ips> tag.

I hope this helps.
Please don't hesitate to ask if you need any further help here.

TheLotus 24

Jul 8, 2024, 4:30:15 PM
to Wazuh | Mailing List
Hello, thank you for responding, I just added the IPs that ESET gives according to the documentation.

But I don't see the logs that will be generated in eset.

Captura de pantalla 2024-07-08 152834.png

Cedrick Foko

Jul 11, 2024, 7:17:26 AM
to Wazuh | Mailing List

Hello,

After setting the configuration from both sides, you need to:
  1. Check the network packets coming into your manager to make sure the packets are being received from the Eset Cloud. You can use tcpdump for that.
  2. If the packets sent from Eset Cloud are received by the manager, enable the logall_json option in the manager's configuration and restart the wazuh-manager service to see the log format in the /var/ossec/logs/archives/archives.json file.
  3. Create custom decoders and custom rules for your log.

If the packets are not received by the manager, you may need to check your configurations again:
  • According to Eset documentation, the transport is secured with TLS protocol. In that case, the value for <connection> tag in wazuh configuration should be secure as explained here
  • The syslog server IP address configured in ESET should be a globally routable IP address. You should ensure that you use a public IP address for your manager and that it is reachable on the configured port.
Once you are able to see the logs in archives.json, you can share the logs here and I'll help you with the decoders and rules.

Looking forward to your comments.
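To tie the two approaches in this thread together (the agent-side rsyslog receiver with its <localfile> block from the first reply, and the manager-side <remote> syslog block with <allowed-ips> from the later replies), here is an added Python helper that renders those configuration fragments with input validation; it is example code written for this thread, not Wazuh's or the posters' own code. The 203.0.113.x and 198.51.100.x addresses, port 514 and /var/log/eset.log are constructed sample values, not ESET's real sender addresses.

```python
import ipaddress
import re
from xml.sax.saxutils import escape

def valid_port(port):
    """True for a usable TCP/UDP port number."""
    return isinstance(port, int) and 1 <= port <= 65535

def valid_source_prefix(prefix):
    """True when prefix is one to three whole leading octets ending in a dot,
    so a filter on '10.1.' cannot silently match senders in 10.10.0.0/16."""
    return re.fullmatch(r"(\d{1,3}\.){1,3}", prefix) is not None

def rsyslog_receiver_conf(protocol, port, source_prefix, logfile):
    """/etc/rsyslog.conf fragment for the agent host, in the legacy directive
    syntax used in the thread: listen on port, write events whose sender address
    starts with source_prefix to logfile, and discard the rest ('& ~')."""
    if not valid_port(port) or not valid_source_prefix(source_prefix):
        raise ValueError("bad port or source prefix")
    if protocol == "tcp":
        listener = f"$ModLoad imtcp\n$InputTCPServerRun {port}\n"
    elif protocol == "udp":
        listener = f"$ModLoad imudp\n$UDPServerRun {port}\n"
    else:
        raise ValueError("protocol must be 'tcp' or 'udp'")
    return (listener
            + "# Storing Messages from a Remote System into a specific File\n"
            + f"if $fromhost-ip startswith '{source_prefix}' then {logfile}\n"
            + "& ~\n")

def agent_localfile_conf(logfile):
    """<localfile> block for the agent's ossec.conf so logcollector reads the file."""
    return ("<localfile>\n  <log_format>syslog</log_format>\n"
            f"  <location>{escape(logfile)}</location>\n</localfile>\n")

def manager_remote_conf(port, protocol, allowed_ips):
    """<remote> block for the manager-side alternative (no intermediary agent).
    Each allowed_ips entry must parse as an address or CIDR network and the list
    may not be empty: the manager only accepts syslog from listed senders."""
    if not valid_port(port) or protocol not in ("tcp", "udp") or not allowed_ips:
        raise ValueError("bad port, protocol or empty allowed_ips")
    nets = [ipaddress.ip_network(ip, strict=False) for ip in allowed_ips]  # ValueError on junk
    lines = ["<remote>", "  <connection>syslog</connection>",
             f"  <port>{port}</port>", f"  <protocol>{protocol}</protocol>"]
    for net in nets:
        entry = str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
        lines.append(f"  <allowed-ips>{entry}</allowed-ips>")
    lines.append("</remote>")
    return "\n".join(lines) + "\n"
```

Call rsyslog_receiver_conf("tcp", 514, "203.0.113.", "/var/log/eset.log") and manager_remote_conf(514, "tcp", ["203.0.113.7", "198.51.100.0/24"]) to see the two fragments; a prefix without its trailing dot or an unparsable allowed-ips entry is rejected before anything is written.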