Configurar syslog

[sv1c0m]

Hola,

Me gustaría configurar el wazuh como syslog para recolectar logs de varios servidores. ¿Para realizar esto que pasos debo seguir? Tengo que configurar un servidor donde colectar todos estos logs de los servidores y después enviarlos a wazuh o lo puedo configurar directamente en wazuh?

¿Cúal es la mejor opción y como debería hacerlo?

Muchas gracias.

Un saludo.

[Alejandro Ruiz Becerra]

Buenos días. 

Gracias por usar Wazuh. Si no te importa, vamos a continua el hilo en inglés de forma que sea comprensible para el resto de la comunidad, y pueda ayudar a otros usuarios.

- - - - - 

I understand that you need to configure SYSLOG on several servers. To do this, you have 2 options:

1. Using syslog. Configure the Wazuh Agents to read the log file specified. Continue reading here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#log-collection
2. using Rsysog. Configure the Wazuh Manager to listen on a port for a rsyslog connections: Continue reading here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

I hope this helps.

Don't hesitate to ask me any doubt or question you might have.

Regards,

Alex

[sv1c0m]

Hi,

Thank you for your help, I have configured the Wazuh Manager to listen on a port for rsyslog connections with UDP port. I checked the wazuh logs but it says that the remote Syslog is not configured.

I send you a picture to view the logs.

Thank you!

Regards.

[Alejandro Ruiz Becerra]

Hello again

For the look of the logs, I'd say that Rsyslog is not installed or configured properly on the servers.

Please double-check that Rsyslog is installed and configured on the monitored servers by following this blog post: https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/

The first step, which is to configure Wazuh, is already done, you'll need to move to the "Configure Rsyslog" step now.

Regards,

Alex

[sv1c0m]

Hello!

Thank you!! I had not installed the Rsyslog.

I have another query, where can I see the Syslog logs in the dashboard? In which tab?

Regards!

[Alejandro Ruiz Becerra]

Hello again!!

Glad it worked! Great news.

The syslogs themselves cannot be seen on the Dashboard, instead, the alerts triggered by these logs are shown.

As described on the blog post I share with you previously, Wazuh receive the remote logs and analyze them, generating alerts from them if any rule matches.

You can continue reading on https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#analysis for a wider explanation on how it works.

If you need or want to have the remote logs stored on your main Wazuh server, you'll need to configure Rsyslog differently,  by installing Rsyslog on the Wazuh server too and configuring it on the /etc/rsyslog.conf, and then configuring Wazuh to read from a local file.

For this task, use the following documentation:

• https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog
  
• https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux
  

I hope it helps.

If you have any other doubt or issue, please let me know.

Regards,

Alex