Hi,
1. Cisco Logs Not Received on Wazuh Manager
I hope you are receiving other logs from the Cisco device on the Wazuh manager. Based on your syslog configuration, it appears to be correct. Please ensure that the same protocol (UDP/TCP) is configured on the Cisco device.
If you're receiving other logs but not SSH logs, the issue may be with the SSH log forwarding configuration on the Cisco device. Verify that SSH-related logs are correctly configured to be sent to the Wazuh manager. You can refer to the official Cisco documentation for guidance on SSH log forwarding.
If no logs at all are being received from the Cisco device, run the following command on the Wazuh manager to check for incoming traffic:
Replace <cisco-device-ip> with the actual IP address of your Cisco device. This will help confirm whether logs are reaching the Wazuh manager.
Also, make sure:
Port 514 is open on the Wazuh manager.
There is no firewall or network-level block between the devices.
Yes, it is possible to forward alerts from the Wazuh manager to a syslog listener server. Wazuh supports syslog output for sending alerts to external syslog servers.
Important Note:
You can only forward alerts (i.e., events that match a rule with level >= 3) via syslog. The raw logs stored in archives.log or archives.json cannot be forwarded via syslog directly.
Based on your shared syslog_output configuration, Wazuh will forward only alerts with level 3 or higher to the specified syslog server. You can refer to the Wazuh syslog integration documentation for more details.
If you need to forward all ingested logs, including archived ones, consider integrating Logstash with Wazuh. You can refer to the Wazuh + Elastic Stack integration documentation for more information on using Logstash to forward logs.
In Wazuh, the only direct way to confirm whether an event was analyzed and triggered an alert is to search for it in the Wazuh dashboard.
Alerts will only appear in the dashboard if there is a rule defined with level 3 or above that matches the event.
If there is no decoder or rule for the event, it will not appear in the alerts panel. In this case, check the event in the archives.json file to confirm whether it was ingested by the Wazuh manager.
If you're running a multi-node Wazuh manager setup (e.g., 3 nodes), ensure you check the archives.json file on all nodes to confirm ingestion.
You can refer to the Wazuh documentation on archives for more information on accessing and interpreting archived logs.
Also, I recommend that you refer to the Wazuh server cluster documentation to learn more about high availability.
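As an added example (not from the original post and not Wazuh's own tooling), here is a small Python triage of archives.json lines that reports where each event will surface according to the level-3 rule described above, plus a per-node variant for a multi-node manager. The archives.json field layout (rule, decoder, full_log, location) is an assumption, and the sample lines are constructed.

```python
import json
from collections import Counter
# Only events that matched a rule at this level or above are written to alerts
# and shown in the dashboard; everything else exists only in archives.json.
ALERT_LEVEL_THRESHOLD = 3
# Constructed sample archives.json lines (assumed field layout, not real manager output).
SAMPLE_ARCHIVES = """\
{"timestamp":"2024-05-01T10:00:01.000+0000","location":"192.0.2.10","decoder":{"name":"cisco-ios"},"rule":{"level":3,"id":"4721","description":"Cisco IOS: login success"},"full_log":"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.50] [localport: 22]"}
{"timestamp":"2024-05-01T10:00:02.000+0000","location":"192.0.2.10","decoder":{"name":"cisco-ios"},"rule":{"level":0,"id":"4700","description":"Cisco IOS messages grouped"},"full_log":"%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.20 port 514 started"}
{"timestamp":"2024-05-01T10:00:03.000+0000","location":"192.0.2.10","decoder":{"name":"cisco-ios"},"full_log":"%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up"}
{"timestamp":"2024-05-01T10:00:04.000+0000","location":"192.0.2.10","full_log":"SSH2 Session request from 192.0.2.50 (tty = 0) using crypto cipher 'aes256-ctr'"}
not json at all
"""

def classify_event(event):
    """Map one archives.json record to where it will (or will not) surface."""
    rule = event.get("rule") or {}
    decoder = event.get("decoder") or {}
    if rule.get("level", -1) >= ALERT_LEVEL_THRESHOLD:
        return "alert"                 # written to alerts, visible in the dashboard
    if rule:
        return "rule_below_threshold"  # matched a rule, but never shown as an alert
    if decoder.get("name"):
        return "decoded_no_rule"       # a decoder parsed it, no rule matched
    return "undecoded"                 # ingested, but no decoder or rule matched

def triage_archives(lines, needle=None):
    """Count events by category and return records whose full_log contains needle."""
    counts, matches = Counter(), []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1
            continue
        category = classify_event(event)
        counts[category] += 1
        if needle and needle in event.get("full_log", ""):
            matches.append({"line": lineno, "category": category,
                            "location": event.get("location"),
                            "rule_id": (event.get("rule") or {}).get("id")})
    return counts, matches

def triage_nodes(node_lines, needle=None):
    """Run the triage per manager node (e.g. a 3-node cluster), keyed by node name."""
    return {node: triage_archives(lines, needle) for node, lines in node_lines.items()}
```

Feed it the archives.json lines from every node and search for a value from the missing event (here the source IP) to see whether the event was ingested at all and whether it could ever have become an alert.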