Steps to add CISCO ISR 4331 Network Device into wazuh


Sushant Pansare

Jan 2, 2025, 1:20:34 AM1/2/25
to Wazuh | Mailing List
Hello Team,

We have setup a test environment of Wazuh using OVA setup; our aim is to first confirm compatibility of this solution with our devices.
We have added 2 Windows servers and now want to add our Cisco ISR router to send logs to Wazuh.

Please provide detailed steps from start to end.

hasitha.u...@wazuh.com

Jan 2, 2025, 2:04:30 AM1/2/25
to Wazuh | Mailing List
Hi @Sushant,

Wazuh can receive logs from agentless devices by configuring syslog.
Alternatively, you can install the Wazuh agent on a Linux device, configure rsyslog there, and then collect the logs from a log file.

With the first option, the logs are received directly by the Wazuh manager.
First option:
Add the following configuration between the <ossec_config> tags of the Wazuh server's /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
You can learn more about how to configure this and about the details of each tag here.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

Once you have configured syslog in ossec.conf, you can verify that logs are reaching the manager by enabling the archive log.
To do that, enable the archive log by editing the /var/ossec/etc/ossec.conf file.

  <ossec_config>
    <global>
      ----
      <logall>no</logall>
      <logall_json>yes</logall_json>

      -----
    </global>

    -----
  </ossec_config>

Then check whether you receive logs from the Cisco ISR router.
cat /var/ossec/logs/archives/archives.json | grep -i -E "<part of your router log>"

If yes, then you need to create custom decoders and rules to extract and match your logs.
You can learn more about custom decoders and rules from the following documents.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Second option:
You can install the agent on the endpoint, collect the logs with rsyslog, and specify the log file path in the agent's ossec.conf.
Agent install: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
Rsyslog configuration: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

You have to modify the location and the log_format to match your setup. You need to add this configuration to the monitored wazuh-agent's ossec.conf file.

nano /var/ossec/etc/ossec.conf

  <localfile>
    <location>/<FILE_PATH>/file.log</location>
    <log_format>syslog</log_format>
  </localfile>
Then restart the agent
systemctl restart wazuh-agent
For more details you can refer to: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html#configuration-for-monitoring-log-files

Let me know if this helps.

Regards,
Hasitha Upekshitha
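As an added example (not part of the thread above or of Wazuh's own tooling), the script below performs the archive check from the first option programmatically: it scans archives.json lines for events whose syslog sender is the router, and pre-parses the Cisco IOS "%FACILITY-SEVERITY-MNEMONIC:" marker into the fields a custom decoder would later extract. The archive lines are constructed for the example, the "location"/"full_log" field layout is assumed from what the manager writes for agentless syslog sources, and 192.168.2.15 is simply the router address used in the thread's configuration.

```python
"""Verify that Cisco IOS syslog messages from an ISR have reached the Wazuh
manager (archives.json) and pre-parse them the way a custom decoder would.

Added example; the archive content below is constructed, not captured.
"""
import json
import re

# Cisco IOS message body marker: "%FACILITY-SEVERITY-MNEMONIC: free text"
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Syslog severity numbers as used in the Cisco marker
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debugging",
}

# Constructed archives.json content, one JSON object per line. The field
# layout (timestamp/location/full_log) is assumed; for agentless syslog the
# manager puts the sender's IP in "location". 192.168.2.15 is the router
# address from the thread's <allowed-ips> example.
SAMPLE_ARCHIVE = "\n".join([
    json.dumps({
        "timestamp": "2025-01-02T01:20:34.000+0000",
        "location": "192.168.2.15",
        "full_log": "Jan  2 01:20:34 192.168.2.15 1021: *Jan  2 01:20:33.901: "
                    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.20)",
    }),
    json.dumps({
        "timestamp": "2025-01-02T01:21:10.000+0000",
        "location": "192.168.2.15",
        "full_log": "Jan  2 01:21:10 192.168.2.15 1022: *Jan  2 01:21:09.512: "
                    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
                    "[Source: 192.168.2.77] [localport: 22] [Reason: Login Authentication Failed]",
    }),
    json.dumps({
        "timestamp": "2025-01-02T01:21:30.000+0000",
        "location": "(WIN-SRV01) 192.168.2.30->EventChannel",
        "full_log": "not a router message",
    }),
    "this line is not valid json",  # archives.json can be mid-write
])


def parse_cisco(full_log):
    """Extract facility, severity and mnemonic from a Cisco IOS message.
    Returns None when the line carries no %FAC-SEV-MNEMONIC marker."""
    m = CISCO_MSG.search(full_log)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def find_router_events(archive_text, router_ip):
    """Return parsed Cisco events from archives.json text whose syslog sender
    ("location") is router_ip. Malformed lines and events from other sources
    are skipped, which mirrors the grep check from the thread."""
    events = []
    for line in archive_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("location") != router_ip:
            continue
        parsed = parse_cisco(entry.get("full_log", ""))
        if parsed:
            parsed["timestamp"] = entry.get("timestamp")
            events.append(parsed)
    return events


if __name__ == "__main__":
    # On a real manager, read /var/ossec/logs/archives/archives.json instead
    for ev in find_router_events(SAMPLE_ARCHIVE, "192.168.2.15"):
        print(f"{ev['timestamp']} {ev['facility']}-{ev['severity_name']}-"
              f"{ev['mnemonic']}: {ev['text']}")
```

If the function returns an empty list on the real archive, the syslog path (allowed-ips, port, protocol, or the router's logging host setting) is the first thing to re-check; once events show up, the facility/severity/mnemonic fields are exactly the ones to capture in the custom decoder and to key the rules on.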