Build a syslog collector server


Tuaans Anh

Jul 18, 2023, 10:16:51 PM
to Wazuh mailing list
Hi,
I want to build a syslog collector to receive the logs from agents; after that, the collector will send all the logs to the manager.
How can I do that, on both Windows and Linux?
Thanks!

Abdullah Al Rafi Fahim

Jul 18, 2023, 10:54:36 PM
to Wazuh mailing list
Hello Tuaans,

Wazuh agents can run on a wide range of operating systems, but when it is not possible due to software incompatibilities or business restrictions, you can forward syslog events to your environment. This is a common use case for network devices such as routers or firewalls. Here is the official documentation on how you can build a syslog server to collect logs from different devices/sources:
However, the wazuh-agent service/software is not capable of forwarding logs to destinations other than wazuh-manager in general. If you cannot establish direct communication between your device and wazuh-manager, you can use any other syslog forwarding tool to send the logs to the syslog server and forward them to wazuh-manager from there. However, this will not allow you to have many capabilities, like individual agent status monitoring, agent buffer, syscollector, vulnerability detection, etc., that direct agent-manager communication can have.

I hope it helps. Please let us know if you have any further query here.

Tuaans Anh

Jul 18, 2023, 11:24:55 PM
to Wazuh mailing list
Hi Abdullah,
I have read the documentation above, but I'm not sure that is exactly what I want.
I created a diagram to describe my issues; please see the picture and let me know.
Note that all clients have wazuh-agent installed, and also log collectors.
Thanks
(attachment: diagram.png)

Abdullah Al Rafi Fahim

Jul 20, 2023, 2:55:14 AM
to Wazuh mailing list
Hello Tuaans,

The documentation describes how you can configure the syslog collectors to receive the logs from remote sources using rsyslog/logstash and send them to the manager using wazuh-agent. However, the first part of your diagram needs a different approach, as wazuh-agent can only enroll and send logs to wazuh-manager's analysis engine, and it is not allowed to send logs using wazuh-agent to any other destination.

Therefore, you may use any remote log forwarding tool to forward the logs from your endpoints to the syslog collector and then use wazuh-agent there to send the logs to wazuh-manager. Bear in mind, without direct communication between the endpoints (as wazuh-agent) and wazuh-manager, we cannot have capabilities like individual agent status monitoring, agent buffer, syscollector, vulnerability detection, etc. Therefore, it is always recommended to use wazuh-agent on the endpoints where you can install it and establish direct communication (or through a load balancer) to ensure maximum capabilities, and only use a syslog collector in the case of network devices where you cannot deploy wazuh-agent.

Tuaans Anh

Jul 20, 2023, 4:02:46 AM
to Wazuh mailing list
Hi Abdullah,

You mean above that it's impossible. I have read around the documentation and found the way to build the multi-node setup, and I understand that I can build two nodes instead of two log collectors. Is it possible?
But I don't understand how the multi-node architecture works. My understanding is that for each node I need a physical server, and I will install the indexer and manager on that, right?

Abdullah Al Rafi Fahim

Jul 21, 2023, 2:45:44 AM
to Wazuh mailing list
Hello Tuaans,

May I know what exactly you want to achieve by sending the wazuh-agent logs to two different destinations? It would be easier for me to help you with a better and feasible solution for your expected scenario if I can understand this properly.

Tuaans Anh

Jul 21, 2023, 5:07:32 AM
to Wazuh mailing list
Hi Abdullah,

You can imagine like below:

I have a system which includes many computers. I will install wazuh-agent on each computer to send logs to the wazuh-manager.
But my wazuh-manager is in another environment (e.g. cloud), and my boss wants to build 2 log collectors. They will do the job of receiving logs from agents and then sending them to wazuh-manager.
You can understand they are centralized logging also.
I'm building both of them on Ubuntu Server 22.04.

And my problem is that the server cannot receive logs from agents.

Please let me know if you are stuck somewhere.

Abdullah Al Rafi Fahim

Aug 9, 2023, 11:47:12 PM
to Wazuh mailing list
Hello Tuaans,

Sorry for the late response!

Based on the scenario you discussed, our recommendation would be to use a local Load Balancer / Proxy server with internet access to receive the wazuh-agent streams at ports 1514 and 1515 and forward them to the cloud manager. It will help you to establish the communication between your local endpoints and the cloud manager without hampering any of the wazuh-agent capabilities. You can review this documentation to understand how you can use a load balancer between the agent and manager: NGINX Load balancer for a Wazuh cluster

Using a logcollector server will not be a feasible approach, as the wazuh-agent is designed to send the logs to wazuh-manager's analysis engine, and these logs cannot be received and stored as remote syslog in a logcollector. Even if you send the logs with any other tool to the logcollector and forward them to the Wazuh manager, these endpoints will not be wazuh-agents anymore and will miss a lot of capabilities like individual agent status monitoring, agent buffer, syscollector, vulnerability detection, etc.

I hope it helps. Please let us know if you have any further query here.
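The layer-4 proxy approach recommended above, written out as an added example (this is not configuration from the original thread or from the Wazuh project; the `<CLOUD-MANAGER-ADDRESS>` value is a placeholder for the cloud manager's IP or hostname, and `<protocol>tcp</protocol>` on the agents, the Wazuh default, is assumed). NGINX's `stream` module passes the agent connections through unchanged, so the manager still sees each endpoint as a real enrolled agent and none of the agent capabilities listed in the reply are lost. The same file would run on either of the two Ubuntu 22.04 hosts, so both can act as the local entry point:

```nginx
# /etc/nginx/nginx.conf on the local proxy (requires NGINX built with ngx_stream_module)
# Agents point their <address> at this host instead of at the cloud manager.
worker_processes auto;

events {
    worker_connections 1024;
}

stream {
    # Agent <-> manager data channel (TCP 1514 by default in Wazuh 4.x).
    upstream wazuh_agents {
        # Placeholder: replace with the cloud manager's reachable address.
        server <CLOUD-MANAGER-ADDRESS>:1514;
    }

    # Agent enrollment / key exchange channel (TCP 1515).
    upstream wazuh_enrollment {
        server <CLOUD-MANAGER-ADDRESS>:1515;
    }

    server {
        listen 1514;
        proxy_pass wazuh_agents;
        # Keep idle agent sessions open long enough for keepalives.
        proxy_timeout 600s;
        proxy_connect_timeout 10s;
    }

    server {
        listen 1515;
        proxy_pass wazuh_enrollment;
        proxy_connect_timeout 10s;
    }
}
```

Run `nginx -t` after editing to confirm the stream module is available and the syntax is valid, then restrict inbound 1514/1515 on the proxy to the local agent network and outbound 1514/1515 to the cloud manager only. If the agents were deliberately configured with `<protocol>udp</protocol>`, the 1514 listener needs `listen 1514 udp;` instead. Because the traffic is only proxied at TCP level, the agent's own encryption and its per-agent key continue to protect the payload end to end; the proxy never decrypts it.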
