Dropping Syslog Events on Port 514 Before Reaching Wazuh Manager


Muhammad Farash P

May 14, 2025, 1:16:37 AM
to Wazuh | Mailing List

Hi everyone,

I’m trying to drop certain syslog events that are being sent to port 514 on my Wazuh manager, based on specific patterns or regex matches. I’ve looked through the Wazuh documentation but haven’t found any options within the Wazuh remote module to filter or discard events at this stage.

My goal is to drop these events before they reach the Wazuh manager (not at the filebeat or logstash level). 

Thanks in advance for your support.

Thanks!

hasitha.u...@wazuh.com

May 14, 2025, 2:03:57 AM
to Wazuh | Mailing List
Hi Muhammad,

Yes, you are correct: currently we do not have filtering options available in the remote code block.

However, I can suggest an alternative way. You can forward those syslogs to one of your endpoints where the Wazuh agent is installed, and then configure filtering options in the agent's ossec.conf file (the log collection config).
Here are the steps.

First, forward the log source's logs using syslog to one of the Linux machines. (You can use this machine as a log collector machine.)
Then, configure rsyslog to listen and write the logs to a specific file.
Ref: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

After that, install the Wazuh agent if you have not already installed it.
Ref: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

Then you can configure log collection in the Wazuh agent's ossec.conf file.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html

Then you can use the ignore and restrict options in the log collection config to avoid unnecessary logs.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#ignore
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#restrict

Let me know of any update on this.

Regards,
Hasitha Upekshitha

Sunil Sonawane

Jun 3, 2025, 6:45:21 AM
to Wazuh | Mailing List
Hi,

I have no agent deployed, but my firewall events are coming directly into the Wazuh server and I can see them in the Wazuh dashboard, based on the configuration below in the ossec.conf file:

<remote>
  <connection>syslog</connection>
  <port>3514</port>
  <protocol>udp</protocol>
  <allowed-ips>192.168.0.110/24</allowed-ips>
  <local_ip>192.168.0.83</local_ip>
</remote>

Can you please help me with how to add a filter to drop the events?
Example: I want to drop the events containing the keyword level="notice"

date=2025-06-03 time=11:54:33 devname="DU-PAR-FW-01" devid="FGT40FTK2109C741" eventtime=1748937274421315880 tz="+0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=118.193.56.149 srcport=47690 srcintf="wan" srcintfrole="wan" dstip=5.195.104.38 dstport=3103 dstintf="root" dstintfrole="undefined" srccountry="Thailand" dstcountry="United Arab Emirates" sessionid=1187002 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/3103" trandisp="noop" app="tcp/3103" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low

hasitha.u...@wazuh.com

Jun 4, 2025, 8:11:09 AM
to Wazuh | Mailing List
Hi Sunil,

You cannot add a filter in the remote code block to drop events.
However, I tested this log and it will not show in the dashboard because its default rule level is 1. By default, alerts are generated for level 3 or above.
Ref: https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#alert-threshold

I believe you are expecting to drop logs at the receiving point; correct me if I am wrong.

If that is the case, you cannot do it in the remote code block; instead, you can follow this approach.

Alternatively, you need to collect those syslogs on one of your Linux agents using rsyslog, write them into a file, and then configure log collection in the Wazuh agent's ossec.conf file. From there you can use the query, ignore, and restrict options in the localfile configuration to control which logs get forwarded.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#ignore
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#restrict

Agent install: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
Rsyslog configuration: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

You have to modify the location and the log_format to match your setup. You need to add this configuration to the monitored Wazuh agent's ossec.conf.
For example:
nano /var/ossec/etc/ossec.conf

<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
  <restrict type="PCRE2">username_\d?</restrict>
</localfile>
Then restart the Wazuh agent to apply changes.
systemctl restart wazuh-agent

If you need further assistance on this let me know.

Regards,
Hasitha Upekshitha
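Both replies above recommend the same path (rsyslog writes the forwarded syslog to a file, the agent's localfile block applies ignore/restrict), but neither shows the pattern for Sunil's actual case. The script below is an added example, not code from the thread or from Wazuh: it dry-runs an ignore pattern for level="notice" against constructed FortiGate-style lines with Python's re (an assumption that the agent's PCRE2 engine behaves the same for such a simple pattern; the keep/drop rule is modelled from the options' documented purpose) and renders the matching localfile fragment, so the regex is checked before it is deployed.

```python
import re
from typing import List, Optional
from xml.sax.saxutils import escape

# Constructed sample lines in the FortiGate key=value format quoted in the thread
# (values shortened and invented; not real devices or addresses).
SAMPLE_LINES = [
    'date=2025-06-03 time=11:54:33 devname="FW-01" type="traffic" subtype="local" level="notice" srcip=192.0.2.10 action="deny"',
    'date=2025-06-03 time=11:55:01 devname="FW-01" type="event" subtype="system" level="warning" msg="Admin login failed"',
    'date=2025-06-03 time=11:55:09 devname="FW-01" type="utm" subtype="ips" level="alert" action="dropped"',
]

# The pattern that would go into <ignore type="PCRE2">; Python re is used here only for the dry run.
IGNORE_PATTERN = r'level="notice"'


def would_forward(line: str, ignore_pattern: str, restrict_pattern: Optional[str] = None) -> bool:
    """Model of the localfile filter (assumption of this example, not the agent's code):
    a line matching <ignore> is dropped; if <restrict> is set, only matching lines are kept."""
    if re.search(ignore_pattern, line):
        return False
    if restrict_pattern is not None and not re.search(restrict_pattern, line):
        return False
    return True


def filter_lines(lines: List[str], ignore_pattern: str = IGNORE_PATTERN,
                 restrict_pattern: Optional[str] = None) -> List[str]:
    """Return the lines the agent would forward to the manager under the modelled rules."""
    return [line for line in lines if would_forward(line, ignore_pattern, restrict_pattern)]


def localfile_block(path: str, ignore_pattern: str, restrict_pattern: Optional[str] = None) -> str:
    """Render the <localfile> fragment for the agent's ossec.conf using the dry-run patterns."""
    parts = [
        "<localfile>",
        f"  <location>{escape(path)}</location>",
        "  <log_format>syslog</log_format>",
        f'  <ignore type="PCRE2">{escape(ignore_pattern)}</ignore>',
    ]
    if restrict_pattern is not None:
        parts.append(f'  <restrict type="PCRE2">{escape(restrict_pattern)}</restrict>')
    parts.append("</localfile>")
    return "\n".join(parts)


if __name__ == "__main__":
    kept = filter_lines(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES) - len(kept)} of {len(SAMPLE_LINES)} sample lines would be dropped")
    print(localfile_block("/var/log/fortigate.log", IGNORE_PATTERN))  # /var/log/fortigate.log is a placeholder path
```

The rendered fragment goes into the collector agent's /var/ossec/etc/ossec.conf, followed by the agent restart shown above.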