Send syslog to Wazuh


Trường An Tô Nguyễn

Sep 8, 2025, 10:11:22 AM
to Wazuh | Mailing List


Hi all,

I've recently set up Wazuh using Docker containers. I also have another application, Claroty CTD, which is configured to send Syslog messages to a designated Syslog server.

In the Wazuh configuration file (/var/ossec/etc/ossec.conf), I enabled the following settings:

Screenshot 2025-09-08 at 15.34.52.png

And for remote Syslog input, I added:

Screenshot 2025-09-08 at 15.34.59.png

Using tcpdump, I can confirm that Syslog messages are arriving at the machine. However, I don't see any of these logs reflected in Wazuh. I've checked the following log files:

  • /var/ossec/logs/archives/archives.log
  • /var/ossec/logs/archives/archives.json
  • /var/ossec/logs/alerts/alerts.log
  • /var/ossec/logs/alerts/alerts.json
  • /var/ossec/logs/ossec.log

Despite this, the logs from Claroty CTD are not appearing.

Any ideas or suggestions on what might be missing or misconfigured?

Thanks in advance!


Bony V John

Sep 11, 2025, 2:01:42 AM
to Wazuh | Mailing List
Hi,

Apologies for the late response, it seems we missed your query. I’m currently working on this and will get back to you with an update as soon as possible.

Bony V John

Sep 11, 2025, 3:22:45 AM
to Wazuh | Mailing List
Hi,

Based on your input, I assume that the logs from the log source are reaching the Wazuh manager container.
To troubleshoot this issue, you can follow the troubleshooting steps below:

List the running containers:

docker ps


First, make sure that all the services are running fine on the Wazuh manager container:
docker exec -it <container-name> /var/ossec/bin/wazuh-control status

Check the Wazuh manager ossec.log file:
docker exec -it <container-name> tail /var/ossec/logs/ossec.log | grep -iE "error|warn|crit|fatal|remote"

Make sure that the log source is configured to forward the logs over the UDP protocol. Also, confirm that you have configured the <allowed-ips> tag with the correct IP address of the host that is sending the logs to the Wazuh manager.
You can refer to the Wazuh syslog configuration documentation for more details about this.

Check that the Wazuh manager service is listening on port 514:

docker exec -it <container-name> ss -lun | grep ':514'

If there is no output, it means that there are no services listening on port 514.

If the configurations look fine and port 514 is listening on the Wazuh manager, then tail the Wazuh manager archives.json file to check for the logs:

docker exec -it <container-name> tail /var/ossec/logs/archives/archives.json | grep -iE "<string>"

Replace <container-name> with the Wazuh manager container name and <string> with any unique keyword in the log.
Make sure that <logall_json> is set to yes in the Wazuh manager ossec.conf file before checking the log.
You can refer to the Wazuh documentation for enabling the archives log.

If you need further assistance, please share the full output of the above commands with us. Also, please share the tcpdump command output that you have run.
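As an added illustration, not part of this thread and not Wazuh's own tooling, the configuration checks listed in the reply above (a syslog <remote> block on UDP/514, an <allowed-ips> entry that actually covers the sender, <logall_json> enabled, and a socket bound to port 514) can be run offline against a copy of ossec.conf and the `ss -lun` output pulled out of the container. The ossec.conf excerpt, the `ss` output, the sender address 192.0.2.10 and all function names below are constructed for this example; the only Wazuh facts relied on are that a syslog listener defaults to port 514 and UDP, that <allowed-ips> is required for syslog listeners, and that archives.json is written only when <logall_json> is yes.

```python
"""Static check of the ossec.conf settings a remote syslog source depends on.

Added example, not Wazuh's own code. Sample data is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt. A real ossec.conf holds several top-level
# <ossec_config> elements, so the file as a whole is not one XML document.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed output of `docker exec <container> ss -lun` (UDP listeners only).
SAMPLE_SS_OK = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
UNCONN 0      0      0.0.0.0:1514       0.0.0.0:*
"""
SAMPLE_SS_MISSING = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:1514       0.0.0.0:*
"""


def parse_ossec_conf(text):
    """Wrap the file in a synthetic root so multiple <ossec_config> blocks parse."""
    return ET.fromstring("<root>" + text + "</root>")


def _text(elem, tag, default):
    value = elem.findtext(tag)
    return value.strip() if value is not None and value.strip() else default


def check_syslog_remote(root, sender_ip, port=514, protocol="udp"):
    """Return a list of findings; an empty list means the syslog <remote>
    block matches the port/protocol the sender uses and allows its address."""
    findings = []
    blocks = [r for r in root.iter("remote") if _text(r, "connection", "") == "syslog"]
    if not blocks:
        return ["no <remote> block with <connection>syslog</connection>"]
    sender = ipaddress.ip_address(sender_ip)
    for blk in blocks:
        # Wazuh defaults for a syslog listener: port 514, protocol udp.
        got_port = int(_text(blk, "port", "514"))
        got_proto = _text(blk, "protocol", "udp").lower()
        if got_port != port:
            findings.append(f"listener port is {got_port}, sender uses {port}")
        if got_proto != protocol:
            findings.append(f"listener protocol is {got_proto}, sender uses {protocol}")
        allowed = [a.text.strip() for a in blk.findall("allowed-ips") if a.text]
        if not allowed:
            findings.append("<allowed-ips> is missing (required for syslog listeners)")
            continue
        nets = []
        for entry in allowed:
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                findings.append(f"unparseable <allowed-ips> entry: {entry}")
        if nets and not any(sender in n for n in nets):
            findings.append(f"sender {sender} is not covered by <allowed-ips> {allowed}")
    return findings


def logall_json_enabled(root):
    """True when <global><logall_json>yes</logall_json> is set; without it
    nothing is ever written to archives.json, so tailing it proves nothing."""
    return any(_text(g, "logall_json", "no").lower() == "yes" for g in root.iter("global"))


def port_is_listening(ss_output, port):
    """Parse `ss -lun` output: column 4 is Local Address:Port."""
    suffix = f":{port}"
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3].endswith(suffix):
            return True
    return False


def diagnose(conf_text, ss_output, sender_ip):
    """Combine the checks into one report dict for a given sender address."""
    root = parse_ossec_conf(conf_text)
    return {
        "remote_findings": check_syslog_remote(root, sender_ip),
        "logall_json": logall_json_enabled(root),
        "port_514_bound": port_is_listening(ss_output, 514),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, diagnose(SAMPLE_CONF, SAMPLE_SS_OK, ip))
```

To use it against a live deployment, save the output of `docker exec <container-name> cat /var/ossec/etc/ossec.conf` and `docker exec <container-name> ss -lun` to files and pass their contents to `diagnose()` with the address of the Claroty host as `sender_ip`. The second sample address above deliberately falls outside the allowed range, which is the case that produces no error in ossec.log and no line in archives.json even though tcpdump shows the packets arriving.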
