Wazuh. Architecture advice

MajorFudge

May 19, 2023, 4:41:54 AM5/19/23
to Wazuh mailing list
Hello team!
I'm new to the Wazuh product and I'm trying to build a new instance.
My main goals are:
1. Receive logs and events from agents (working fine)
2. Receive a syslog flow from a variety of equipment (firewall, ESXi, vCloud, etc.)
3. Parse these logs
4. Inject some data into the logs, like IoCs, TI feeds, etc.

What I have:
1. Wazuh server cluster (1 master + 2 workers)
2. Wazuh indexer based on OpenSearch (2 nodes)
3. Wazuh dashboard
4. Load balancer in front of the Wazuh server
5. Fluentd server to receive syslog, parse it and enrich it with data.

Here is my diagram.
Screenshot 2023-05-19 at 10.24.33.png

Questions:
1. Is this diagram correct? Does it make sense?
2. What are the recommended tools to use as a syslog server / log normalizer / data ingest?
I tried rsyslog, but I think it was built a long time ago for a different purpose, and using mmnormalize is not a good idea in 2023.
Now I'm trying to work with Fluentd. I'm able to receive data and create different labels and tags to work with the different syslog flows. But I'm stuck on forwarding these logs to Wazuh.

In this case, I don't quite understand where to send the logs after parsing: the Wazuh server or the Wazuh indexer? If I choose the Wazuh indexer, then what output plugin should I use?


Farouk Musa

May 19, 2023, 11:36:55 AM5/19/23
to Wazuh mailing list
Hi there!

Thank you for reaching out to us.

Based on your diagram, it looks like you have a good setup for receiving logs and events from various log sources. As for your syslog flow, Wazuh supports a native Fluentd integration, but this lets you export logs from the Wazuh server to Fluentd; the reverse communication is not yet natively supported. There is an impact on the out-of-the-box rules and decoders Wazuh has: as you plan to modify the logs being received from Fluentd, they may not match the decoders. The Wazuh indexer would receive the logs and forward to the Wazuh manager.

As for where to send the parsed logs, it depends on your specific use case. You can use Wazuh with Elasticsearch https://documentation.wazuh.com/current/deployment-options/elastic-stack/index.html and use the Fluentd Elasticsearch output plugin (fluent-plugin-elasticsearch) to forward your logs to Wazuh. You can also use the out_file output plugin to write the logs to a file; a Wazuh agent can be configured to read the file and forward it to the Wazuh server via syslog https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#log-collection:~:text=the%20Wazuh%20environment.-,Log%20collection,-Permalink%20to%20this. Another option would be the out_s3 output plugin, where Fluentd ships to S3 and Wazuh can read the logs from there https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-s3.html. There are other unofficial Fluentd syslog plugins you can use to send syslog to the Wazuh manager.

I hope this helps.
Best regards.
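The out_file route from the reply above, worked through end to end as an added example (this is not code from the thread, from Wazuh or from Fluentd). It stands in for the Fluentd parse-and-enrich stage: it parses RFC 3164-style syslog lines, tags any IPv4 address that appears in a threat-intel feed, and writes one JSON object per line to a file that a Wazuh agent can pick up with a `<localfile>` entry using `log_format` `json`. Writing JSON rather than a rewritten syslog line is an assumption of this example, chosen because Wazuh's built-in JSON decoder extracts every key as a field, which sidesteps the decoder-mismatch problem the reply warns about. The sample log lines, the hosts and IP addresses, the feed contents and the file path are all constructed for the example.

```python
"""Added example: syslog -> parse -> TI enrichment -> JSON lines for a Wazuh agent.

The agent side assumed here (not from the thread) is a <localfile> entry in
the agent's ossec.conf pointing at the file this script appends to:

    <localfile>
      <log_format>json</log_format>
      <location>/var/log/enriched/syslog.json</location>
    </localfile>

With log_format json, Wazuh's JSON decoder exposes each key of every line
(host, program, message, ti, ...) as a field that custom rules can match on.
"""
import json
import re

# Constructed sample input: RFC 3164-style lines as a firewall, an ESXi host
# and a vCloud cell might emit them. Hostnames and addresses are made up.
SAMPLE_SYSLOG = [
    "<134>May 19 10:24:33 fw01 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<14>May 19 10:24:35 esxi01 Hostd: [Originator@6876 sub=Vimsvc] Accepted password for user root from 198.51.100.7",
    "<13>May 19 10:24:40 vcloud01 vcd: session opened for org admin",
]

# Constructed threat-intel feed (hypothetical IoC data keyed by IPv4 address).
TI_FEED = {
    "203.0.113.45": {"ioc": "scanner", "source": "example-feed", "confidence": 80},
}

# <PRI>TIMESTAMP HOST TAG[PID]: MSG   (year-less BSD syslog timestamp)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(line: str) -> dict:
    """Split one syslog line into fields; keep unparseable lines, flagged."""
    m = SYSLOG_RE.match(line)
    if m is None:
        # Never drop input: the raw line still reaches Wazuh as full_log.
        return {"full_log": line, "parse_error": True}
    pri = int(m.group("pri"))
    return {
        "full_log": line,
        "parse_error": False,
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("tag").strip(),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def enrich(record: dict, feed: dict) -> dict:
    """Attach feed entries for every IPv4 address in the message that is an IoC."""
    hits = []
    for ip in sorted(set(IPV4_RE.findall(record.get("message", "")))):
        if ip in feed:
            hits.append({"indicator": ip, **feed[ip]})
    record["ti"] = hits
    record["ti_match"] = bool(hits)
    return record


def process(lines, feed) -> list:
    """Parse and enrich a batch of lines, preserving order."""
    return [enrich(parse_syslog(line), feed) for line in lines]


def to_jsonl(records) -> str:
    """One compact JSON object per line, which is what log_format json expects."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def write_jsonl(records, path) -> int:
    """Append records to the file the Wazuh agent tails; returns lines written."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(to_jsonl(records))
    return len(records)


if __name__ == "__main__":
    print(to_jsonl(process(SAMPLE_SYSLOG, TI_FEED)), end="")
```

The firewall line gets `ti_match: true` with the feed entry attached; the ESXi and vCloud lines pass through with an empty `ti` list, and a line the regex cannot parse is still emitted with `parse_error: true` so nothing is silently lost before it reaches the manager. Appending (not truncating) matters because the agent's log collector tracks its read position in the file.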
