How to see syslog devices on wazuh server.


Huy Nguyễn

Aug 2, 2021, 3:55:31 AM
to Wazuh mailing list
How do I see syslog devices on the Wazuh server? Same agent on the Wazuh server.

Viktor Nguyen

Aug 3, 2021, 12:31:20 PM
to Wazuh mailing list
As I see it, currently there is no way to see each syslog device as an agent in Wazuh.
All you can do is send all syslog to a central log service and use wazuh-agent on that service to read the logs and send them to the Wazuh server. So, in the Wazuh server, you can see only one agent.

Sandra Ocando

Aug 5, 2021, 3:36:08 AM
to Huy Nguyễn, Wazuh mailing list
Hello,

To see syslog devices in Wazuh you need to configure your device to send logs via syslog and Wazuh to receive them via remote syslog; here you can find more information on how to configure it: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog. Remember to restart the Wazuh service after changing the configuration so the changes can take effect.

To check that you are receiving the logs, you may enable the logall option in /var/ossec/etc/ossec.conf and look for the logs in /var/ossec/logs/archives/archives.log. For more information, see https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall. With the logall option enabled, Wazuh stores all received events even if they do not trip a rule, so remember to disable it after you run your tests to avoid excessive disk consumption.

Once Wazuh receives the logs, it processes them through decoders and rules. The Wazuh ruleset includes rules for many popular devices; you can see it here: https://github.com/wazuh/wazuh/tree/master/ruleset. If your device is not already covered by the stock Wazuh ruleset, you can create custom rules and decoders to analyze your logs; here is more information on how to do so: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

The logs and alerts generated by the device will appear under the Wazuh manager, agent '000'. You can create filters in Kibana to easily visualize the alerts generated by your device.

I hope you find this information useful! Let us know if you have any questions.

Best regards,
Sandra.

On Mon, Aug 2, 2021 at 9:55 AM Huy Nguyễn <buinhu...@gmail.com> wrote:
How do I see syslog devices on the Wazuh server? Same agent on the Wazuh server.

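The test loop Sandra describes (send a syslog event, then confirm it shows up in archives.log with logall enabled), as an added example that is not part of the original thread or of Wazuh's own tooling. It builds an RFC 3164 datagram with a recognisable marker, optionally fires it at the manager over UDP, and searches archive lines for that marker. The manager hostname, the `wazuh-test` tag, the `probe-42` marker and the sample archive lines are constructed for the example; the `YYYY Mon DD HH:MM:SS manager->location event` layout used to pull out the source address is the archives.log layout assumed here.

```python
"""Send a test syslog event to a Wazuh manager's <remote> syslog listener and
check that it landed in archives.log (needs <logall>yes</logall> on the manager).
Added example, not Wazuh's own code."""
import datetime
import re
import socket

# RFC 3164 facility/severity codes (standard values, not Wazuh-specific).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_syslog_message(hostname, tag, text, facility="user", severity="info", when=None):
    """Build an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.datetime.now()
    # RFC 3164 timestamp is "Mmm dd HH:MM:SS" with a space-padded day.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    payload = f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()
    if len(payload) > 1024:
        raise ValueError("RFC 3164 datagrams are limited to 1024 bytes")
    return payload


def send_test_event(manager_host, payload, port=514):
    """Fire one UDP datagram at the manager; must match the listener's <protocol>."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (manager_host, port))


# Assumed archives.log layout: "YYYY Mon DD HH:MM:SS manager->location original event".
ARCHIVE_LINE = re.compile(
    r"^(?P<stamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<manager>\S+?)->(?P<location>\S+) (?P<event>.*)$"
)


def find_event(archive_lines, marker):
    """Return (location, event) for every archived line whose event contains marker."""
    hits = []
    for line in archive_lines:
        m = ARCHIVE_LINE.match(line.rstrip("\n"))
        if m and marker in m.group("event"):
            hits.append((m.group("location"), m.group("event")))
    return hits


# Constructed sample of archives.log after a successful test; not output from
# any machine in the thread.
SAMPLE_ARCHIVE = [
    "2022 Oct 30 16:45:01 wazuh-manager->192.168.10.5 <14>Oct 30 16:45:01 fw01 wazuh-test: probe-42",
    "2022 Oct 30 16:45:02 wazuh-manager->192.168.10.9 <86>Oct 30 16:45:02 sw02 sshd[3310]: Accepted publickey for admin",
]

if __name__ == "__main__":
    msg = build_syslog_message("fw01", "wazuh-test", "probe-42")
    print(msg.decode())
    # send_test_event("wazuh-manager.example.internal", msg)  # hypothetical manager host
    # On the manager: grep probe-42 /var/ossec/logs/archives/archives.log
    print(find_event(SAMPLE_ARCHIVE, "probe-42"))
```

Pick a marker that no real device emits so a grep of archives.log is unambiguous, and run the check from the device's own network position: a datagram that shows up when sent from the manager itself but not from the device points at the firewall or the `<allowed-ips>` list rather than at the listener.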

Alket Shabani

Oct 30, 2022, 4:41:10 PM
to Wazuh mailing list
So I did the above, but I cannot see my logs in: tail -f /var/ossec/logs/archives/2022/Oct/ossec-archive-30.log

My config; I allowed all IPs for testing:
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
</ossec_config>

Alket Shabani

Oct 30, 2022, 4:43:04 PM
to Wazuh mailing list
iptraf-ng -i ens192 shows that the data is coming in.

Alket Shabani

Oct 30, 2022, 4:48:45 PM
to Wazuh mailing list
Is there a specific place in ossec.conf where I should put the remote config?

Sandra Ocando

Nov 4, 2022, 4:22:24 AM
to Alket Shabani, Wazuh mailing list
Hi Alket,

IPTraf can show events that reach the network interface but are blocked by the system's firewall.
To ensure logs are allowed to reach Wazuh, make sure that the configured port and protocol are accepted by your system's firewall.

firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload
systemctl restart firewalld 

Regarding your question about the configuration, the <remote> config can be placed in any <ossec_config> section of the manager's /var/ossec/etc/ossec.conf file.

Let us know if you have any questions.

Best regards,
Sandra.
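A configuration check for the two points raised in this exchange (is the syslog `<remote>` block inside an `<ossec_config>` section, and does the host firewall open the same port and protocol), as an added example that is not part of the thread or of Wazuh's own tooling. ossec.conf is a series of `<ossec_config>` roots rather than one XML document, so the script wraps it in a synthetic root before parsing. It also flags the `0.0.0.0/0` allow-list from Alket's test config, since with UDP syslog the source address is the only filter the listener applies and it is spoofable. The sample configuration, the finding texts and the `review_listener`/`firewall_commands` helper names are constructed for the example; the firewalld commands are the ones from the reply above.

```python
"""Find remote-syslog listeners in a Wazuh manager's ossec.conf, review their
allow-lists, and print the firewalld opening each one needs.
Added example, not Wazuh's own code."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample with two <ossec_config> sections, as a real ossec.conf has.
# The second section carries the listener from the thread: UDP/514, open to all.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>

<!-- remote syslog listener -->
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """Wrap the multiple <ossec_config> roots in one synthetic root so ET accepts them."""
    return ET.fromstring("<root>" + text + "</root>")


def syslog_listeners(text):
    """One dict per <remote> block whose <connection> is syslog (Wazuh defaults: 514/udp)."""
    root = parse_ossec_conf(text)
    properly_placed = root.findall("ossec_config/remote")
    found = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        found.append({
            "port": int((remote.findtext("port") or "514").strip()),
            "protocol": (remote.findtext("protocol") or "udp").strip().lower(),
            "allowed_ips": [e.text.strip() for e in remote.findall("allowed-ips") if e.text],
            "inside_ossec_config": any(remote is e for e in properly_placed),
        })
    return found


def review_listener(listener):
    """Findings a practitioner would want to clear before relying on the listener."""
    findings = []
    if not listener["inside_ossec_config"]:
        findings.append("<remote> is not inside an <ossec_config> section; the manager will not load it")
    if not listener["allowed_ips"]:
        findings.append("no <allowed-ips>: the syslog listener has no sender to accept")
    for cidr in listener["allowed_ips"]:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid <allowed-ips> value {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} accepts syslog from any source; list the device "
                            "addresses instead (UDP source addresses are spoofable, "
                            "so the allow-list is the only filter you get)")
    return findings


def firewall_commands(listener):
    """firewalld commands (as given in the thread) matching the listener's port/protocol."""
    spec = f"{listener['port']}/{listener['protocol']}"
    return [f"firewall-cmd --permanent --zone=public --add-port={spec}",
            "firewall-cmd --reload"]


if __name__ == "__main__":
    # Pass /var/ossec/etc/ossec.conf as the first argument to check a real manager.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OSSEC_CONF
    for listener in syslog_listeners(text):
        print(listener)
        for finding in review_listener(listener):
            print("  finding:", finding)
        print("  " + "\n  ".join(firewall_commands(listener)))
```

Replacing `0.0.0.0/0` with the device subnet, for example `192.168.10.0/24`, clears the allow-list finding; a `<remote>` pasted outside every `<ossec_config>` shows up with `inside_ossec_config` false, which is the placement problem asked about above.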

Alket Shabani

Nov 4, 2022, 4:24:26 AM
to Wazuh mailing list
Hello Sandra,

Thanks, yes, I used it :) and I was getting the events. What worked for me was to add the remote config under <ossec_config>; in the beginning I had it as a separate <ossec_config>.
