send logs from Mikrotik to wazuh


Madison !

Sep 29, 2021, 12:19:58 PM
to Wazuh mailing list
Hello team. Could you help me find the global settings where I should add the settings below? Earlier I could find it in the web interface, but now I cannot find the global settings of the Wazuh manager. My version is 4.1.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>

Alexander Bohorquez

Sep 29, 2021, 12:50:46 PM
to Wazuh mailing list
Hello Madiartumarbayev,

Thank you for using Wazuh!

To access the global configuration of your manager, you can do it both from the UI and from the terminal of the server.

To access from the UI:

You can select the Wazuh Menu > Management > Administrator > Configuration:
[screenshot: Captura de pantalla 2021-09-29 133220.png]

Inside, you'll find the configuration of your manager or managers if you have a Wazuh cluster:
[screenshot: Captura de pantalla 2021-09-29 133403.png]

On the other hand, to access it from the terminal, the configuration is in the file /var/ossec/etc/ossec.conf.

I see you mention that you want to receive logs from Mikrotik with Wazuh. To do this, one of the steps is to add a "remote" configuration block to your ossec.conf. This must not be within the "<global>" setting; it must be inside "<ossec_config>".

Here is an example with the configuration you mentioned:

[screenshot: Captura de pantalla 2021-09-29 134022.png]


With this configuration, you can start receiving Mikrotik events in your manager but you will have to create custom decoders and rules to generate alerts when these logs arrive in the manager. These generated alerts are the events you will see on the discover page of Kibana.

To create custom decoders and rules you can have a look at the following documentation links:
Once you have created them, try using the logtest tool to verify that the logs will generate alerts properly when they arrive at the manager. This tool is located at /var/ossec/bin/wazuh-logtest. Reference: wazuh-logtest.

I hope this helps, please let me know if you have more questions!

Madison !

Sep 29, 2021, 2:46:15 PM
to Wazuh mailing list
Thank you for the quick response. Does it mean that I should add the remote settings for syslog in /var/ossec/etc/ossec.conf, not in the global settings? Last question: is local_ip the IP address of the Mikrotik?

Wednesday, September 29, 2021 at 22:50:46 UTC+6, alexander...@wazuh.com:

Alexander Bohorquez

Sep 29, 2021, 2:59:03 PM
to Wazuh mailing list
Hello Madiartumarbayev,

Answering your questions,

"thank you for the quick response. Does it mean that I should add remote settings for Syslog in the /var/ossec/etc/ossec.conf, not in the global settings?" Yes, you should add another remote block to your configuration, and it shouldn't be inside the global section. It should be inside the "<ossec_config>" section, as I explained above in the example.

"last question is local IP is an IP address of Mikrotik?" No, the local IP address is used to listen for connections, so this would be the IP address of your Wazuh manager, and the "allowed-ips" are the list of IP addresses that are allowed to send Syslog messages to the server; in this case, the IP address of your Mikrotik.

I hope this helps. Please let me know if you have any other questions.
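One way to check the placement and the two addresses discussed above, as an added example that is not code from this thread or from the Wazuh project: a Python script that parses a trimmed ossec.conf, reports whether the syslog <remote> block sits directly under <ossec_config> or was misplaced inside <global>, verifies that the device address falls within allowed-ips and that local_ip is the manager's address, and reads the logall flag. Both sample configurations are constructed; the network and manager address reuse the values posted later in this thread (172.20.1.0/24 and 172.20.1.4), and the Mikrotik address 172.20.1.1 is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: trimmed ossec.conf with the syslog <remote> block placed
# directly under <ossec_config>, as recommended in the thread. It also has a
# second top-level <ossec_config> element, as the stock file does.
GOOD_CONF = """
<ossec_config>
  <global>
    <logall>no</logall>
  </global>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>172.20.1.0/24</allowed-ips>
    <local_ip>172.20.1.4</local_ip>
  </remote>
</ossec_config>
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
  </syscheck>
</ossec_config>
"""

# Constructed sample of the mistake discussed in the thread: the block sits
# inside <global>, and local_ip was set to the device instead of the manager.
BAD_CONF = """
<ossec_config>
  <global>
    <logall>yes</logall>
    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>udp</protocol>
      <allowed-ips>172.20.1.1</allowed-ips>
      <local_ip>172.20.1.1</local_ip>
    </remote>
  </global>
</ossec_config>
"""


def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> elements, which a
    # strict XML parser rejects ("junk after document element"); wrapping them
    # in a synthetic root makes the file parseable.
    return ET.fromstring("<root>" + text + "</root>")


def check_remote_syslog(conf_text, manager_ip, device_ip):
    root = parse_ossec_conf(conf_text)
    device = ipaddress.ip_address(device_ip)
    report = {
        "syslog_remote_in_ossec_config": False,
        "syslog_remote_under_global": False,
        "device_allowed": False,
        "local_ip_is_manager": False,
        "logall_enabled": False,
    }
    for cfg in root.findall("ossec_config"):
        # Misplaced block: <remote> nested in <global>, which the thread warns against.
        for rem in cfg.findall("global/remote"):
            if (rem.findtext("connection") or "").strip() == "syslog":
                report["syslog_remote_under_global"] = True
        for rem in cfg.findall("remote"):
            if (rem.findtext("connection") or "").strip() != "syslog":
                continue  # the agent listener, not the syslog one
            report["syslog_remote_in_ossec_config"] = True
            # allowed-ips may be repeated; each entry is a single host or a CIDR range.
            for allowed in rem.findall("allowed-ips"):
                net = ipaddress.ip_network(allowed.text.strip(), strict=False)
                if device in net:
                    report["device_allowed"] = True
            # local_ip is the address the manager binds, so it must be the manager's.
            if (rem.findtext("local_ip") or "").strip() == manager_ip:
                report["local_ip_is_manager"] = True
        if (cfg.findtext("global/logall") or "").strip().lower() == "yes":
            report["logall_enabled"] = True
    return report


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_remote_syslog(conf, "172.20.1.4", "172.20.1.1"))
```

Run it against a copy of the real file by reading /var/ossec/etc/ossec.conf into `conf_text`; a `logall_enabled` of True is the reminder to switch archiving back off once troubleshooting is done.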

Madison !

Sep 30, 2021, 6:28:12 AM
to Wazuh mailing list

Alexander, I added it below the vulnerability detector. Where can I see the logs of the Mikrotik?

  </vulnerability-detector>
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>172.20.1.0/24</allowed-ips>
  <local_ip>172.20.1.4</local_ip>
</remote>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

Thursday, September 30, 2021 at 00:59:03 UTC+6, alexander...@wazuh.com:

Alexander Bohorquez

Oct 1, 2021, 9:11:19 AM
to Wazuh mailing list
Hello Madiartumarbayev,

If you have correctly configured both the Mikrotik to send the logs, and the wazuh-manager to receive them, then you will see the logs stored as events in the file /var/ossec/logs/archives/archives.log.

This file contains all the events received by the wazuh-manager (even if they do not match any rule or decoder), so in case you have more agents connected, it might be easier to filter this file by the device hostname or IP address. For example:

# grep <firewall_ip> /var/ossec/logs/archives/archives.log

By default, the option to store these events in the archives.log file is disabled, as, in environments where there are many agents and events per second, this can cause the disk to fill up in a short time. To enable it you will have to change the "<logall>" option in /var/ossec/etc/ossec.conf from:

<logall>no</logall>

To:

<logall>yes</logall>

And then restart the wazuh-manager:

# systemctl restart wazuh-manager

After this, you will be able to see whether the wazuh-manager is receiving the device logs correctly by checking if any event corresponding to the firewall is stored in /var/ossec/logs/archives/archives.log.

NOTE: remember to disable the "logall" option in the manager and restart the service after finishing the troubleshooting. 

As mentioned previously, in this case, you will have to create custom decoders and rules to generate alerts when these logs arrive in the manager. These generated alerts are the events you will see on the discover page of Kibana.

To create custom decoders and rules you can have a look at the following documentation links:
Once you have created them, try using the logtest tool to verify that the logs will generate alerts properly when they arrive at the manager. This tool is located at /var/ossec/bin/wazuh-logtest. Reference: wazuh-logtest.

I hope this information helps. Please let us know if you have any other questions.
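The grep above has a pitfall worth knowing when you filter archives.log: an unescaped dotted address also matches longer addresses (172.20.1.40 for 172.20.1.4) and matches the manager's own address whenever it appears inside a message body. The following is an added example, not code from this thread or from Wazuh, that shows a plain substring match beside an anchored one and beside a match on the sender field only, counts lines per sender, and flips the logall flag in ossec.conf text so it can be switched back off afterwards. The sample lines are constructed; their layout (timestamp, sender, "->", location, message) is an assumption about archives.log, and the Mikrotik-style message bodies are invented.

```python
import re
from collections import Counter

# Constructed lines in the shape of archives.log entries. Not real captures.
SAMPLE_ARCHIVES = """\
2021 Oct 01 09:11:19 172.20.1.1->172.20.1.1 firewall,info forward: in:ether1 out:bridge, proto TCP (SYN), 10.0.0.5:51234->172.20.1.4:514, len 60
2021 Oct 01 09:11:20 172.20.1.10->172.20.1.10 system,info,account user admin logged in via winbox
2021 Oct 01 09:11:21 wazuh-manager->/var/log/auth.log Oct  1 09:11:21 wazuh-manager sshd[1234]: Accepted publickey for ops from 172.20.1.40 port 50000
2021 Oct 01 09:11:22 172.20.1.1->172.20.1.1 system,error,critical login failure for user root from 203.0.113.9 via ssh
"""


def grep_like(archives_text, ip):
    # What the plain grep from the thread does: a substring match, so
    # 172.20.1.4 also hits 172.20.1.40 and 172.20.1.4:514 inside a message.
    return [l for l in archives_text.splitlines() if ip in l]


def ip_pattern(ip):
    # Escape the dots and refuse to match inside a longer dotted address.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def anchored_grep(archives_text, ip):
    # Better, but still matches the address anywhere in the line.
    pat = ip_pattern(ip)
    return [l for l in archives_text.splitlines() if pat.search(l)]


def source_of(line):
    # The sender sits just before the first "->"; partition once so a "->"
    # inside the message body (e.g. a firewall flow) is ignored.
    head, sep, _ = line.partition("->")
    if not sep:
        return None
    return head.rsplit(" ", 1)[-1]


def lines_from_device(archives_text, device_ip):
    # Only lines whose sender is the device count as "logs from the Mikrotik".
    pat = ip_pattern(device_ip)
    out = []
    for line in archives_text.splitlines():
        src = source_of(line)
        if src and pat.fullmatch(src):
            out.append(line)
    return out


def count_by_source(archives_text):
    # Quick overview of which senders are actually reaching the manager.
    return Counter(s for s in map(source_of, archives_text.splitlines()) if s)


def set_logall(conf_text, enabled):
    # Flip <logall> in ossec.conf text; the thread reminds you to set it back
    # to "no" after troubleshooting because archives.log grows quickly.
    value = "yes" if enabled else "no"
    new_text, n = re.subn(r"<logall>\s*(?:yes|no)\s*</logall>",
                          f"<logall>{value}</logall>", conf_text)
    if n == 0:
        raise ValueError("no <logall> element found; add one inside <global>")
    return new_text


if __name__ == "__main__":
    manager = "172.20.1.4"
    print("naive grep hits for manager IP:", len(grep_like(SAMPLE_ARCHIVES, manager)))
    print("anchored hits:", len(anchored_grep(SAMPLE_ARCHIVES, manager)))
    print("lines actually sent by", manager, ":", len(lines_from_device(SAMPLE_ARCHIVES, manager)))
    print(count_by_source(SAMPLE_ARCHIVES))
```

On the sample, grepping for the manager's address 172.20.1.4 returns two lines, the anchored pattern returns one, and the sender-field match returns none, which is the honest answer: nothing in that file came from 172.20.1.4. Point `lines_from_device` at the Mikrotik's address and `count_by_source` at the whole file to confirm the device is reaching the manager at all before writing decoders.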
