Wazuh TLS

[Jorge Moya Albarran]

Good afternoon,

We are trying to integrate an EDR (Coro Cybertix) into Wazuh's Syslog, but we have not been able to do so.

Looking at the manufacturer's information, we see that the connection has to be TLS. Does the syslog part of Wazuh support TLS?

 

And if it does, how could I configure it?

Kind regards.

[Olamilekan Abdullateef Ajani]

Hello Jorge,

Wazuh Server communication with the agent is secure, as the message protocol uses AES encryption by default, with 128 bits per block and 256-bit keys. More about this here. The situation is not the same for logging over syslog, as this does not support TLS. You can find configurable options in the documentation below:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

That being said, what you need is an intermediary, and this is where rsyslog comes into play, because it can support TLS between it and your EDR. Then you can install the Wazuh agent on the rsyslog server to capture the log and forward it to the Wazuh manager via an encrypted channel for decoding. I have shared configuration options below for TLS over syslog for your reference.

https://documentation.solarwinds.com/en/success_center/loggly/content/admin/rsyslog-tls-configuration.htm

https://www.rsyslog.com/doc/tutorials/tls.html
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

Please let me know if you require further clarification on this.