Hi,

Yes, the wazuh-manager can be configured to receive events via remote syslog. You can find the related documentation here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

Basically, you will have to add a block like the following in the /var/ossec/etc/ossec.conf file of your wazuh-manager.
<remote>
  <connection>syslog</connection>
  <port>513</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.0/24</allowed-ips>
</remote>
Note: Change the port, protocol and allowed-ips values to yours.
After restarting wazuh-manager (systemctl restart wazuh-manager) you will start receiving events sent by remote syslog.
You will probably have to create custom decoders and/or rules to generate the alerts in the cases you want.
Checks to validate your configuration and reception of events:
# netstat -tunap | grep wazuh
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN 1408/wazuh-remoted
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN 1407/wazuh-remoted
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 1127/wazuh-authd
Check that the wazuh-manager is receiving the events. To do this you can temporarily enable the <logall>yes</logall> option in your wazuh-manager /var/ossec/etc/ossec.conf file to store all received events in the /var/ossec/logs/archives/archives.log file. By looking at the contents of that file or monitoring it (for example with tail -f) you can see if the wazuh-manager receives the events sent by McAfee ePO syslog. You can use these events to build the regex of your decoders and/or rules.

Note: Remember to disable <logall> when you finish and restart the wazuh-manager, to avoid logging all events in that file and possibly unnecessary disk usage.
I hope this information helps you; if you have any questions about it, don't hesitate to ask.
Regards.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/G7FXox07gPM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/84ef9cd5-ff7a-4e18-8ac5-05a16a6b9f31n%40googlegroups.com.
Hi,
Can you share the configuration you have applied?
Note the network range you have applied in the <allowed-ips>x.x.x.x/xx</allowed-ips> configuration. Perhaps the IP is not included in that range and that is blocking such communication.

Have you checked on the wazuh-manager side if it is receiving information from such events?
If possible, I would try to configure remote syslog on the host where you want to send the events (you can find info here https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/), and see if the same problem still occurs (to rule out that it is a problem of the software you are using to send the events).
Regards.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7e8cf37c-1e1a-4688-9815-5b11971e4dc6n%40googlegroups.com.
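The two replies above both come down to the same check: is the `<remote>` syslog block present, and does its `<allowed-ips>` range actually contain the address the sender uses? The following is an added example, not code from the thread or from the Wazuh project: it parses `<remote>` blocks out of ossec.conf text, lists the syslog listeners you should expect to see in `netstat`, and tests whether a given sender IP is covered. The sample configuration is constructed from the block posted in the first reply; the prefix-style fallback for non-CIDR `<allowed-ips>` values is an assumption.

```python
"""Check Wazuh <remote> syslog blocks and <allowed-ips> coverage (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the block from the first reply, plus the default agent
# listener, wrapped in the <ossec_config> element a real ossec.conf uses.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
"""


def parse_remote_blocks(conf_text):
    """Return one dict per <remote> block. ossec.conf may hold several
    top-level <ossec_config> elements, so wrap the text in a synthetic root."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    blocks = []
    for rem in root.iter("remote"):
        blocks.append({
            "connection": (rem.findtext("connection") or "").strip(),
            "port": int((rem.findtext("port") or "0").strip()),
            "protocol": (rem.findtext("protocol") or "").strip().lower(),
            # A block may list several <allowed-ips> entries.
            "allowed_ips": [e.text.strip() for e in rem.findall("allowed-ips") if e.text],
        })
    return blocks


def expected_syslog_listeners(conf_text):
    """Set of (protocol, port) pairs wazuh-remoted should expose for syslog;
    compare against `netstat -tunap | grep wazuh-remoted`."""
    return {(proto, b["port"]) for b in parse_remote_blocks(conf_text)
            if b["connection"] == "syslog" for proto in b["protocol"].split(",")}


def syslog_sender_allowed(conf_text, sender_ip):
    """True if some syslog block lists a range containing sender_ip.
    A syslog block with no <allowed-ips> admits no sender here."""
    ip = ipaddress.ip_address(sender_ip)
    for blk in parse_remote_blocks(conf_text):
        if blk["connection"] != "syslog":
            continue
        for entry in blk["allowed_ips"]:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:  # assumption: treat "192.168.2." style as a prefix
                if entry.endswith(".") and sender_ip.startswith(entry):
                    return True
    return False
```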