Monitoring switch with a Wazuh server remote

Daniele Berardi

Aug 27, 2024, 6:29:01 AM
to Wazuh | Mailing List
Good morning everybody,
I'm looking to monitor a switch using syslog.
I saw this page:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

But I can't see the part about how to connect to a remote Wazuh server.
In my case the Wazuh server is on a VM in the cloud; the agents installed on the PCs work very well, but with the configuration for monitoring the switch I have some problems.

Can someone help me?

Lamya Imam

Aug 27, 2024, 7:36:56 AM
to Wazuh | Mailing List
Hello Daniele Berardi,

First, configure your switch to forward logs to a remote syslog server.

There are different log collection methods in Wazuh for agentless network devices.

You can forward the logs to a syslog server and use localfile to forward the logs to Wazuh, or you can forward the logs directly to Wazuh via syslog forwarding.

If you want to forward the logs using Rsyslog you can follow this documentation:
https://wazuh.com/blog/monitoring-network-devices/

In order to forward switch logs directly to your Wazuh server, you can configure log collection via remote syslog:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html#configuring-syslog-on-the-wazuh-server

This would entail adding a block similar to the following to your ossec.conf file:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>


The allowed-ips label is mandatory. The configuration will not take effect without it.

If you need a more detailed configuration, here's the documentation with all the parameters you can include in the remote block:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#remote

Next, check if the relevant logs are forwarded to your Wazuh manager.
For this, you can try the following steps:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our documentation:
Wazuh Documentation | logall

This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Check whether there are any relevant logs inside the archives log. Use grep with a keyword related to the logs:
grep Keyword /var/ossec/logs/archives/archives.log

Test those logs using logtest to find out whether they are decoded by the decoders and matched by the rules.

Check this document to get help with the logtest tool:
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html#testing-decoders-and-rules

Based on the findings of your logtest, write custom decoders and rules:
Custom decoders
Custom rules

Check this document for the ruleset XML syntax:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html#ruleset-xml-syntax

Hope this helps! Let me know if you need further assistance on this!
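As an added example (my own code, not from the thread and not part of Wazuh), here is a small Python checker for the syslog <remote> block described in the reply above. It parses an ossec.conf fragment, insists on <allowed-ips> exactly as the reply states, validates port and protocol, and flags a CIDR with host bits set: the value 192.168.2.15/24 shown above means the whole 192.168.2.0/24 network, not the single host .15, which is easy to get wrong when the manager sits in a cloud VPC. SAMPLE_CONF is constructed; its first block repeats the reply's values and its second block deliberately omits <allowed-ips>.

```python
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment. The first <remote> repeats the block from the
# reply above (note the 192.168.2.15/24 value); the second is a constructed
# block that omits <allowed-ips> to show the failure case the reply warns about.
SAMPLE_CONF = """\
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>10514</port>
    <protocol>udp</protocol>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several top-level <ossec_config> elements, so it is not
    one well-formed XML document; wrap it in a synthetic root before parsing."""
    return ET.fromstring("<wrapper>" + text + "</wrapper>")


def check_allowed_ip(value):
    """Return (severity, message) for one <allowed-ips> value, or None if it is fine."""
    value = value.strip()
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return ("error", f"allowed-ips {value!r} is not an IP address or CIDR range")
    if "/" in value and ipaddress.ip_address(value.split("/")[0]) != net.network_address:
        # e.g. 192.168.2.15/24: the mask makes this the whole 192.168.2.0/24,
        # not the single host .15; write the network address or drop the prefix.
        return ("warning", f"allowed-ips {value!r} has host bits set; it means {net}, "
                           f"not the host {value.split('/')[0]}")
    if net.prefixlen == 0:
        return ("warning", f"allowed-ips {value!r} accepts syslog from any source")
    return None


def check_remote_blocks(conf_text):
    """Return [(block_number, severity, message)] for every syslog <remote> block."""
    findings = []
    for idx, rem in enumerate(parse_ossec_conf(conf_text).iter("remote"), start=1):
        if (rem.findtext("connection") or "").strip() != "syslog":
            continue  # agent ("secure") connections are out of scope here
        proto = rem.findtext("protocol")
        if proto is not None and proto.strip().lower() not in ("tcp", "udp"):
            findings.append((idx, "error", f"protocol {proto.strip()!r} must be tcp or udp"))
        port = rem.findtext("port")
        if port is not None and not (port.strip().isdigit() and 1 <= int(port) <= 65535):
            findings.append((idx, "error", f"port {port.strip()!r} is not a valid port number"))
        allowed = [e.text or "" for e in rem.findall("allowed-ips")]
        if not allowed:
            # As the reply states: without allowed-ips the block does not take effect.
            findings.append((idx, "error", "no <allowed-ips>; this syslog block will not take effect"))
        for value in allowed:
            result = check_allowed_ip(value)
            if result is not None:
                findings.append((idx, *result))
    return findings


if __name__ == "__main__":
    # Run against the real file with: python3 check_remote.py /var/ossec/etc/ossec.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for block, severity, message in check_remote_blocks(text):
        print(f"remote block {block}: {severity}: {message}")
```

Two practitioner caveats the checker cannot see: with the manager on a cloud VM, allowed-ips must cover the switch's source address as the manager sees it (after any NAT on the path), and the cloud security group or firewall must open the same port and protocol. Syslog in this setup is plaintext and unauthenticated, so allowed-ips is the only access control on that listener; across the Internet a VPN or tunnel between the switch's site and the VM is the safer path.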

Daniele Berardi

Aug 29, 2024, 3:25:22 AM
to Wazuh | Mailing List
Good morning Lamya,
I followed the guide and the log is correctly received by syslog.
I tried to make a decoder for the logs, but it doesn't work.

I tried with the ruleset test and the log is decoded with the symantec decoder.
What can I do?

Thank you for the support!

Lamya Imam

Aug 29, 2024, 4:53:34 AM
to Wazuh | Mailing List
Hello Daniele Berardi,

First, we need to make sure that the log from the syslog server is forwarded to Wazuh.

Could you please share the log from the archives.json file of your Wazuh manager?
grep Keyword /var/ossec/logs/archives/archives.log

To enable the archives.json log, set <logall_json>yes</logall_json> in the /var/ossec/etc/ossec.conf file. You will then be able to observe the incoming log generated by your endpoint.

Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Reference: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

Let me know!

Daniele Berardi

Aug 29, 2024, 5:58:27 AM
to Wazuh | Mailing List
Hello,
Filtering on DPW-SW1, I tried a logger test from the switch, and this is the result from archives.log:

2024 Aug 29 11:42:45 DPW-SW1->/var/log/syslog Aug 29 11:42:44 DPW-SW1 74acb943ac7a,US-24-G1-7.0.50+15613: user: test

Lamya Imam

Aug 29, 2024, 9:43:34 AM
to Wazuh | Mailing List
Hi,

As Wazuh is receiving the log from the syslog server, the log that you have provided is a generic information-level log, for which the rules are usually set to level 0. It is already detected by Wazuh but not shown in the dashboard because its level is 0 [screenshot provided for reference].

If you want to see alerts for information-level logs on your dashboard, you can create a custom rule based on the existing rules.
For example:
For the existing rule id 7300, which was triggered by the log "Aug 29 11:42:44 DPW-SW1 74acb943ac7a,US-24-G1-7.0.50+15613: user: test"

We can create a custom rule like this:
<group name="symanteclog,">
  <rule id="100010" level="10">
    <if_sid>7300</if_sid>
    <hostname>Agent_name</hostname>
    <description>Custom Informational Symantec AV rules.</description>
  </rule>
</group>

Creating custom rules will depend on the logs that you are receiving. Similarly, you can create custom rules for alerts as shown above.

Hope this answers your question!
Attachments: Screenshot 2024-08-29 193308.png, Screenshot 2024-08-29 192716.png
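As an added example (my own code, not from the thread and not Wazuh's), the script below shows what the "write custom decoders and rules" step from the first reply looks like for the switch line posted above, and why it ended up under the Symantec decoder and rule 7300 at level 0. It splits an archives.log line into the manager's prefix and the original syslog message, pre-decodes the syslog header into hostname, program_name and log the way Wazuh does (an approximation written from the line's shape), and then applies an assumed switch decoder that gates on the program_name "74acb943ac7a,US-24-G1-7.0.50+15613" instead of on the free-text message "user: test". The decoder and rule names, the regexes, the rule id 100100 and the two extra log lines are all mine and constructed; the equivalent Wazuh XML is given in a comment as an assumption to confirm with wazuh-logtest, not as a tested ruleset.

```python
import re

# The archives.log line posted in the thread, plus two constructed lines: a
# second message in the same switch format and an sshd line that must not match.
ARCHIVE_LINES = [
    "2024 Aug 29 11:42:45 DPW-SW1->/var/log/syslog Aug 29 11:42:44 DPW-SW1 "
    "74acb943ac7a,US-24-G1-7.0.50+15613: user: test",
    "2024 Aug 29 11:50:02 DPW-SW1->/var/log/syslog Aug 29 11:50:01 DPW-SW1 "
    "74acb943ac7a,US-24-G1-7.0.50+15613: user: login failed",  # constructed
    "2024 Aug 29 11:51:10 DPW-SW1->/var/log/syslog Aug 29 11:51:09 DPW-SW1 "
    "sshd[1234]: Accepted password for admin from 10.0.0.5 port 4000 ssh2",  # constructed
]

# archives.log prefixes every event with the manager's timestamp and "<source>-><file>".
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<location>\S+->\S+) (?P<raw>.*)$")

# BSD-syslog header as Wazuh pre-decodes it (approximation): timestamp, hostname,
# program_name (everything up to the first '[' or ':'), optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$")

# Assumed custom decoder for this switch (names and patterns are mine, not the
# thread's). It gates on the program_name shape "<12 hex>,US-..." rather than on
# message text, so a generic message such as "user: test" is not left to an
# unrelated decoder. Equivalent Wazuh XML for /var/ossec/etc/decoders/local_decoder.xml
# (assumption; confirm with /var/ossec/bin/wazuh-logtest):
#
#   <decoder name="dpw-switch">
#     <program_name>^\w+,US-</program_name>
#   </decoder>
#   <decoder name="dpw-switch-fields">
#     <parent>dpw-switch</parent>
#     <regex>^(\S+): (\.+)$</regex>
#     <order>tag, message</order>
#   </decoder>
#
# and a rule for /var/ossec/etc/rules/local_rules.xml, at level 3 so it is
# alerted, unlike the level-0 rule 7300 discussed above:
#
#   <group name="dpw-switch,">
#     <rule id="100100" level="3">
#       <decoded_as>dpw-switch</decoded_as>
#       <description>Switch syslog: $(tag): $(message)</description>
#     </rule>
#   </group>
SWITCH_PROGRAM_RE = re.compile(r"^[0-9a-f]{12},US-")
SWITCH_LOG_RE = re.compile(r"^(?P<tag>[^:]+): (?P<message>.*)$")


def decode(archive_line):
    """Split one archives.log line like Wazuh's pre-decoder, then apply the
    assumed switch decoder. Returns the fields a rule could match on."""
    m = ARCHIVE_RE.match(archive_line)
    if m is None:
        raise ValueError("not an archives.log line")
    event = {"location": m["location"]}
    s = SYSLOG_RE.match(m["raw"])
    if s is None:
        event["log"] = m["raw"]  # no syslog header: keep the whole text as log
        return event
    event.update({k: s[k] for k in ("hostname", "program_name", "pid", "log")})
    if SWITCH_PROGRAM_RE.match(event["program_name"]):
        event["decoder"] = "dpw-switch"
        fields = SWITCH_LOG_RE.match(event["log"])
        if fields is not None:
            event.update(fields.groupdict())
    return event


if __name__ == "__main__":
    for line in ARCHIVE_LINES:
        print(decode(line))
```

Feed the raw syslog part of the line (everything after "DPW-SW1->/var/log/syslog ") to wazuh-logtest before and after adding the decoder: the "Phase 2" output should name dpw-switch instead of the Symantec decoder, and "Phase 3" should show rule 100100. If the Symantec decoder still claims the line, the <ruleset> block in ossec.conf accepts a <decoder_exclude> entry for that decoder file.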

Daniele Berardi

Aug 29, 2024, 10:34:06 AM
to Wazuh | Mailing List
Hello Lamya,
Thank you for the answer.

Everything you say is correct; I didn't see that the rule level was set to 0.
Testing the log that I sent with the ruleset test, it's decoded with symantec, so that isn't a problem for it to appear in Discover, is that correct?
Now I modified this one to 10. I repeated the log test, but there are no agentless.host:* events in Discover.

Is this filter correct, or am I doing something wrong?

Lamya Imam

Sep 2, 2024, 9:27:21 AM
to Wazuh | Mailing List
Hello Daniele Berardi,

No issues! It will appear in Discover once the log is forwarded to Wazuh.
Running the log test will not make it happen, as it is only used for testing the decoders and rules.

I believe you can see the generated logs from the archives.json log.
Once the log is forwarded to Wazuh, the rule will trigger the alert and show it on the dashboard.

Let me know if you need further assistance on this!
Attachments: Screenshot 2024-09-02 191839.png