TLS Syslog Devices configuration


Nithin Jose

Jun 7, 2022, 8:12:31 AM
to Wazuh mailing list
Hi Connection,

Please support me to know how to configure secure Syslog devices (via TLS Syslog port 6514) in Wazuh.

Best Regards,
Nithin Jose

Emiliano Zorn

Jun 7, 2022, 5:13:22 PM
to Wazuh mailing list
Configure SSL/TLS for rsyslog

If you need, you can configure SSL/TLS with RSyslog for secure communication: How to Configure rsyslog Server to Accept Logs via SSL/TLS

Troubleshooting Syslog data collection

We need to check if the Manager is receiving the log entries and if it is converting them into Alerts. The manager works in this way:
  1. The manager receives the log entry.
  2. The log entry is evaluated against the decoders in order to know whether there is any decoder that can parse the log. If not, the log entry is dropped.
  3. If any decoder is matched, then it is evaluated against the rule set, and if it matches any rule, the log entry is converted into an Alert and logged in the alerts.json|log file.
That being said, we need to know first if the logs are reaching the Wazuh Server. For this, a TCP dump is needed:

tcpdump -i any <protocol> -nn port 514 -AA

This command must be run in the Wazuh Manager server. If you see packets incoming from the IP of the device sending the syslog, we need to check if the logs are being processed by the Wazuh Manager. To check this, we can enable the archives.json file, which will be populated with ALL the log entries received by the manager. To enable it, we need to modify the configuration in the ossec.conf file:

vi /var/ossec/etc/ossec.conf

<ossec_config>
<global>
...
<logall_json>yes</logall_json>
...
</global>
</ossec_config>

Then we need to restart the Wazuh Manager service:

systemctl restart wazuh-manager

After restarting the Wazuh Manager service, we should start seeing some log entries in the archives.json file:

cat /var/ossec/logs/archives/archives.json | grep '"location":"<DEVICE-IP>"'

{"timestamp":"2021-07-04T20:39:03.960+0000","rule":{"level":3,"description":"syslog: Physical root login.","id":"2505","firedtimes":1,"mail":false,"groups":["syslog","access_control"],"pci_dss":["10.2.2"],"gpg13":["7.8"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"012","name":"kefbir","ip":"10.10.10.90"},"manager":{"name":"theshire"},"id":"1625431143.753095","full_log":"Jul 4 20:39:03 kefbir login[424406]: ROOT LOGIN on '/dev/tty1'","predecoder":{"program_name":"login","timestamp":"Jul 4 20:39:03","hostname":"kefbir"},"decoder":{},"location":"<DEVICE-IP>"}

The key here is to look for the IP of the device that is sending the syslog; you can grep for the string '"location":"<DEVICE-IP>"'
If it is there, you will see the rule and decoder matching it, as in our example:
"rule":{"level":3,"description":"syslog: Physical root login." ... "decoder":{}

If there is no information about the decoder and/or rule, it means no decoder is matching it, and there is no rule to convert it into an alert.

Creating Decoders and Rules
If the logs are arriving in archives and not in the alerts file, you need to create a decoder (and a rule or set of rules) for matching the logs from your log file:
Once you have created a decoder and rules for those logs, they will match the rules and will be converted into an alert, and you will see this reflected in the alerts.json file:

cat /var/ossec/logs/alerts/alerts.json | grep '"location":"/tmp/test-log.log"'

Hope this helps!
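A small checker that applies the decoder/rule test described above to archives.json, as an added example (not code from the thread or from Wazuh): it reads one JSON record per line and counts, per location, entries that produced an alert, were decoded but fired no rule, or were not decoded at all. The sample records are constructed; the device 192.0.2.25 and its messages are assumptions.

```python
import json
import sys
from collections import defaultdict

# Constructed sample of archives.json records, one JSON object per line. The
# first mirrors the record shown in the thread; 192.0.2.25 is a hypothetical
# device whose first message no decoder recognizes.
SAMPLE_ARCHIVES = """\
{"timestamp":"2021-07-04T20:39:03.960+0000","rule":{"level":3,"description":"syslog: Physical root login.","id":"2505"},"agent":{"id":"012","name":"kefbir","ip":"10.10.10.90"},"full_log":"Jul 4 20:39:03 kefbir login[424406]: ROOT LOGIN on '/dev/tty1'","decoder":{},"location":"10.10.10.90"}
{"timestamp":"2021-07-04T20:40:11.100+0000","agent":{"id":"000","name":"theshire"},"full_log":"<134>Jul 4 20:40:11 fw01 custom-appliance: session opened","decoder":{},"location":"192.0.2.25"}
{"timestamp":"2021-07-04T20:41:30.000+0000","agent":{"id":"000","name":"theshire"},"full_log":"<134>Jul 4 20:41:30 fw01 sshd[77]: Accepted publickey for ops","decoder":{"name":"sshd"},"location":"192.0.2.25"}
this line is not JSON and must not crash the checker
"""

def classify_entry(entry):
    """'alert' if a rule fired (the entry is also in alerts.json), 'decoded' if a
    decoder parsed it but no rule matched, else 'undecoded' (needs a decoder)."""
    if (entry.get("rule") or {}).get("id"):
        return "alert"
    if (entry.get("decoder") or {}).get("name"):
        return "decoded"
    return "undecoded"

def summarize_archives(text, location=None):
    """Count records per location; returns (counts, malformed_line_count)."""
    counts = defaultdict(lambda: {"alert": 0, "decoded": 0, "undecoded": 0})
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # a partially written last line is possible on a live file
            continue
        loc = entry.get("location", "<unknown>")
        if location is None or loc == location:
            counts[loc][classify_entry(entry)] += 1
    return dict(counts), malformed

if __name__ == "__main__":
    # On a manager: python3 check_archives.py /var/ossec/logs/archives/archives.json [DEVICE-IP]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVES
    wanted = sys.argv[2] if len(sys.argv) > 2 else None
    summary, bad = summarize_archives(text, wanted)
    for loc, c in sorted(summary.items()):
        print(f"{loc}: {c} -> {'needs decoder/rules' if c['undecoded'] else 'OK'}")
    print(f"malformed lines skipped: {bad}")
```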

Nithin Jose

Jun 8, 2022, 3:54:11 AM
to Wazuh mailing list
Hi Emiliano,

Thanks for your reply. Do we need to apply any configuration changes in the ossec.conf file in the Wazuh Manager to receive secure syslog on port 6514?

Best Regards,
Nithin Jose

Emiliano Zorn

Jun 13, 2022, 4:27:22 PM
to Wazuh mailing list
Hello Nithin!

Yes, you must modify the port in the Remote section, here is a guide detailing the Syslog integration settings.


Regards,
Emiliano Zorn.

Nithin Jose

Jun 15, 2022, 4:51:18 AM
to Wazuh mailing list
Hi Emiliano,

Thanks for your reply. Does Wazuh have support for configuring "secure syslog" as an inbuilt function?

Best Regards,
Nithin Jose

Emiliano Zorn

Jun 22, 2022, 5:35:39 PM
to Wazuh mailing list

Hello team! Sorry for the late reply.

I don't understand what you mean by "Secure syslog". Anyway, Wazuh can run on a wide range of operating systems, but when it is not possible due to software incompatibilities or business restrictions, you can forward syslog events to your environment. This is a common use case for network devices such as routers or firewalls.

Here's the documentation for this.

Let me know if this helps you.
Regards.