Integrating Manage Engine PAM logs to On-Prem Wazuh server


Sushant Pansare

Mar 23, 2026, 4:41:22 AM (3 days ago) Mar 23
to Wazuh | Mailing List
Dear Team,

We want to integrate our on-prem ManageEngine PAM application logs to Wazuh and need steps on how to achieve this.



hasitha.u...@wazuh.com

Mar 23, 2026, 5:13:27 AM (3 days ago) Mar 23
to Wazuh | Mailing List
Hi Sushant,

I believe Manage Engine PAM logs can be forwarded through syslog. Please check this guide for more details:
Ref: https://www.manageengine.com/products/applications_manager/siem-integration.html

If possible, please forward the PAM syslog traffic to the Wazuh server IP over TCP port 514. After that, you can follow the steps on the Wazuh side to start receiving and processing those logs.

There are two ways to collect remote syslog: one is capturing the logs using tools like rsyslog, and forwarding the logs using the Wazuh agent localfile config. The second option is the remote syslog monitoring capability of Wazuh. If you followed the remote syslog monitoring from Wazuh, then you need to follow this. Add the following configuration in between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
For more details, check the above-mentioned document for tag usage and further configuration details. Make sure to restart the manager if you configured the remote syslog on the manager side: systemctl restart wazuh-manager

You can enable archives.json logging on the Wazuh manager, then simulate PAM-related events and capture the logs directly from archives.json. By default, archive logs are disabled due to high storage consumption. Edit the /var/ossec/etc/ossec.conf file and add this:

  <ossec_config>
    <global>
      <logall_json>yes</logall_json>
    </global>
  </ossec_config>
Save the file, then restart the manager again: systemctl restart wazuh-manager

This will log all events to /var/ossec/logs/archives/archives.json, so you can see everything your manager is picking up.

Check the Archive Logs: Now, let’s look for PAM-related logs in the archive: cat /var/ossec/logs/archives/archives.json | grep keyword

Replace keyword with sample log unique content.

Warning: keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager: systemctl restart wazuh-manager

Once you verify that logs are arriving in archives.json, which means the logs are reaching the manager but not showing in the dashboard, this is a common issue when the default decoders and rules do not match. Therefore, you can share sample logs from archives.json so that I can replicate them on my end and share sample decoders and rules based on the logs.

Because in the archives.json logs, we can see the field full_log: "actual log sample", which is the one being parsed by analysis. Therefore, please share the sample logs so we can assist further.

You can check the sample logs from the PAM with /var/ossec/bin/wazuh-logtest to verify the default decoders and rules applying to the sample logs.

Ref:
Decoders Syntax - Ruleset XML syntax
Custom Decoders
Wazuh Regex
Custom rules
Rule syntax

Let me know the update on this to check further.
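As an added example (not part of this thread, and not Wazuh's own tooling), the script below does the archive check described above in a more useful form than a plain grep: it reads archives.json as newline-delimited JSON, keeps only records whose full_log contains the keyword, and separates events that already matched a rule from those that reached the manager but matched nothing. The second group is exactly what you would paste into wazuh-logtest or share for custom decoder work. The sample records embedded here are constructed for the example, the PAM message text and rule id are invented, and the field layout (full_log, decoder, rule, location) is assumed to follow the manager's archive format.

```python
"""Extract keyword-matching samples from a Wazuh archives.json and flag undecoded ones.

Usage: python archive_samples.py /var/ossec/logs/archives/archives.json PAM360
"""
import json
import sys
from typing import Dict, Iterable, List

# Constructed sample lines in the archives.json newline-delimited JSON layout.
# The PAM360 message text, rule id 100001 and decoder name are invented for
# this example; field names are assumed to match the manager's archive format.
SAMPLE_ARCHIVES = "\n".join([
    json.dumps({
        "timestamp": "2026-03-23T09:41:22.000+0000",
        "agent": {"id": "000", "name": "wazuh-manager"},
        "full_log": "<14>Mar 23 09:41:22 pam-host PAM360: user=alice action=PasswordRetrieved resource=db-prod",
        "decoder": {"name": "pam360-custom"},
        "rule": {"id": "100001", "level": 5, "description": "PAM360 password retrieved"},
        "location": "192.168.2.15",
    }),
    json.dumps({
        "timestamp": "2026-03-23T09:42:05.000+0000",
        "agent": {"id": "000", "name": "wazuh-manager"},
        "full_log": "<14>Mar 23 09:42:05 pam-host PAM360: user=bob action=LoginFailed",
        "decoder": {},
        "location": "192.168.2.15",
    }),
    json.dumps({
        "timestamp": "2026-03-23T09:42:09.000+0000",
        "agent": {"id": "000", "name": "wazuh-manager"},
        "full_log": "Mar 23 09:42:09 wazuh-manager sshd[2211]: Accepted publickey for ops from 10.0.0.5",
        "decoder": {"name": "sshd"},
        "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success."},
        "location": "/var/log/auth.log",
    }),
    "this line is not json and is skipped by the parser",
])


def parse_archives(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines (a partially
    written last line is common while the manager is still appending)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_samples(records: Iterable[Dict], keyword: str) -> List[Dict]:
    """Return records whose full_log contains keyword (case-insensitive),
    reduced to the fields needed for decoder/rule troubleshooting."""
    hits = []
    for rec in records:
        full_log = rec.get("full_log", "")
        if keyword.lower() not in full_log.lower():
            continue
        rule = rec.get("rule") or {}
        decoder = rec.get("decoder") or {}
        hits.append({
            "full_log": full_log,
            "location": rec.get("location"),
            "decoder": decoder.get("name"),  # None when no decoder matched
            "rule_id": rule.get("id"),       # None when no rule fired
        })
    return hits


def unmatched_samples(hits: Iterable[Dict]) -> List[str]:
    """full_log strings that reached the manager but fired no rule: these are the
    samples to feed to wazuh-logtest or to share when asking for custom rules."""
    return [h["full_log"] for h in hits if h["rule_id"] is None]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
        keyword = sys.argv[2]
    else:  # no arguments: run against the constructed sample data
        data, keyword = SAMPLE_ARCHIVES, "PAM360"
    hits = find_samples(parse_archives(data), keyword)
    for h in hits:
        status = f"rule {h['rule_id']}" if h["rule_id"] else "NO RULE MATCHED"
        print(f"[{status}] decoder={h['decoder']} location={h['location']}")
        print(f"    {h['full_log']}")
    print(f"{len(unmatched_samples(hits))} of {len(hits)} matching events fired no rule")
```

Run it without arguments to see the behaviour on the constructed data; with a path and keyword it reads the real archive. Reading the file once rather than tailing it is deliberate: archives.json grows quickly while logall_json is on, so take the samples you need and turn logging back off.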