Trend Vision One XDR integration with WAZUH 4.14

Suvadip Ghosh

Jun 9, 2026, 8:53:03 AM
to Wazuh | Mailing List
Dear Team,

I have a running Trend Micro Vision One as a SaaS solution for my environment, and I have a running Wazuh in AWS in a private subnet.

Help me to integrate Vision One logs in Wazuh.

Thanks,

Olamilekan Abdullateef Ajani

Jun 9, 2026, 10:59:41 AM
to Wazuh | Mailing List
Hello,

Since Vision One is a SaaS application and your Wazuh instance is deployed in a private subnet on AWS, I would recommend the following direction.

Vision One SaaS (over TLS) -> rsyslog relay/log collector on EC2 (public subnet) -> Wazuh manager (private subnet).

The first thing to do is install an rsyslog relay on any of your public subnets. Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file. Then ensure rsyslog writes incoming Vision One logs to a dedicated log file. Example: /var/log/visionone.log

Then on the Vision One side, you need to configure it to forward logs to the rsyslog server you just created/configured. You can reference the documentation below:
https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-syslog-connector-premises
Take note of the port, protocol, and relevant information so as to mirror the same on both ends.

Lastly, install an agent on the rsyslog connector to read from the visionone.log file created earlier, which is to be forwarded to the Wazuh manager for decoding.
One option to check if the manager is receiving the events is to enable (temporarily) the logall option and check the /var/ossec/logs/archives/archives.json file to see if there are any log events coming from that remote rsyslog server. Remember to restart the manager after making any changes to the configuration.

Once done, you may need to write custom decoders and rules for the logs; you can refer to the documentation below. But if you require further assistance on writing those decoders and rules, please let me know.
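
The relay setup described in the reply above, as an added sketch that is not part of the original thread and not Wazuh's or Trend Micro's own material: a shell function that stages the rsyslog drop-in for the relay and the two Wazuh ossec.conf fragments so they can be reviewed before being copied into place. The TCP port 6514, the ruleset name `visionone`, the fragment file names and the staging directory are assumptions; mirror whatever port and protocol you set on the Vision One side.

```shell
#!/bin/sh
# Added example: stage relay and Wazuh config fragments for review.
# Assumed (not from the thread): port 6514, ruleset name, fragment file names.
# The listener below is plain TCP; the TLS leg in the reply's diagram needs
# rsyslog's TLS stream driver and certificates, which are not shown here.

stage_visionone_configs() {
    out="${1:-./visionone-staging}"   # staging directory (assumption)
    port="${2:-6514}"                 # must match the port set in Vision One
    mkdir -p "$out" || return 1

    # 1) rsyslog drop-in for the relay (e.g. under /etc/rsyslog.d/).
    #    Binding the input to its own ruleset keeps Vision One events out of
    #    the relay host's own log files. Assumes imtcp is not already loaded
    #    in /etc/rsyslog.conf; drop the module() line if it is.
    cat > "$out/30-visionone.conf" <<EOF
module(load="imtcp")
ruleset(name="visionone") {
    action(type="omfile" file="/var/log/visionone.log")
}
input(type="imtcp" port="$port" ruleset="visionone")
EOF

    # 2) Wazuh agent on the relay: goes inside <ossec_config> in ossec.conf.
    cat > "$out/agent-localfile.xml" <<'EOF'
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/visionone.log</location>
</localfile>
EOF

    # 3) Wazuh manager, temporary check: goes in the <global> section.
    #    logall_json is the option that fills archives.json; restart the
    #    manager after the change and revert it once events are confirmed.
    cat > "$out/manager-global.xml" <<'EOF'
<logall_json>yes</logall_json>
EOF
    echo "$out"
}
```

Call it as `stage_visionone_configs ./staging 6514`, then merge each fragment into the matching file on the relay, the relay's agent and the manager.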
