Naming Syslog

[Tom Hancock]

I have several devices pushing to my wazuh-manager via the syslog, they are now all reporting as wazuh-manager. Is there a way to label them so that I can put them into groups based on their source IP or any of the fields from decoding the logs?

This happens to be several Fortigate Firewalls sending to the syslog and I want to distinguish in groups as we have different teams monitoring the data from the different Firewalls and would like to make it easier to display on the Kibana dashboard.

I could not find anything in the forums on this topic.

Thank you.

[Juan Pablo Saez]

Hi Tom, 

Let me recreate your environment and check the best way to tag the messages and easily distinguish between the two different events sources.

Greetings, JP Sáez  

[Juan Pablo Saez]

Hi Tom,

Is there a way to label them so that I can put them into groups based on their source IP or any of the fields from decoding the logs?

I think you can get these different perspectives for the different teams using the discover tab and combining the proper Kibana filters.  As these events always belong to the Syslog group you should combine the Syslog group filter with the location filter to perform the most accurate queries.

i.e: These two machines are reporting to the Wazuh manager through Syslog:

• machine 1 IP: 192.168.33.32
• machine 2 IP: 192.168.33.170

Filters to check only logs from the machine 1: rule.groups : "syslog" and location : "192.168.33.32"

Filters to check only logs from the machine 2: rule.groups : "syslog" and location : "192.168.33.170"

I hope it helps. Let me know if you need something else.

Greetings JP Sáez

El jueves, 10 de octubre de 2019, 15:22:23 (UTC+2), Tom Hancock escribió:

[Tom Hancock]

Good day, Juan

Thank you for the suggestion. I wanted to see how to do it graphically (for the dashboard) but if I need to go the route of the logs themselves then it is not a problem.

As soon as I get my environment working again I will demonstrate the filtering to the team for them to get used to it.

My docker-nginx is giving a bad gateway (502) all of a sudden.

Appreciate how quickly you got back to me, thank you.

[Juan Pablo Saez]

Hi again Tom,

Yesterday I tried to combine different visualizations in Kibana to fetch the data easily. I think it can be cool for your team:

First, you should create a new dashboard to contain the three visualizations (IP dropdown list, the alerts list, and the Syslog alerts chart).

Now you should create each of the three visualizations:

1. IP Dropdown menu visualization

2. Discover visualization: This visualization lets you view the alerts while you are applying the location filters with the IP dropdown selector. You should create this visualization from the discover tab.

3. Chart visualization

After the creation of this 3 visualizations, you can create a dashboard like the one I showed above by adding the 3 visualizations together:

Let me know if it helps.

Best regards, JP Sáez

[Thomas Hancock]

Thank you for your help Juan

I will implement it in this way. 

I appreciate the effort to assist.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/K0pMtDXvL8k/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8ac605bb-1671-41f0-a8fa-04ea7d377dcb%40googlegroups.com.

--

"You will do what you will do." - Raphe Preeg

[Juan Pablo Saez]

Hi Thomas,

let me know if you need further guidance on this.

Best regards, JP Sáez

To unsubscribe from this group and all its topics, send an email to wazuh+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8ac605bb-1671-41f0-a8fa-04ea7d377dcb%40googlegroups.com.