Log Forwarding from Rsyslog client Wazuh


sahith sobhan

Dec 2, 2021, 9:03:11 PM12/2/21
to Wazuh mailing list
Hi Team, I have a Wazuh setup with the following components.

1. Windows Server - log source (NXLog shipper)
2. Linux Server (Rsyslog + Wazuh agent)
3. Wazuh manager server

Steps
1. NXLog ships the Windows logs from the Windows server in syslog format.
2. The Linux server with Rsyslog installed is configured to grab those logs and save them as ".log" files.
3. The Wazuh agent on the same Linux system is configured to pick up those ".log" files and send them to Wazuh.
4. Wazuh grabs the files and indexes the alerts.

This was the idea and it works up to step 3. However, Wazuh is not grabbing that particular log file, although it is able to get the other local logs of the Linux machine where Rsyslog is installed.

However, when the logs are sent directly from the Windows server to Wazuh using NXLog, it works.
I would appreciate the help of your experts on this issue.

Thank You
Sahith

antonio....@wazuh.com

Dec 3, 2021, 3:34:08 AM12/3/21
to Wazuh mailing list

Hello, sahithsobhan.
First of all, we will need more information about the setup that you are using:

  • Wazuh version
  • Operating system

In order to check whether the event arrives at the manager, you can enable the log_all option. This option makes the Wazuh manager store all the logs (even those that do not create an alert) in the files /var/ossec/logs/archives/archives.log|.json. More about this option here.

  • If the event arrives at the manager but does not create an alert, this means that you need to set up some rules and decoders for the specific logs that are recorded. You can find more information on this page of the documentation.

  • If the event doesn't arrive at the manager (and it isn't logged in the archives file), this means that the manager is not collecting those logs, and you will need to check your configuration.

One other thing I would like to mention is that there is a Windows agent that can take logs from the event channel. You may want to take a look and see whether it fits your needs. In this link of the documentation, you can find which kinds of logs the Wazuh agent can send to the manager.
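As an added illustration of the two checks described in this reply (not code from the thread or from the Wazuh project), here is a small Python script that parses the location prefix of archives.log and alerts.log lines and classifies a monitored file as alerting, collected but not alerting, or not collected at all; the line format, agent name and sample entries are assumptions constructed for the example.

```python
import re
from collections import Counter

# Location prefix Wazuh writes in archives.log and on the second line of
# each alerts.log entry (format assumed for this example):
#   "2021 Dec 03 10:15:00 (agent-name) 10.0.0.5->/var/log/syslog <event>"
#   "2021 Dec 03 10:15:00 manager->/var/log/syslog <event>"
LOCATION_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) )?(?P<src>\S+?)->(?P<path>\S+)"
)

def count_locations(lines):
    """Count events per (agent, path) found in archives.log or alerts.log lines."""
    counts = Counter()
    for line in lines:
        m = LOCATION_RE.match(line)
        if m:
            counts[(m.group("agent") or m.group("src"), m.group("path"))] += 1
    return counts

def triage(archive_lines, alert_lines, agent, path):
    """Apply the two checks from the reply to one monitored file:
    'alerting' if an alert references it, 'collected_no_alert' if it only
    appears in archives.log (rules/decoders needed), 'not_collected'
    otherwise (check the agent's localfile configuration)."""
    key = (agent, path)
    if count_locations(alert_lines)[key]:
        return "alerting"
    if count_locations(archive_lines)[key]:
        return "collected_no_alert"
    return "not_collected"

# Constructed sample lines: the Linux agent "rsyslog-host" ships /var/log/syslog,
# but nothing ever arrives from the file that rsyslog writes for the NXLog feed.
ARCHIVES = [
    "2021 Dec 03 10:15:00 (rsyslog-host) 10.0.0.5->/var/log/syslog Dec  3 10:14:59 rsyslog-host sshd[2001]: Accepted publickey for ops",
    "2021 Dec 03 10:15:01 manager->/var/log/syslog Dec  3 10:15:01 manager CRON[33]: (root) CMD (run-parts)",
]
ALERTS = [
    "** Alert 1638526500.1234: - syslog,sshd,authentication_success,",
    "2021 Dec 03 10:15:00 (rsyslog-host) 10.0.0.5->/var/log/syslog",
    "Rule: 5715 (level 3) -> 'sshd: authentication success.'",
]

if __name__ == "__main__":
    for p in ("/var/log/syslog", "/var/log/nxlog/windows.log"):
        print(p, triage(ARCHIVES, ALERTS, "rsyslog-host", p))
```

A "not_collected" result for the rsyslog output file points at the agent side (the localfile entry and the file's permissions), while "collected_no_alert" points at rules and decoders on the manager.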
