Hi Uthkarsh.
Hope you are doing well today, and thank you for using Wazuh.
Agentless monitoring refers to a type of endpoint monitoring that does not require the installation of an agent or software. This approach uses existing protocols to access and gather information from the monitored endpoint.
The Wazuh agentless monitoring capability uses the SSH (Secure Shell) protocol to collect and transfer events from endpoints to Wazuh. The agentless monitoring is limited and does not provide all the capabilities contained in the Wazuh agent. You can configure the Wazuh agentless monitoring module to monitor files, directories, and Cisco PIX firewall and router configurations. If there is a change to the monitored files and directories or the configuration of the firewall or router, this triggers an alert.
To know more about this you can refer to https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/index.html
To forward syslog events to your environment, it is better to use tools like rsyslog (https://www.rsyslog.com/) to forward the desired logs to the manager, and use logcollector to monitor the already forwarded logs. You can refer to https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html for this. This is a common use case for network devices such as routers or firewalls. You can also refer to https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/ for forwarding logs with rsyslog.
Hope this will be helpful. Please feel free to contact us for any information/issue.
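The rsyslog-plus-logcollector setup described in the reply above, as an added example that is not part of the original message and not Wazuh's own code. It stages an rsyslog listener fragment and the matching `<localfile>` block for review; TCP port 514, the file names, and the log path `/var/log/remote-devices.log` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: stage the two fragments for "rsyslog receives, logcollector reads".
# Assumed, not from the original message: TCP port 514, the output file names,
# and the default log path /var/log/remote-devices.log.

# stage_syslog_intake <output-dir> [log-path] [port]
# Writes both fragments into <output-dir> for review; it never touches /etc or /var/ossec.
stage_syslog_intake() {
    local out="$1"
    local log="${2:-/var/log/remote-devices.log}"
    local port="${3:-514}"
    [ -n "$out" ] || { echo "usage: stage_syslog_intake <output-dir> [log-path] [port]" >&2; return 2; }
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;; esac
    case "$log" in /*) ;; *) echo "log path must be absolute" >&2; return 2 ;; esac
    mkdir -p "$out" || return 1

    # 1) rsyslog on the Wazuh manager host: accept forwarded syslog over TCP and
    #    write it to a single file. A sending Linux host would point at this listener
    #    with a rule such as:  *.* @@<manager-ip>:514   (<manager-ip> is a placeholder)
    cat > "$out/10-remote-devices.conf" <<EOF
module(load="imtcp")
input(type="imtcp" port="$port" ruleset="remote_devices")
ruleset(name="remote_devices") {
    action(type="omfile" file="$log")
}
EOF

    # 2) Wazuh logcollector: <localfile> block to merge into the manager's ossec.conf
    #    so the file written by rsyslog is read and analyzed as syslog.
    cat > "$out/localfile-remote-devices.xml" <<EOF
<localfile>
  <log_format>syslog</log_format>
  <location>$log</location>
</localfile>
EOF
}

# Example call: stage_syslog_intake ./staged /var/log/remote-devices.log 514
```

After review, the first file goes under `/etc/rsyslog.d/` and the second block inside `<ossec_config>` in `/var/ossec/etc/ossec.conf`, followed by a restart of rsyslog and the Wazuh manager. Restrict the listener port to the sending devices with a host firewall rule, since plain syslog over TCP is unauthenticated.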