Logging from Mikrotik to Wazuh


King Arthur

May 22, 2024, 5:24:38 AM
to Wazuh | Mailing List
Hi All,

Has anyone implemented logging from Mikrotik (RB4011iGS+) running v7.12.1 to wazuh?
Really need assistance to have this in place.
Thanks!


Lamya Imam

May 24, 2024, 5:49:38 AM
to Wazuh | Mailing List
Hello Arthur,

I believe you’re setting up your Mikrotik router to send its logs to your Wazuh server.
There are several ways by which you can forward syslogs from network devices to Wazuh server.

You can either forward syslog directly to the Wazuh manager or via an agent using rsyslog.

To directly forward syslog to the Wazuh manager you can follow these steps:

Set up Syslog on Mikrotik:
- Open Mikrotik settings.
- Go to System > Logging.
- Add a new action: remote
  Address: Your Wazuh Server IP
  Port: 514

Configure Wazuh to Receive Logs:
- Edit the Wazuh config file (/var/ossec/etc/ossec.conf).
- Add this block:
  <remote>
    <connection>syslog</connection>
    <port>514</port>
  </remote>
- Restart Wazuh manager:
  systemctl restart wazuh-manager

After you have correctly configured both the Mikrotik to send the logs, and the wazuh-manager to receive them, then you will see the logs stored as events in the file /var/ossec/logs/archives/archives.log. Make sure you have changed <logall>no</logall> to <logall>yes</logall> from the manager’s configuration file to enable archive logs.

To learn more about how to forward syslog events, check out this documentation here

Alternatively, you can configure an rsyslog client to send events to the Wazuh manager.

Here is a step-by-step guideline on how to configure rsyslog client.

Then you can follow the steps mentioned in this blog which provides a walkthrough on using Wazuh to monitor a MikroTik router: https://wazuh.com/blog/monitoring-network-devices/

After forwarding the logs, if the alerts are not reflected on the dashboard you may need to enable archive logs and see whether the logs are actually forwarded or not. However, if the logs are in the archive but not generating alerts, you may need to write a decoder and rules to trigger alerts based on the log.
Reference: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Feel free to knock me if you have any questions.

Philip Ochola

May 24, 2024, 10:01:03 AM
to Lamya Imam, Wazuh | Mailing List
Hi Lamya

Thanks for the feedback.
I implemented the same; however, on restart of services I encountered the below:

[attachment: image.png]
Advise how to resolve, as I cannot now see any agents.





Philip Ochola

May 24, 2024, 10:01:03 AM
to Lamya Imam, Wazuh | Mailing List
Additionally, I am also faced with the below


Lamya Imam

May 27, 2024, 12:22:53 AM
to Wazuh | Mailing List
Hello Philip,

At first, could you please tell me which method you have implemented to forward your logs to Wazuh? Have you made any additional changes after our last conversation?

The issue seems like something related to the user permission.
Do you use the admin role or other user role to access the Wazuh dashboard?
Have you recently made any changes to the user role permissions? If not, I would suggest you restart the Wazuh dashboard service and clear your browser cache and cookies.

If none of the above mentioned solutions works for you, check the ossec.log file to see if there is any error.


I will be waiting for your response!

Philip Ochola

May 27, 2024, 11:38:10 AM
to Lamya Imam, Wazuh | Mailing List
Hi Lamya,

Implemented step 1 as below:


To directly forward syslog to the Wazuh manager you can follow these steps:

Set up Syslog on Mikrotik:
- Open Mikrotik settings.
- Go to System > Logging.
- Add a new action: remote
  Address: Your Wazuh Server IP
  Port: 514

Configure Wazuh to Receive Logs:
- Edit the Wazuh config file (/var/ossec/etc/ossec.conf).
- Add this block:
  <remote>
    <connection>syslog</connection>
    <port>514</port>
  </remote>
- Restart Wazuh manager:
  systemctl restart wazuh-manager

Question 1:
Under adding a new block, do I include the above lines into the file or edit existing lines to match as above?




Lamya Imam

May 28, 2024, 12:39:19 AM
to Wazuh | Mailing List
Hi Phillip,

Usually ossec.conf does not include the syslog part by default, so you have to add this block to allow syslog into the Wazuh manager.

The configuration will be something like this:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.X.X/24</allowed-ips>
  <local_ip>192.168.X.X</local_ip>
</remote>


However, if this is the block you are talking about:
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>

The already existing <remote> block will remain as it is and is not to be edited.


Also, I would suggest you look for any errors in the ossec.log file using the following command:
grep -i -E "error|warn" /var/ossec/logs/ossec.log

Let me know if you have further questions!

Lamya Imam

May 28, 2024, 12:43:46 AM
to Wazuh | Mailing List
Hello Phillip,

I forgot to mention in the last message, my apologies.

The allowed-ips label is mandatory. The configuration will not take effect without it.

Reference:

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

Lamya Imam

May 30, 2024, 2:40:09 AM
to Lamya Imam, Wazuh | Mailing List
Hi Phillip,

Let me know if you require further assistance regarding this matter.


Kind Regards,

Wazuh

Lamya Imam

Security Engineer, Operations




Philip Ochola

Jun 6, 2024, 7:44:23 AM
to Lamya Imam, Wazuh | Mailing List
Hi Lamya

I did as above; still no logs show in Wazuh.

[attachment: image.png]

Allowed IPs - have my local Mikrotik IP address
Local IPs - have Wazuh IP

Mikrotik settings as below:

[attachment: image.png]



Kind Regards,

Philip Ochola

IT Infrastructure and Security Manager

+254 711865017





Lamya Imam

Jun 7, 2024, 3:13:10 AM
to Wazuh | Mailing List
Hi Philip,

For this, you can try the following steps:

Activate the 'logall' option within the manager's ossec.conf file, as outlined in our Documentation: Wazuh Documentation | logall
This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.log file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.log file.
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Check whether there are any relevant logs inside the archive log. Use grep with keywords related to the log:
grep <keyword> /var/ossec/logs/archives/archives.log
Test those logs using logtest to find out whether the logs are decoded by decoders and rules.
Check this document to get help with the logtest tool.
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

Based on the findings of your logtest write custom decoders and rules.
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Let me know if you find anything. I will be waiting for your response!
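To separate the router side from the manager side while troubleshooting "no logs show in Wazuh", it helps to send a known-good syslog line to port 514 from a host you control and then look for it in archives.log as described above. The script below is an added example, not code from the thread or from Wazuh/MikroTik; it builds an RFC 3164 (BSD syslog) line shaped like a RouterOS remote-logging entry (a constructed "topics: message" sample, with the facility/severity numbers assumed here) and sends it over UDP or TCP so the protocol can be matched to the <protocol> value in the manager's <remote> block.

```python
import socket
from datetime import datetime

# RFC 3164 facility/severity numbers. "daemon"/"info" are used as the
# defaults here (an assumption for the example, not router output).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def build_syslog_message(topics, text, hostname="MikroTik",
                         facility="daemon", severity="info", when=None):
    """Return a BSD-syslog line: "<PRI>Mon dd HH:MM:SS host topics: text".
    PRI is facility*8 + severity; the day is space-padded per RFC 3164."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {topics}: {text}"


def send_syslog(line, host, port=514, proto="udp"):
    """Deliver one line the way the manager's <remote> block receives it:
    one UDP datagram, or one newline-terminated record on a TCP stream.
    Returns the number of bytes written."""
    data = (line + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (host, port))
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
        return len(data)


def sample_message():
    """Constructed firewall drop line in RouterOS style with a fixed time,
    so the output is reproducible and easy to grep for in archives.log."""
    return build_syslog_message(
        "firewall,info",
        "drop-input: in:ether1 out:(unknown 0), proto TCP (SYN), "
        "203.0.113.5:51234->192.0.2.10:22, len 60",
        when=datetime(2024, 5, 24, 10, 1, 3))


if __name__ == "__main__":
    import sys  # usage: script.py <manager-ip> [udp|tcp]
    msg = sample_message()
    print(msg)
    if len(sys.argv) > 1:
        send_syslog(msg, sys.argv[1], 514,
                    sys.argv[2] if len(sys.argv) > 2 else "udp")
```

After sending, `grep drop-input /var/ossec/logs/archives/archives.log` on the manager (with logall enabled) tells you whether the listener and allowed-ips are right before you look at decoders and rules.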

Victor Andrade

May 22, 2025, 4:12:08 PM
to Wazuh | Mailing List
Hello Lamya. 

How are you doing?

I have implemented all steps to get Mikrotik logs, but I still can't see them on the Dashboard.

I have already seen the logs in the archives.log and I made the decoder and rules; everything is ok.

How can I see them on Events page?

Thank you in advance.

Victor
