Sysmon logs for Linux endpoints
457 views
Skip to first unread message
Usman Ali
Jun 27, 2022, 7:56:07 AM6/27/22
to Wazuh mailing list
Hi Friends,
I want to know is it helpful to get sysmon/rsyslog from Linux OS .
If we want to do so how can we collect in wazuh
If we successfully collect the logs , where will we it displays on wazuh web application (any filter or specific location on wazuh dashboard)
Thanks
Gonzalo Acuña
Jun 27, 2022, 10:59:26 AM6/27/22
to Wazuh mailing list
Hi.
What Wazuh version are you using?
Yes, Rsyslog is helpful when you can not install the Wazuh agent and Sysmon is useful to extend the monitoring.
For Rsyslog you will need to configure Wazuh manager to receive event logs through syslog:
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html
e.g.:
What Wazuh version are you using?
Yes, Rsyslog is helpful when you can not install the Wazuh agent and Sysmon is useful to extend the monitoring.
For Rsyslog you will need to configure Wazuh manager to receive event logs through syslog:
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html
e.g.:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.1.0/24</allowed-ips>
<local_ip>192.168.1.5</local_ip>
</remote>
For Sysmon here is a guide:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
To filter sysmon events you can use:
rule.groups: sysmon
Regarding syslog, it will depend on the associated rules.
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.1.0/24</allowed-ips>
<local_ip>192.168.1.5</local_ip>
</remote>
For Sysmon here is a guide:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
To filter sysmon events you can use:
rule.groups: sysmon
Regarding syslog, it will depend on the associated rules.
Reply all
Reply to author
Forward
0 new messages