Sysmon logs for Linux endpoints


Usman Ali

Jun 27, 2022, 7:56:07 AM
to Wazuh mailing list
Hi friends,
I want to know: is it helpful to get Sysmon/rsyslog logs from a Linux OS?

If we want to do so, how can we collect them in Wazuh?

If we successfully collect the logs, where will they be displayed in the Wazuh web application (any filter or specific location on the Wazuh dashboard)?

Thanks

Gonzalo Acuña

Jun 27, 2022, 10:59:26 AM
to Wazuh mailing list
Hi.
What Wazuh version are you using?

Yes, rsyslog is helpful when you cannot install the Wazuh agent, and Sysmon is useful to extend the monitoring.

For rsyslog you will need to configure the Wazuh manager to receive event logs through syslog:
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html
e.g.:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
  <local_ip>192.168.1.5</local_ip>
</remote>

For Sysmon here is a guide:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
To filter Sysmon events you can use:
rule.groups: sysmon

Regarding syslog, it will depend on the associated rules.
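The syslog path the reply configures, modelled end to end as an added example (this is not code from the thread or from the Wazuh project): a Linux host's rsyslog forwards RFC 3164 messages over TCP, and the manager's <remote> listener accepts only peers inside <allowed-ips>, reassembles messages from the TCP stream (rsyslog's default TCP framing is one message per newline) and decodes the PRI/timestamp/host/program header. The allowed-ips value is the one from the reply; the function names, the host 192.168.1.10 and the three sample messages are constructed for the example.

```python
"""Model of the rsyslog -> Wazuh <remote> syslog path (added example, not Wazuh code)."""
import ipaddress
import re
from datetime import datetime

# Mirrors <allowed-ips> in the <remote> block from the reply.
ALLOWED_IPS = ["192.168.1.0/24"]
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ALLOWED_IPS]

# Facility and severity names per RFC 3164, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG, the traditional format rsyslog forwards by default
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def build_syslog(facility, severity, hostname, tag, msg, when=None):
    """Client side: format one message as rsyslog forwards it (RFC 3164).
    `tag` is the program name, optionally with a [pid] suffix."""
    pri = facility * 8 + severity
    when = when or datetime(2022, 6, 27, 7, 56, 7)      # fixed stamp so output is reproducible
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}\n"


def parse_syslog(line):
    """Manager side: decode one RFC 3164 line; None for anything malformed."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                    # 23 * 8 + 7 is the largest valid PRI
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "program": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def split_tcp_stream(buf):
    """Split a TCP byte stream into complete newline-terminated messages.
    The unterminated tail is returned so it can be prepended to the next read."""
    *complete, rest = buf.split(b"\n")
    return [c.decode("utf-8", errors="replace") for c in complete if c], rest


def receive(peer_ip, stream):
    """Model of the <remote> syslog listener: refuse peers outside <allowed-ips>
    (returns None); otherwise return (decoded events, unparsed tail)."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in ALLOWED_NETS):
        return None
    lines, rest = split_tcp_stream(stream)
    events = [e for e in map(parse_syslog, lines) if e is not None]
    return events, rest


# Constructed sample: what a host at 192.168.1.10 might forward. The third message
# is deliberately cut mid-line to show how TCP framing leaves a partial tail.
SAMPLE_STREAM = (
    build_syslog(4, 6, "web01", "sshd[2210]",
                 "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2")
    + build_syslog(10, 5, "web01", "sudo",
                   "usman : TTY=pts/0 ; PWD=/home/usman ; USER=root ; COMMAND=/bin/cat /etc/shadow")
    + "<13>Jun 27 07:56:10 web01 logger: partial"
).encode()

if __name__ == "__main__":
    events, tail = receive("192.168.1.10", SAMPLE_STREAM)
    for e in events:
        print(f'{e["facility"]}.{e["severity"]} {e["hostname"]} {e["program"]}[{e["pid"]}]: {e["message"]}')
    print("buffered tail:", tail)
    print("peer outside allowed-ips:", receive("10.0.0.5", SAMPLE_STREAM))
```

On a real Linux client the forwarding side is a single rsyslog rule such as `*.* @@192.168.1.5:514` in a file under /etc/rsyslog.d/ (two `@` signs mean TCP, matching the `<protocol>tcp</protocol>` in the reply; one `@` means UDP), and `logger -n 192.168.1.5 -P 514 -T "test"` sends a one-off message for checking the path. Note that the manager only raises alerts for syslog lines that match a rule, so enable `<logall>yes</logall>` in the `<global>` section while testing to see every received line in /var/ossec/logs/archives/archives.log.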
