Wazuh, log from router with Syslog


Bitemir Myrzash

Jun 19, 2025, 7:32:43 AM6/19/25
to Wazuh | Mailing List
Hello everyone! Can you send me detailed instructions on how to connect the router using the syslog protocol? The ossec.conf file has been configured, but we still can't see the logs.
Router huawei. 
Thanks a lot

Md. Nazmur Sakib

Jun 19, 2025, 8:27:49 AM6/19/25
to Wazuh | Mailing List
Hi Bitemir,

You need to add a configuration like this in your Wazuh manager's ossec.conf. Add the following configuration in between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Please adjust the following information based on your Huawei router's syslog configuration: Port, Protocol, allowed-ips, local_ip.

Where:
allowed-ips = Huawei device IP

After changing the configuration, restart the Wazuh manager using the command


systemctl restart wazuh-manager


You can follow this to check if the logs are properly forwarded to Wazuh Manager.

You can enable the archive JSON format log from your manager's ossec.conf

<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>

After making the changes, make sure to restart the manager.

Now, check the output of this command. Use a keyword related to your log.


cat /var/ossec/logs/archives/archives.json | grep "Keyword_related_to_your_log"
or
cat /var/ossec/logs/archives/archives.json


If you are still not able to see any logs from your router in the archives log it means the issue is with network connectivity.


You can also forward the logs with Rsyslog.

From network devices to a syslog client (e.g. rsyslog in Ubuntu) and then to a file to be read by wazuh-agent/manager (logcollector).


Here are some links with example configurations for this case:

https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html
https://wazuh.com/blog/monitoring-network-devices/

I will suggest using the method with Rsyslog. It is always better to use Rsyslog rather than the syslog listener of the manager. Rsyslog is more scalable and reliable.

After forwarding the logs to the Wazuh manager, you might need to write decoders and rules to trigger alerts on the Dashboard.

Check this document to get help with the rules and decoders

https://documentation.wazuh.com/current/user-manual/ruleset/index.html

Let me know if you need any further assistance.
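As an added example (not part of the thread and not Wazuh project code), the script below does in code what the reply above asks the reader to do by hand: it parses the <remote> syslog block out of an ossec.conf fragment, checks that the router's IP falls inside <allowed-ips> and that port and protocol are sane, builds an RFC 3164 style test line that can be sent to the listener, and searches archives.json-style lines for a keyword. The ossec.conf fragment, the device IP and the archive lines are constructed sample data; the masking of host bits in 192.168.2.15/24 is this example's interpretation, not a statement about Wazuh internals.

```python
"""Sanity checks for a Wazuh <remote> syslog listener (added example, not Wazuh code)."""
import ipaddress
import json
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the <remote> block suggested in the reply above.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
</ossec_config>"""

# Constructed sample archives.json lines (one JSON event per line, as Wazuh writes them).
SAMPLE_ARCHIVES = [
    '{"timestamp":"2025-06-19T07:32:43.000+0000","location":"192.168.2.15",'
    '"full_log":"<134>Jun 19 07:32:43 huawei-gw %%01SHELL: user admin login ok"}',
    '{"timestamp":"2025-06-19T07:32:44.000+0000","location":"/var/log/syslog",'
    '"full_log":"Jun 19 07:32:44 manager sshd[12]: Accepted publickey for ops"}',
    "not json at all",
]


def parse_remote_blocks(conf_text):
    """Return one dict per <remote> block whose <connection> is syslog."""
    root = ET.fromstring(conf_text)
    blocks = []
    for remote in root.findall("remote"):
        fields = {c.tag: (c.text or "").strip() for c in remote if c.tag != "allowed-ips"}
        # allowed-ips may appear several times, so keep it as a list
        fields["allowed-ips"] = [(c.text or "").strip() for c in remote.findall("allowed-ips")]
        if fields.get("connection") == "syslog":
            blocks.append(fields)
    return blocks


def check_listener(block, device_ip):
    """Return a list of problems; an empty list means the block should accept device_ip."""
    problems = []
    proto = block.get("protocol", "udp").lower()  # assumption: udp when <protocol> is omitted
    if proto not in ("tcp", "udp"):
        problems.append(f"unknown protocol {proto!r}")
    try:
        port = int(block.get("port", "514"))
        if not 1 <= port <= 65535:
            problems.append(f"port {port} out of range")
    except ValueError:
        problems.append(f"port {block.get('port')!r} is not a number")
    allowed = block.get("allowed-ips", [])
    if not allowed:
        problems.append("<allowed-ips> is missing; no sender would be accepted")
    else:
        # strict=False masks host bits, so 192.168.2.15/24 is treated as 192.168.2.0/24
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
        if not any(ipaddress.ip_address(device_ip) in n for n in nets):
            problems.append(f"device {device_ip} is not covered by allowed-ips {allowed}")
    return problems


def build_syslog_line(hostname, app, message, pri=134, now=None):
    """RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host app: message (day is space padded)."""
    now = now or datetime.now()
    ts = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{pri}>{ts} {hostname} {app}: {message}"


def send_test_line(line, host, port, protocol="tcp", timeout=3.0):
    """Send one line to the manager's listener; it should then appear in archives.json."""
    data = (line + "\n").encode()
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)


def find_in_archives(lines, keyword):
    """Return the parsed events whose full_log contains keyword (case-insensitive)."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # archives.json should be one JSON object per line; skip anything else
        if keyword.lower() in event.get("full_log", "").lower():
            hits.append(event)
    return hits


if __name__ == "__main__":
    block = parse_remote_blocks(SAMPLE_OSSEC_CONF)[0]
    print("problems for 192.168.2.15:", check_listener(block, "192.168.2.15"))
    print("problems for 10.0.0.5:", check_listener(block, "10.0.0.5"))
    print(build_syslog_line("huawei-gw", "%%01SHELL", "user admin login ok"))
    print(len(find_in_archives(SAMPLE_ARCHIVES, "huawei")), "archive hit(s) for 'huawei'")
```

To use it against a real manager, point send_test_line at the manager's <local_ip> and <port> from a host that is inside <allowed-ips>, then feed the real /var/ossec/logs/archives/archives.json lines to find_in_archives. If the check passes but the test line never reaches the archive, the problem is on the network path (firewall, routing, wrong port or protocol on the router side), which is the same conclusion the reply draws.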
