Syslogs from Cisco firewall - any configuration on Wazuh needed?


SEC

Jul 27, 2022, 5:39:39 AM
to Wazuh mailing list
Hello,

I've configured my Cisco firewall's syslog server to be the Wazuh.
Do I have to do any additional configuration on any Wazuh component in order for it to handle the logs from the firewall?

thanks a lot!


Luis González Romero

Jul 27, 2022, 6:10:57 AM
to Wazuh mailing list

Hello, hope you’re doing great, and thanks for using Wazuh.

After configuring your network device (Cisco firewall) for sending the events to Wazuh, you must configure Wazuh (manager) to accept events from a network device.

If you want to integrate your device network through syslog, you can add this configuration block within your ossec.conf:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
  • allowed-ips can be either a range or individual IPs.

Then, restart the manager:

$ /var/ossec/bin/wazuh-control restart

More info here. Also, here you have a use case blog with the process.

Finally, after adding the configuration you should be able to see the events in your dashboard.

Do not hesitate to ask us if you have any doubts or something else!

Hope this helps you,
Luis.
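
When a device's events do not show up, a quick check is whether its address falls inside the allowed-ips of a syslog listener. The following is an added example, not part of the original reply and not Wazuh's own code: it parses ossec.conf text, finds the syslog <remote> blocks and tests a device address against them. The sample configuration and device addresses are constructed, and it assumes the file has no XML declaration line.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an agent listener plus the syslog block from the reply.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

def syslog_listeners(conf_text):
    """Return one dict per <remote> block whose connection is syslog."""
    # ossec.conf may hold several <ossec_config> roots, which is not
    # well-formed XML on its own, so wrap the text in a single root.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    found = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        nets = [ipaddress.ip_network(e.text.strip(), strict=False)
                for e in remote.findall("allowed-ips") if e.text]
        found.append({
            "port": (remote.findtext("port") or "").strip() or None,
            "protocol": (remote.findtext("protocol") or "").strip() or None,
            "allowed": nets,
        })
    return found

def accepting(conf_text, device_ip):
    """Listeners whose allowed-ips cover device_ip (a range or a single IP)."""
    ip = ipaddress.ip_address(device_ip)
    return [l for l in syslog_listeners(conf_text)
            if any(ip in net for net in l["allowed"])]

if __name__ == "__main__":
    for ip in ("192.168.2.10", "10.0.0.5"):  # constructed device addresses
        hits = accepting(SAMPLE_CONF, ip)
        print(ip, [(l["port"], l["protocol"]) for l in hits] or "not allowed")
```

To check a live manager, pass the contents of /var/ossec/etc/ossec.conf as conf_text.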

SEC

Jul 27, 2022, 7:10:00 AM
to Wazuh mailing list
Awesome, thanks a lot :)