Forwarding Synology NAS logs to Wazuh


russell premium

Oct 30, 2024, 11:41:38 PM
to Wazuh | Mailing List
Hi all, I am just wondering: if my Synology NAS has its own file activity log system, would it be possible to send it to Wazuh over a port?

hasitha.u...@wazuh.com

Oct 31, 2024, 12:49:56 AM
to Wazuh | Mailing List
Hi russell,

I can suggest two options to integrate Synology NAS logs with Wazuh.
The first one is to configure the Wazuh manager's /var/ossec/etc/ossec.conf file to listen for the events forwarded from the Synology NAS.
To do that you can add this code block to the ossec.conf file.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>


Kindly note that the allowed-ips label is mandatory. The configuration will not take effect without it.
For more details about the above tags you can follow this reference.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html#configuring-syslog-on-the-wazuh-server
Once it is configured you can restart the manager.
systemctl restart wazuh-manager

The second way is to send the Synology NAS logs to an endpoint and collect them there using a Wazuh agent.
Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file.
For TCP:
$ModLoad imtcp
$InputTCPServerRun <PORT>


For UDP:
$ModLoad imudp
$UDPServerRun <PORT>


Make sure to review your firewall/SELinux configuration to allow this communication.
Configure rsyslog to forward events to a file by editing the /etc/rsyslog.conf file.
# Storing Messages from a Remote System into a specific File
if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<FILE_NAME.log>
& ~

To perform the following steps, make sure to replace <FILE_NAME.log> with the name chosen for this log.
Deploy a Wazuh agent on the same endpoint with rsyslog installed.
https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
Configure the agent to read the syslog output file by editing the /var/ossec/etc/ossec.conf file.
<localfile>
<log_format>syslog</log_format>
<location>/var/log/<FILE_NAME.log></location>
</localfile>


Run the commands below to restart rsyslog and the Wazuh agent:
systemctl restart rsyslog
systemctl restart wazuh-agent

Finally, you need to create custom decoders and rules to capture the logs.
Refer to these documents to get a proper idea of how to do that.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Let me know if this helps.

Regards,
Hasitha Upekshitha
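Added example (not code from the thread or from the Wazuh project): a small local check for the two ingest paths described in the answer above. It parses a <remote> block in the form posted there, enforces the "allowed-ips is mandatory" rule, reports how many senders an allowed-ips entry really admits (192.168.2.15/24 covers the whole /24, so any host on that subnet can inject syslog into the manager), and shows which source addresses the rsyslog filter `if $fromhost-ip startswith '...'` accepts, since that is a string-prefix test rather than an address comparison. The NAS address 192.168.2.15 and the hardened/broken variants of the block are assumptions constructed for the example.

```python
"""Sanity checks for the two Synology-to-Wazuh ingest paths.

Added example, not from the thread or the Wazuh project.  Constructed input:
the <remote> block as posted, a tightened copy, and a copy missing the
mandatory allowed-ips element.  NAS address 192.168.2.15 is assumed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# The <remote> block exactly as posted in the thread.
POSTED_BLOCK = """<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>"""

# Tightened variant (constructed): only the NAS itself may send syslog.
HARDENED_BLOCK = POSTED_BLOCK.replace("192.168.2.15/24", "192.168.2.15/32")

# Variant with the mandatory element removed (constructed).
NO_ALLOWED_IPS_BLOCK = POSTED_BLOCK.replace(
    "  <allowed-ips>192.168.2.15/24</allowed-ips>\n", "")

NAS_IP = "192.168.2.15"  # assumed address of the Synology NAS


def parse_remote(xml_text):
    """Return the <remote> settings as a dict; allowed-ips becomes a list."""
    root = ET.fromstring(xml_text)
    if root.tag != "remote":
        raise ValueError("expected a <remote> element")
    cfg = {c.tag: (c.text or "").strip() for c in root if c.tag != "allowed-ips"}
    cfg["allowed-ips"] = [e.text.strip() for e in root.findall("allowed-ips") if e.text]
    return cfg


def check_remote(cfg, source_ip):
    """Return a list of findings; an empty list means the block looks right."""
    findings = []
    if cfg.get("connection") != "syslog":
        findings.append("connection must be 'syslog' to receive remote syslog")
    if cfg.get("protocol", "tcp").lower() not in ("tcp", "udp"):
        findings.append("protocol must be tcp or udp")
    if not cfg["allowed-ips"]:
        findings.append("allowed-ips is missing; wazuh-remoted will not accept syslog without it")
        return findings
    src = ipaddress.ip_address(source_ip)
    permitted = False
    for entry in cfg["allowed-ips"]:
        net = ipaddress.ip_network(entry, strict=False)
        if "/" in entry and str(net) != entry:
            findings.append(f"{entry} has host bits set; the prefix actually covers {net}")
        if net.num_addresses > 1:
            findings.append(
                f"{net} admits {net.num_addresses} senders; use {source_ip}/32 for one NAS")
        permitted = permitted or src in net
    if not permitted:
        findings.append(f"{source_ip} is not covered by allowed-ips")
    return findings


def rsyslog_startswith_matches(prefix, sources):
    """Sources accepted by `if $fromhost-ip startswith '<prefix>'`.

    rsyslog's startswith compares strings, so a prefix that is itself a
    complete address also matches longer addresses sharing that text.
    Use `if $fromhost-ip == '<ip>'` when exactly one sender is meant.
    """
    return [ip for ip in sources if ip.startswith(prefix)]


if __name__ == "__main__":
    for name, block in (("posted", POSTED_BLOCK), ("hardened", HARDENED_BLOCK),
                        ("no allowed-ips", NO_ALLOWED_IPS_BLOCK)):
        print(name, check_remote(parse_remote(block), NAS_IP) or ["ok"])
    # Constructed sender addresses: a filter written for 192.168.2.1 also
    # accepts 192.168.2.15 and 192.168.2.150, but not 192.168.20.1.
    senders = ["192.168.2.1", "192.168.2.15", "192.168.2.150", "192.168.20.1"]
    print(rsyslog_startswith_matches("192.168.2.1", senders))
```

Run it with python3; it needs only the standard library. It is a pre-flight check on the configuration text, not a substitute for restarting wazuh-manager and confirming the events in /var/ossec/logs/archives or with wazuh-logtest.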

russell premium

Oct 31, 2024, 2:02:36 AM
to Wazuh | Mailing List
Okay, thank you for your answer, I will try it now.

Tsepo Maroibaki

Oct 31, 2024, 5:07:40 AM
to russell premium, Wazuh | Mailing List

Hi Hasitha, what if I have a syslog server with multiple files within multiple folders, such as /var/log/Rn?



hasitha.u...@wazuh.com

Nov 6, 2024, 7:41:33 AM
to Wazuh | Mailing List
Hi Tsepo,

I would suggest that you please create a new post in the community channel with details about the new query. This will help us to provide more focused support on the issue that you are facing.

Regards,
Hasitha Upekshitha