Wazuh not generating alerts from remote syslog


Cézar

Jul 15, 2022, 2:56:40 PM7/15/22
to Wazuh mailing list
Hi everyone,

I have a problem with setting up the remote syslog connection settings. I have a FortiGate sending messages to Wazuh and I set it up as documented here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html

However, Wazuh is not generating any alerts. I used tcpdump to check that the messages from the FortiGate are arriving.

I have also set up some decoders for the messages in question, and I have tested them with the Wazuh log test tool, as shown in the image attached.

I have also tested the alert by setting up a <localfile> scan and sending the message with echo; this way Wazuh generates the alert perfectly!


I am not sure why Wazuh is not able to generate the alert with the remote configuration. Here is how I set it up, for reference:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>fortigate ip</allowed-ips>
    <local_ip>wazuh ip</local_ip>
  </remote>

Any leads on what I am doing wrong?

Thanks in advance

decoder.png

Ariel Ivan Ojeda

Jul 15, 2022, 3:45:39 PM7/15/22
to Wazuh mailing list

Hi Cezar,

I hope you are well today and thank you for using the Wazuh community!

Regarding your issue, you mention you have verified that Wazuh seems to be receiving the logs, based on your message. Have you ensured the configuration on the FortiGate side matches what you set in the Wazuh manager? TCP/UDP and port, more specifically.

On the other hand, let’s see if the logs are in fact being received and processed by Wazuh:

We can use an option in the Wazuh manager configuration file (ossec.conf) to do this. More information here: logall-json

By default, the manager only writes alerts to the alerts.json file, but if an event does not trigger an alert, it will be discarded. With the logall_json option, we will tell it to write every event it receives to the archives.json file, even if it did not generate an alert. This way we can be sure that the events are in fact reaching the Manager and work from there.

You can use the Wazuh interface to turn on the archives option. Please go to Wazuh->Management->Configuration and click on Edit configuration. Make the change as illustrated below and click Save and then Restart Manager for the changes to take effect.

Ossec.conf.jpg

After this, you can grep the file to make sure the events are written:

grep Fortigate /var/ossec/logs/archives/archives.json

Please let me know your Wazuh manager's version; you can execute this binary to get it:

/var/ossec/bin/wazuh-control info

Please don't forget to turn off the logall_json option afterwards, as it will use more disk space.

Best regards,

Ariel Ojeda.

Cézar

Jul 15, 2022, 4:05:08 PM7/15/22
to Wazuh mailing list
Thanks for the answer Ariel,

I forgot to mention, but I had already tried looking at the archives log by enabling the logall option, and indeed it is not registering any entry about the FortiGate.

To validate that the messages are arriving at port 514 over UDP I used the following command:

tcpdump -i any port 514 -AA

I am no expert at tcpdump, but I think the syntax is correct, and I see a lot of messages arriving. Another thing I noticed is that port 514 only opens when I have set the remote configuration in ossec.conf, so I think the configuration in Wazuh is correct.

Regarding the app version, I am using the following version:
App version: 4.2.5
App revision: 4206-1

When I execute the binary you mentioned, I get the following output, though:
WAZUH_VERSION="v4.2.5"
WAZUH_REVISION="40220"
WAZUH_TYPE="server"

Best regards,
Cézar

Ariel Ivan Ojeda

Jul 19, 2022, 9:32:54 AM7/19/22
to Wazuh mailing list

Hi Cezar,

If you turned on archives and cannot see the logs there, it means the Wazuh manager is not receiving them; otherwise, you should see the logs there. I sent you the grep command using the device name from the log you shared; if this device is sending logs and they are reaching the Wazuh manager, the grep should work.

Try this for tcpdump on the Wazuh manager; please replace DEVICE-IP with the FortiGate IP:

tcpdump -s 0 -i any host DEVICE-IP and udp port 514
tcpdump -s 0 -i any host DEVICE-IP and tcp port 514

Also, please confirm you have set up the device to send the information using the same protocol and port used in the Wazuh manager's configuration. For example, when I tried this, my router didn't let me send using UDP, so I had to change the configuration to TCP in the Wazuh manager. The latest version also allows using both UDP and TCP.

Protocol options

I hope this helps!

Best regards,

Ariel Ojeda.

Cézar

Jul 21, 2022, 1:21:24 PM7/21/22
to Wazuh mailing list
Hello Ariel, thanks again for the answer.

I have tried the tcpdump commands you described and I do not see any messages coming from the FortiGate IP; however, I do see messages arriving at port 514 with the other command I described:

tcpdump -i any port 514 -AA

I also validated that the FortiGate is set to UDP port 514, and Wazuh is configured to receive UDP on 514. However, since no messages are shown from the device IP in question, I am thinking this might be the issue. Any suggestion on how I can troubleshoot it?

Yours faithfully,
Cézar

Cézar

Jul 21, 2022, 1:48:09 PM7/21/22
to Wazuh mailing list
Just an update: I have set allowed-ips to 0.0.0.0/0 and it worked, so it was indeed a problem with the device IP. Not sure why it changes when it arrives, though. Anyway, thanks for all the help.

Ariel Ivan Ojeda

Jul 25, 2022, 8:49:11 AM7/25/22
to Wazuh mailing list
Hi Cézar,

Thank you for the update and I am happy it is working for you now!

I would advise you to change the value of the allowed-ips field, since the way it is set up now allows connections from any IP. Ideally, it should be the specific IP of the device, but since you mention this changes, I would at least specify the network address, as explained here:


I hope this helps,

Best regards,

Ariel.
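The behaviour this thread turns on is that the manager filters remote syslog by the source address of each datagram, so a packet can be visible to tcpdump on port 514 and still never reach archives.json. The following is an added example, not code from the thread or from Wazuh: a small Python model of a UDP syslog listener applying an <allowed-ips> list (host IPs or CIDR networks, as the Wazuh documentation allows) to the peer address of each datagram. It assumes Wazuh's documented semantics and nothing about its implementation; the FortiGate-style log line is constructed, not a capture, and the loopback address stands in for the device IP.

```python
"""Model of <allowed-ips> filtering on a remote syslog listener.

Added example, not Wazuh's own code. Assumption: an event whose source
address is outside every allowed-ips entry is dropped before decoding, so it
never reaches archives.json even though tcpdump sees the packet arrive.
"""
import ipaddress
import socket

# Constructed FortiGate-style syslog line for the demonstration (not a real capture).
SAMPLE_MSG = (
    '<189>date=2022-07-15 time=14:56:40 devname="Fortigate" devid="FG100E"'
    ' logid="0000000013" type="traffic" subtype="forward" level="notice"'
    ' srcip=10.0.0.5 dstip=10.0.1.10 action="accept"'
)


def parse_allowed_ips(entries):
    """Convert <allowed-ips> values into ip_network objects.

    A bare host ("192.168.1.77") becomes a /32. strict=False lets an entry
    with host bits set ("192.168.1.77/24") collapse to its network
    (192.168.1.0/24) instead of raising.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(src_ip, networks):
    """True if the datagram's source address lies inside any allowed network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def simulate_remoted(allowed_entries, msg=SAMPLE_MSG):
    """Deliver one syslog datagram over loopback and apply the allowed-ips check.

    Returns (packet_seen, event_archived): packet_seen is what tcpdump on the
    manager would show; event_archived is whether the event would be written
    to archives.json under this model.
    """
    networks = parse_allowed_ips(allowed_entries)
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for UDP/514
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        sender.sendto(msg.encode(), ("127.0.0.1", port))
        data, (src_ip, _) = listener.recvfrom(65535)
        packet_seen = data == msg.encode()
        # The filter keys on the peer address of the datagram, not on anything
        # inside the payload: NAT or a different egress interface on the
        # device changes this value, which is why a single-host entry fails.
        event_archived = packet_seen and is_allowed(src_ip, networks)
        return packet_seen, event_archived
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    # Source of the loopback datagram is 127.0.0.1, so a single-host entry for
    # the "expected" device IP drops it, while a network or 0.0.0.0/0 accepts it.
    for entries in (["10.0.0.5"], ["127.0.0.0/8"], ["0.0.0.0/0"]):
        seen, archived = simulate_remoted(entries)
        print(f"allowed-ips={entries}: packet seen={seen}, archived={archived}")
```

Run against a real manager the equivalent check is: tcpdump shows the datagram, archives.json (with logall_json on) does not contain it, and the peer address in the tcpdump output differs from the value in <allowed-ips>. The fix Ariel recommends maps to replacing `<allowed-ips>0.0.0.0/0</allowed-ips>` with the device's network, for example `<allowed-ips>192.168.1.0/24</allowed-ips>` (an assumed network; use the one the source address actually falls in), so that an arbitrary host cannot inject syslog events into the manager.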