The Wazuh server can also collect logs via Syslog. This entails adding a block similar to the following to the ossec.conf file of the Wazuh manager:

    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>192.168.2.15/24</allowed-ips>
      <local_ip>192.168.2.10</local_ip>
    </remote>
You can choose from these methods as per your needs.
Now check whether the logs from the devices are properly forwarded to Wazuh. For this, you can try the following steps: to enable the archives.json log, set <logall_json>yes</logall_json> in the /var/ossec/etc/ossec.conf file of the Wazuh manager. Documentation: Wazuh Documentation | logall
This option will allow you to see all the events being monitored by your manager in the /var/ossec/logs/archives/archives.json file. You will then be able to observe the incoming log generated by your endpoint. After setting this option, restart the manager and check the archives.json file. Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Check whether the archive contains any relevant logs, using a grep keyword related to the log you expect (hostname, program name, source IP):

    # cat /var/ossec/logs/archives/archives.json | grep Keyword
Test those logs using the logtest tool (wazuh-logtest on the manager) to find out whether they are decoded by the decoders and matched by the rules.
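Grepping for a keyword shows that a line arrived, but not whether it was decoded or matched a rule. The following script, an added example that is not part of the original post or of Wazuh, reads archives.json line by line and summarizes, for one syslog source IP (the location field for remote syslog events), how many events arrived, how many got a decoder and how many matched a rule; the sample lines are constructed and the field layout is assumed to follow the usual archives.json JSON-per-line format.

```python
import json

# Constructed sample of archives.json lines (one JSON object per line);
# field layout is assumed, values are invented for illustration.
SAMPLE_ARCHIVES = """\
{"timestamp":"2024-05-01T10:00:01.000+0000","agent":{"id":"000","name":"wazuh-manager"},"location":"192.168.2.15","full_log":"May  1 10:00:01 fw01 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234 ssh2","decoder":{"name":"sshd"},"rule":{"id":"5715","level":3,"description":"sshd: authentication success."}}
{"timestamp":"2024-05-01T10:00:02.000+0000","agent":{"id":"000","name":"wazuh-manager"},"location":"192.168.2.15","full_log":"<14>May  1 10:00:02 fw01 custom-app: session opened","decoder":{}}
{"timestamp":"2024-05-01T10:00:03.000+0000","agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log","full_log":"May  1 10:00:03 web01 sudo: root : TTY=pts/0","decoder":{"name":"sudo"},"rule":{"id":"5402","level":3,"description":"Successful sudo to ROOT executed."}}
this line is not JSON and must be skipped
"""


def summarize_archives(lines, source):
    """Summarize archives.json events whose location equals `source`.

    Returns a dict with the number of events seen, how many had a decoder
    assigned, how many matched a rule, and the raw logs that no decoder handled
    (the ones to feed into wazuh-logtest or to write a custom decoder for).
    """
    summary = {"total": 0, "decoded": 0, "matched": 0, "undecoded_logs": []}
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # archives.json should be JSON-per-line; skip anything else
        if event.get("location") != source:
            continue
        summary["total"] += 1
        if event.get("decoder", {}).get("name"):
            summary["decoded"] += 1
        else:
            summary["undecoded_logs"].append(event.get("full_log", ""))
        if "rule" in event:
            summary["matched"] += 1
    return summary


if __name__ == "__main__":
    # Real use: summarize_archives(open("/var/ossec/logs/archives/archives.json").read(), "192.168.2.15")
    result = summarize_archives(SAMPLE_ARCHIVES, "192.168.2.15")
    print(json.dumps(result, indent=2))
```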