Remote syslog issue
USHA GIRI
Jonathan Martín Valera
Hi,
Ok, let’s see what might be going on.
Check if you have correctly configured event logging
As you mentioned, you are looking in the /var/ossec/logs/archives/archives.json file for the events sent from the cisco switch to check if the wazuh-manager is receiving the information or not.
I would like to point out that in this file the wazuh-manager effectively stores all the received events, but by default said storage is disabled. In order for all events received to be stored in that file, it is necessary to edit the following directive in the /var/ossec/etc/ossec.conf file and set it to yes:
<logall_json>yes</logall_json>
To apply these changes, it is necessary to restart the wazuh-manager
systemctl restart wazuh-manager
From now on you should see all the events received by the wazuh-manager and look for the ones related to the cisco switch to check if the communication is correct or not.
Check the wazuh-manager configuration for remote syslog
If you already had this configuration applied, then let’s check if your wazuh-manager configuration to receive events via remote syslog is correct.
First of all, I will refer you to the documentation https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog.
Basically, it consists of adding a new block like the following one under the other <remote> block already existing in the ossec.conf file of the wazuh-manager.
<remote>
<connection>syslog</connection>
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.2.0/24</allowed-ips>
</remote>
As you can see, it is necessary to indicate the port, protocol and the range of ips that you are going to accept to receive events. Check that your configuration is correct (you are sending events through the same port and protocol specified here, as well as verifying if your IP is allowed or not).
Check if there is a connection between the cisco switch and the wazuh-manager for the specified port and protocol
A common problem that often occurs is that there may be a firewall blocking communication through that port and protocol, so make sure this does not happen.
A quick test you can do, if you are using TCP is to check the connection using the telnet command. For example for the above case it would be as follows:
telnet <wazuh_manager_ip> <remote_syslog_port>
If you are connected, you should see something like the following:
$ telnet 172.16.1.100 513
Trying 172.16.1.100...
Connected to 172.16.1.100.
Escape character is '^]'
Note: In my case the
wazuh-managerIP is 172.16.1.100 and port 513/TCP.
Please review them and verify all of the mentioned above:
- Check if you have correctly configured event logging.
- Check the
wazuh-managerconfiguration for remote syslog. - Check if there is a connection between the cisco switch and the
wazuh-managerfor the specified port and protocol. - Check if your cisco switch is configured correctly to send the desired events on the specified port and protocol, and to the IP of the
wazuh-manager.
and share the results obtained for each case.
I hope you find this information helpful.
Best regards.
USHA GIRI
and this is the warning message
Jonathan Martín Valera
Hi,
According to your comments, you have configured the remote syslog block in the wazuh-manager to use 513/UDP. In this case, the telnet command will not work because it is not TCP.
I guess you have configured the cisco switch to send the events to the wazuh-manager IP on port 513/UDP right? (1).
Regarding the Warning message you show, it is probably produced because the wazuh-manager is receiving some message from a not allowed IP address.
With reference to
I discovered that the cisco switch logs were received from different ip, I have the logs in archieves.json from different ip, but it is not shown in the dashboard
do you mean that you had the wrong IP address, you have corrected it and the cisco switch events are already shown in the archives.json file? (2)
Regarding the fact that they do not appear on the dashboard, I will explain the following:
The wazuh-agent or devices through remote syslog send events(logs) to the wazuh-manager, which processes them through its ruleset and decides if it has to generate an alert.
If yes, then that alert is stored in the
/var/ossec/logs/alerts/alerts.jsonfile. This alert will be sent toElasticsearchthroughFilebeatand finally, it will be indexed in the corresponding index ofwazuh-alerts-*to be displayed inKibana.If no, then that event has no impact and nothing is done with it, beyond storing it in the file
/var/ossec/logs/archives/archives.(json|log)in case you have logging enabled.
By all this, I mean that in Kibana you will see the alerts, and in your case, these events sent by the cisco switch may not be generating alerts and that is why you do not see anything in the dashboard.
What you have to do is to see what events the wazuh-manager is receiving and create the corresponding decoders and rules to create your own alert use cases.
I am passing you a reference to the documentation so that you can see related information:
- Custom rules and decoders: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- Testing decoders and rules: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
- Creating decoders and rules from scratch: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
I hope this information is helpful.
If you have any questions related to this topic, please answer questions (1) and (2) and provide as much information as possible so that I can help you.
Best regards.
USHA GIRI
Jonathan Martín Valera
Ok, so if you already have the events in the archives.json, now you have to test if for the logs you are receiving there are already existing decoders and rules that fit your use case, and if not you will have to create them following the indications of the references I shared with you.
If you have any doubts about this, you can ask for help, sharing the event and the use case with which you want to generate the alert.
Best regards.