zscaler logs from rsyslog server isn't dumping logs into the wazuh dashboard
94 views
Skip to first unread message
sahithi
Jun 10, 2024, 3:54:50 AM6/10/24
to Wazuh | Mailing List
Hey there,
so we have a rsyslog server which collects logs from the zscaler and stores them in a specific folder in csv format. we want those logs in wazuh however, the log aren't being pulled into wazuh.The only logs we could see are the server access logs. We need to see the ZPA logs instead. could you kindly help us for the same?
Regards,
Sahithi
Jose Luis Carreras Marin
Jun 10, 2024, 5:21:37 AM6/10/24
to Wazuh | Mailing List
Hello Sahithi
To collect those logs you have two options:
After that, you will need to check the default decoders and rules that Wazuh has, and if you need to, you can create your own custom ones:
To collect those logs you have two options:
- You can configure the Wazuh manager to also receive those logs directly from the rsyslog client. This way, you don't need to save them first. There is an old blog post explaining how to do this:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/ - Another option is to use the Wazuh logcollector module, which works by specifying a directory and takes care of collecting all incoming logs. Link to docu related:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html
After that, you will need to check the default decoders and rules that Wazuh has, and if you need to, you can create your own custom ones:
Remember to check the Wazuh logs and send me any bugs you find.
I hope to help in any way I can. Tell me about any questions or problems you encounter.
I hope to help in any way I can. Tell me about any questions or problems you encounter.
Greetings
Jose
Reply all
Reply to author
Forward
0 new messages