changing syslog from secure in remote section of ossec.conf file causes wazuh-manager to exit with error

Vijay

Aug 7, 2022, 7:21:45 AM
to Wazuh mailing list
Hi, new to the group and Wazuh.
Able to set up Wazuh at home lab running on Proxmox, Ubuntu 22.04.
Have OPNsense also in the same LAN.
Trying to send OPNsense syslog to Wazuh.

As per documentation, modified the ossec.conf file:
<protocol>syslog</protocol>
(changed from secure to syslog)
After saving,
systemctl restart wazuh-manager gives an error exit code.

Could not find an option in OPNsense to send secure syslog messages.

Thanks in advance.
Regards,
vijay

Julio Gasco

Aug 7, 2022, 6:02:05 PM
to Wazuh mailing list

Hi Vijay,

Thanks for using our community!

The documentation you are referring to is the following one I assume:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html#protocol

The protocol section can be either tcp or udp and defines the protocol used.
The option of secure or syslog is defined on the tag

That is why, if you are setting syslog, you will get an error, as it is not an expected value.

You can check the following link with details to ingest remote syslog implementation:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/

An example remote section would look like this:

<remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/24</allowed-ips>
    <local_ip>10.0.0.1</local_ip>
</remote>

Let me know if this helps

Regards!
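
The distinction drawn in the reply above (secure/syslog go in `<connection>`, tcp/udp go in `<protocol>`) can be checked before restarting the manager. The following is an added example, not part of the original thread and not Wazuh's own code; `lint_remote_blocks` and the sample configuration are hypothetical, and accepting a comma-separated `<protocol>` list is an assumption.

```python
import xml.etree.ElementTree as ET

CONNECTIONS = {"secure", "syslog"}  # values the reply gives for <connection>
PROTOCOLS = {"tcp", "udp"}          # values the reply gives for <protocol>

# Constructed sample: block 1 repeats the mistake from the first post,
# block 2 is the remote section from the reply.
SAMPLE = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <protocol>syslog</protocol>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/24</allowed-ips>
    <local_ip>10.0.0.1</local_ip>
  </remote>
</ossec_config>
"""

def lint_remote_blocks(conf_text):
    """Return one finding per bad <connection>/<protocol> value in <remote> blocks."""
    # ossec.conf can hold several <ossec_config> roots, which a strict XML
    # parser rejects, so parse the text inside a synthetic wrapper element.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for n, remote in enumerate(root.iter("remote"), start=1):
        for tag, allowed in (("connection", CONNECTIONS), ("protocol", PROTOCOLS)):
            for el in remote.findall(tag):
                text = (el.text or "").strip()
                # Assumption: <protocol> may list both values, e.g. "tcp,udp".
                values = text.split(",") if tag == "protocol" else [text]
                for value in (v.strip() for v in values):
                    if value in allowed:
                        continue
                    hint = ("; this value belongs in <connection>"
                            if tag == "protocol" and value in CONNECTIONS else "")
                    findings.append(f"remote #{n}: <{tag}>{value}</{tag}> is not "
                                    f"one of {sorted(allowed)}{hint}")
    return findings

if __name__ == "__main__":
    for finding in lint_remote_blocks(SAMPLE):
        print(finding)
```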

Vijay

Aug 8, 2022, 1:45:21 AM
to Wazuh mailing list
Hi Julio,

Thank you for the quick response.
When I change this line
<connection>syslog</connection> from secure to syslog, I get an error on wazuh-manager restart - exit error

Regards,
vijay