capture switch logs


Pritam Mirikar

Aug 14, 2025, 8:35:45 AM
to Wazuh | Mailing List

Hi team,
Here’s our setup:

  • Host: Windows system with a VM installed.
  • Guest VM: Ubuntu 22.04 running Wazuh server.

Currently, we are able to see agent logs and firewall logs in Wazuh.
However, we cannot see network switch logs in Wazuh.

Could you confirm if our setup and process are correct, or if we’re missing any steps to capture switch logs?

Olamilekan Abdullateef Ajani

Aug 14, 2025, 9:19:18 AM
to Wazuh | Mailing List
Hello Pritam,

Your setup looks good; you already confirmed that with the logs you see from the firewall and agent. The question, though, is how you integrated the switch with Wazuh: syslog directly to the Wazuh server, or via a 3rd party or rsyslog?

Next would be for you to check the archives in case your logs are there and are maybe only lacking decoding, because Wazuh may be able to ingest your logs, but they might not match any out-of-the-box decoder, so you may need to write decoders and rules for them.
What brand of switch are we talking about too?

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh-manager.
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"
Verify that you have the logs, then disable archiving by setting the values to no.

If you find your logs, you may need to write custom decoders and rules; please use the documentation below. You can also share sample logs if you need assistance writing the decoders.
Ref:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/index.html
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html

Pritam Mirikar

Aug 19, 2025, 3:45:38 AM
to Wazuh | Mailing List
Hi Olamilekan,

When we try to check the logs, it shows like below:

root@test:/home/vboxuser# sudo cat /var/ossec/logs/archives/archives.json | grep " 10.198.1.80 "
root@test:/home/vboxuser# tcpdump -i any src host 10.198.1.80 and dst port 514
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:24:54.795686 enp0s3 In  IP 10.198.1.80.syslog > test.syslog: SYSLOG local7.info, length: 124
12:27:51.889766 enp0s3 In  IP 10.198.1.80.syslog > test.syslog: SYSLOG local7.info, length: 122
12:27:54.019603 enp0s3 In  IP 10.198.1.80.syslog > test.syslog: SYSLOG local7.notice, length: 66

Can you please give me a decoder and log forwarder for this? It would help me a lot.

Thanks,

Olamilekan Abdullateef Ajani

Aug 19, 2025, 10:19:10 AM
to Wazuh | Mailing List
Dear Pritam,

Could you maybe try another keyword that may exist in the switch log? It may seem as though the filter did not match anything and, as such, did not return any log.

What you shared is the syslog information, which shows that packets are being received from 10.198.1.80 to the test.syslog server.

Did you enable archive as mentioned in the previous response?

You can also try and run the command cat /var/ossec/logs/archives/archives.json directly and look through the logs to see if you can identify the switch logs.

Please let me know what you find.
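
As an added example (not code from this thread or from the Wazuh project), here is a small Python script for the archive check both replies above describe: it walks archives.json line by line, picks out events whose location or full_log carries the switch address, and reports which of them reached a decoder or a rule. The archive field names it reads (location, full_log, decoder.name, rule.id) are an assumption to verify against your own file, and the sample lines are constructed.

```python
"""Scan Wazuh's archives.json (one JSON object per line) for events from one
syslog source and show whether a decoder and a rule matched each of them.
Field names (location, full_log, decoder.name, rule.id) are assumed from the
archive layout this example's author knows; check them against your file."""
import json
import sys

# Constructed sample standing in for /var/ossec/logs/archives/archives.json:
# 10.198.1.80 is from the thread; messages, decoder name and rule id are made up.
SAMPLE_ARCHIVE = """\
{"timestamp":"2025-08-19T12:24:54.795+0000","agent":{"id":"000","name":"test"},"id":"1755606294.1","full_log":"<190>Aug 19 12:24:54 SW-CORE-01 LINK-3-UPDOWN: Interface Gi1/0/12 changed state to down","location":"10.198.1.80"}
{"timestamp":"2025-08-19T12:27:51.889+0000","agent":{"id":"000","name":"test"},"id":"1755606471.2","full_log":"<189>Aug 19 12:27:51 SW-CORE-01 SYS-5-CONFIG_I: Configured from console by admin","decoder":{"name":"switch-custom"},"rule":{"id":"100002","level":3},"location":"10.198.1.80"}
{"timestamp":"2025-08-19T12:27:54.019+0000","agent":{"id":"001","name":"fw01"},"id":"1755606474.3","full_log":"kernel: [UFW BLOCK] IN=eth0 SRC=203.0.113.5","decoder":{"name":"ufw"},"location":"/var/log/syslog"}
"""

def events_from_source(archive_text, source_ip):
    """Return {time, decoder, rule_id, log} for every line whose location or
    full_log contains source_ip. A literal grep for " 10.198.1.80 " (with the
    spaces) never matches the JSON form "location":"10.198.1.80"."""
    hits = []
    for line in archive_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip instead of aborting
        if source_ip not in ev.get("location", "") and source_ip not in ev.get("full_log", ""):
            continue
        hits.append({
            "time": ev.get("timestamp", "?"),
            "decoder": ev.get("decoder", {}).get("name"),  # None: no decoder matched
            "rule_id": ev.get("rule", {}).get("id"),       # None: no rule fired
            "log": ev.get("full_log", ""),
        })
    return hits

def summarize(hits):
    """Count matched events that are still undecoded or triggered no rule."""
    return {"total": len(hits),
            "undecoded": sum(h["decoder"] is None for h in hits),
            "no_rule": sum(h["rule_id"] is None for h in hits)}

if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.198.1.80"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ARCHIVE
    found = events_from_source(text, ip)
    for h in found:
        print(f"{h['time']} decoder={h['decoder']} rule={h['rule_id']} :: {h['log']}")
    print(summarize(found))
```

Without arguments it runs against the embedded sample; on the manager, pass the switch IP and the archive path while logall_json is enabled, and a non-zero "undecoded" count tells you the logs arrive but need a custom decoder.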