Hi exeteste,
You need to configure rsyslog on the endpoint where the Wazuh agent is installed. The installation steps for the Wazuh agent are here:
https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
To configure rsyslog, edit the file /etc/rsyslog.conf and add a rule to store logs from the SonicWall device into a specific file. For example:
You can refer to this documentation for syslog forwarding:
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html
After rsyslog starts storing the SonicWall logs into a file, configure the Wazuh agent to monitor that file using a localfile entry in ossec.conf. For example:
Refer to:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html
Update the configuration with your correct log path and format, then restart the agent.
Once this is done, check the agent log to confirm the file is being monitored:
If the file is being monitored, check the Wazuh dashboard to see if alerts appear.
If you do not see any alerts or events, enable archives logging to confirm whether logs are being received.
Documentation:
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html
Note: enabling archives.json consumes disk space and is not recommended for production environments.
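The steps in the reply above (rsyslog rule, localfile entry, agent-log check) as one worked shell example. This is an added example, not code from the reply or from the Wazuh project. The SonicWall source address 192.0.2.10, the output path /var/log/sonicwall.log, the drop-in path /etc/rsyslog.d/10-sonicwall.conf and the exact wording of the logcollector "Analyzing file" message are assumptions; compare them with your own environment before use.

```shell
#!/bin/sh
# Added example (not from the forum post or Wazuh): helper functions that
# generate the rsyslog rule and the Wazuh <localfile> entry described in the
# reply, plus a check that reads the agent log to confirm the file is monitored.
# The SonicWall address 192.0.2.10, the output path /var/log/sonicwall.log and
# the agent log message wording are assumptions; adjust them to your setup.

# Print an rsyslog (RainerScript) fragment: listen on UDP/514 and write every
# message that arrives from the SonicWall address into its own file.
# Save the output as /etc/rsyslog.d/10-sonicwall.conf and restart rsyslog.
rsyslog_sonicwall_rule() {
    src_ip="$1"      # IP address the SonicWall sends syslog from
    out_file="$2"    # file rsyslog should store the messages in
    cat <<EOF
module(load="imudp")
input(type="imudp" port="514")
if \$fromhost-ip == '$src_ip' then {
    action(type="omfile" file="$out_file")
    stop
}
EOF
}

# Print the <localfile> block to place inside <ossec_config> in ossec.conf so
# the Wazuh agent reads the file rsyslog writes. SonicWall emits syslog-style
# lines, so the "syslog" log_format is used here.
wazuh_localfile_block() {
    log_file="$1"
    cat <<EOF
  <localfile>
    <log_format>syslog</log_format>
    <location>$log_file</location>
  </localfile>
EOF
}

# Return 0 if the agent log reports that logcollector started analyzing the
# given file. The "Analyzing file:" wording is an assumption about the
# start-up message; verify it against your own ossec.log.
file_is_monitored() {
    agent_log="$1"   # usually /var/ossec/logs/ossec.log
    log_file="$2"
    grep -q "Analyzing file: '$log_file'" "$agent_log"
}

# Stand-alone demonstration on a constructed agent log line.
demo() {
    tmp="$(mktemp)"
    # Constructed sample line in the shape of a wazuh-logcollector message.
    printf '%s\n' "2024/01/15 10:00:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/sonicwall.log'." > "$tmp"
    rsyslog_sonicwall_rule 192.0.2.10 /var/log/sonicwall.log
    wazuh_localfile_block /var/log/sonicwall.log
    if file_is_monitored "$tmp" /var/log/sonicwall.log; then
        echo "agent is monitoring /var/log/sonicwall.log"
    else
        echo "file not monitored: check <location> in ossec.conf and restart the agent"
    fi
    rm -f "$tmp"
}
demo
```

The rsyslog fragment matches on the sender address rather than on the facility, so lines from other hosts keep going to their usual destinations; the `stop` prevents the SonicWall messages from also landing in /var/log/syslog. After restarting rsyslog and the agent, run `file_is_monitored /var/ossec/logs/ossec.log /var/log/sonicwall.log` against the real agent log before looking for alerts on the dashboard.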