Problems collecting events via syslog


Daniel Hinojo

Jan 27, 2023, 4:50:16 PM
to Wazuh mailing list
Hello, everyone. I have a problem with the collection of logs through syslog. I have done the following configuration and validation, but even so I do not receive events from the computers that have syslog configured. Could you please help me? I will detail the steps I have carried out below:

1. Add the following configuration to ossec.conf:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>xx.xx.x.0/24</allowed-ips>
  <allowed-ips>xx.xx.xx.x</allowed-ips>
</remote>

2. Validate that UDP port 514 is open on the server and add an exception to the firewall.

3. From the Wazuh web dashboard I don't see syslog-type events; I did send tests, but the Wazuh server doesn't receive them.

I have the latest version of Wazuh 4.3 installed.

Thanks

Mauricio Ruben Santillan

Jan 28, 2023, 11:44:18 AM
to Wazuh mailing list
Hello Daniel,

First of all, make sure you added a remote module to your Wazuh server configuration instead of editing the already existing one (the default one is for agent connectivity).

Then, in order to check whether you're actually receiving syslog traffic on your Wazuh server, you can run a tcpdump command from your Wazuh server's command line like the next one:

tcpdump -s 0 -A host <SRCIPADDRHERE> and udp port 514

Just make sure to replace <SRCIPADDRHERE> with the actual source IP address.

In case there's no traffic reaching your manager, the output of this command would stay like this:

root@server:/home/user# tcpdump -s 0 -A host 192.168.1.1 and udp port 514
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes


In this case, you should check network connectivity / firewall configurations between your devices and the Wazuh server.

Now, if you're actually receiving syslog traffic, then you should see lots of data populating your screen. For example:
root@server:/home/user# tcpdump -s 0 -A host 192.168.1.5 and udp port 514
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp2s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:33:35.898101 IP 192.168.1.5.57255 > server.syslog: SYSLOG user.notice, length: 106
E....\@.?..Q.......c.....r.c<13>1 2023-01-28T13:33:36.513281-03:00 PROBOOK root - - [timeQuality tzKnown="1" isSynced="0"] testing
13:33:40.085865 IP 192.168.1.5.57238 > server.syslog: SYSLOG user.notice, length: 106
E.....@.?..........c.....r._<13>1 2023-01-28T13:33:40.698629-03:00 PROBOOK root - - [timeQuality tzKnown="1" isSynced="0"] testing
13:33:40.947057 IP 192.168.1.5.57194 > server.syslog: SYSLOG user.notice, length: 106
E....0@.?..}.......c.j...r..<13>1 2023-01-28T13:33:41.562493-03:00 PROBOOK root - - [timeQuality tzKnown="1" isSynced="0"] testing
13:33:41.353253 IP 192.168.1.5.57239 > server.syslog: SYSLOG user.notice, length: 106
E....L@.?..a.......c.....r.j<13>1 2023-01-28T13:33:41.969016-03:00 PROBOOK root - - [timeQuality tzKnown="1" isSynced="0"] testing


In this case, most probably you would be missing some custom decoders and/or rules for your events.
You can confirm this by enabling logall_json in your Wazuh manager's /var/ossec/etc/ossec.conf file. By setting this option to yes and restarting your wazuh-manager service, your Wazuh server will start saving every single event it receives into /var/ossec/logs/archives/archives.json, even if the events don't trigger a rule. You could search for your incoming events there.

In case you find some events there, and if you could provide me with some samples, I can help you get started with decoders and rules.

Let me know how it goes!
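The reply above points at two places where an incoming syslog event can be seen: on the wire (tcpdump, which prints the facility/severity as "user.notice") and in archives.json once logall_json is on. The following added example, which is not part of the thread and not Wazuh's own code, reads archives.json-style lines (one JSON object per line, constructed here for the example) and summarises them per source: how many events arrived, how many matched a rule, which syslog hostnames appear, and which facility.severity pairs were used. It assumes that events without a matched rule carry no "rule" field, that remote-syslog events report the sender address in "location", and that the raw message is in "full_log"; it parses both RFC 5424 and RFC 3164 syslog headers, which is more than the thread's single RFC 5424 sample shows.

```python
"""Summarise Wazuh archives.json lines per syslog source (added example).

Assumptions (not confirmed by the thread): events that matched no rule lack a
"rule" key, remote-syslog events carry the sender IP in "location", and the
raw message is in "full_log".
"""
import json
import re
from collections import defaultdict

# Syslog PRI = facility * 8 + severity (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424_RE = re.compile(r"^<\d{1,3}>1 \S+ (\S+) ")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (\S+)")

# Constructed sample in the shape of archives.json lines. Values are invented;
# the last line is deliberately truncated, as the file's last line can be while
# the manager is still writing it.
SAMPLE_ARCHIVE_LINES = [
    json.dumps({"timestamp": "2023-01-28T13:33:36.513-0300",
                "agent": {"id": "000", "name": "server"},
                "location": "192.168.1.5",
                "full_log": '<13>1 2023-01-28T13:33:36.513281-03:00 PROBOOK root - - '
                            '[timeQuality tzKnown="1" isSynced="0"] testing',
                "decoder": {"name": "syslog"}}),
    json.dumps({"timestamp": "2023-01-28T13:33:40.698-0300",
                "agent": {"id": "000", "name": "server"},
                "location": "192.168.1.5",
                "full_log": '<13>1 2023-01-28T13:33:40.698629-03:00 PROBOOK root - - '
                            '[timeQuality tzKnown="1" isSynced="0"] testing',
                "decoder": {"name": "syslog"}}),
    json.dumps({"timestamp": "2023-01-28T13:33:41.562-0300",
                "agent": {"id": "000", "name": "server"},
                "location": "192.168.1.5",
                "full_log": '<13>1 2023-01-28T13:33:41.562493-03:00 PROBOOK root - - '
                            '[timeQuality tzKnown="1" isSynced="0"] matched',
                "decoder": {"name": "syslog"},
                # constructed custom rule (ids >= 100000 are the custom range)
                "rule": {"id": "100001", "level": 3, "description": "constructed sample rule"}}),
    json.dumps({"timestamp": "2023-01-28T13:40:01.000-0300",
                "agent": {"id": "000", "name": "server"},
                "location": "192.168.1.7",
                "full_log": "<34>Jan 28 13:40:01 fw01 sshd[1234]: constructed sample message",
                "decoder": {"name": "syslog"}}),
    '{"timestamp": "2023-01-28T13:41',  # truncated line, must be skipped
]


def decode_priority(pri):
    """Return (facility, severity) names for a syslog PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def syslog_hostname(full_log):
    """Hostname from an RFC 5424 or RFC 3164 header, or None if unrecognised."""
    match = RFC5424_RE.match(full_log) or RFC3164_RE.match(full_log)
    return match.group(1) if match else None


def parse_archive_lines(lines):
    """Parse one JSON object per line, silently skipping blank or broken lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_by_source(events):
    """Group events by sender ("location") and count rule matches per sender."""
    summary = defaultdict(lambda: {"total": 0, "with_rule": 0, "without_rule": 0,
                                   "hosts": set(), "facility_severity": set()})
    for event in events:
        entry = summary[event.get("location", "unknown")]
        entry["total"] += 1
        entry["with_rule" if "rule" in event else "without_rule"] += 1
        full_log = event.get("full_log", "")
        host = syslog_hostname(full_log)
        if host:
            entry["hosts"].add(host)
        pri = PRI_RE.match(full_log)
        if pri:
            entry["facility_severity"].add(".".join(decode_priority(int(pri.group(1)))))
    return dict(summary)


if __name__ == "__main__":
    # Replace SAMPLE_ARCHIVE_LINES with open("/var/ossec/logs/archives/archives.json")
    for source, entry in summarize_by_source(parse_archive_lines(SAMPLE_ARCHIVE_LINES)).items():
        print(source, entry)
```

A sender that shows up with a non-zero "without_rule" count is exactly the case the reply describes: traffic arrives and is logged, but no decoder/rule pair fires, so nothing appears as an alert on the dashboard.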

Daniel Hinojo

Jan 30, 2023, 3:03:27 PM
to Wazuh mailing list
Good afternoon. Thanks for the support; now I can receive the logs sent by syslog. But now I have another question: is there a way to see all the logs that are collected by syslog in the Wazuh dashboard?

I ask this because I see that it only shows me some logs, the ones I think Wazuh identifies, so I would like to know if there is any other way to see all the logs that are generated by each hostname through syslog.

Possibly by creating a new index to later view it through OpenSearch. Thanks for the support.

Mauricio Ruben Santillan

Jan 31, 2023, 2:40:25 PM
to Wazuh mailing list
Hello Daniel,

You can enable logall_json on your Wazuh Manager for this matter. Enabling this option will make your Wazuh Manager save every single event it receives into its file /var/ossec/logs/archives/archives.json, even if your events don't trigger a rule. By checking this file, you'll be able to see all the events coming from your agents and create decoders and/or rules for them.

I hope this helps. Let me know how it goes!

Daniel Hinojo

Jan 31, 2023, 2:52:44 PM
to Wazuh mailing list
Thanks, but if I want to see all those logs through the Wazuh dashboard or from OpenSearch, how can I do it?

Mauricio Ruben Santillan

Jan 31, 2023, 3:19:11 PM
to Wazuh mailing list
Hello Daniel,

There's an issue here that explains how to do it (and proposes to add this to our Documentation).

Let me know how it goes.

Daniel Hinojo

Jan 31, 2023, 3:40:49 PM
to Wazuh mailing list
Thanks for your prompt response. Would this apply to Wazuh 4.3?

Daniel Hinojo

Feb 1, 2023, 6:45:02 PM
to Wazuh mailing list
I just tried it and it worked. Thanks for the help.

Now I have a concern. I understand that since it now collects all the information, it may take up a lot of space. I understand that at the index level I can apply a policy so that it is debugged from time to time, but at the Linux level would I also have to do something similar so that the files generated by /var/ossec/logs/archives/archives.json are debugged every 30 or 40 days?
How could I do it?

Mauricio Ruben Santillan

Feb 1, 2023, 7:29:32 PM
to Daniel Hinojo, Wazuh mailing list
You can add a cronjob to your Wazuh server so it deletes old files from the Wazuh alerts/archives directories.

A cronjob like the next one would delete data from these directories when it's older than 365 days:

0 0 * * * find /var/ossec/logs/alerts/ -type f -mtime +365 -exec rm -f {} \;
0 0 * * * find /var/ossec/logs/archives/ -type f -mtime +365 -exec rm -f {} \;

Run crontab -e, then add them.

I hope this helps.



--
Wazuh
Mauricio Santillan
IT Security Engineer - Support DRI
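The cron lines above delete anything under the alerts/archives directories that is older than N days, and a later reply in this thread suggests moving the files somewhere else instead. The following added example, which is not part of the thread and not Wazuh's own tooling, implements that retention step as a small script with a dry-run mode and an optional "move to cold storage" action, mirroring the meaning of find -type f -mtime +N (strictly older than N days, symlinks skipped). The directory layout it builds for the demo (year/month/archives-DD.json.gz) is a constructed approximation of the rotated archive tree, not a documented Wazuh path; on a real manager you would point it at /var/ossec/logs/archives and /var/ossec/logs/alerts.

```python
"""Age-based retention for Wazuh alerts/archives directories (added example).

The demo layout below is constructed; the only paths taken from the thread are
the two default directories, which this script does not touch unless asked.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# Directories named in the thread's cron lines.
DEFAULT_DIRS = ["/var/ossec/logs/alerts", "/var/ossec/logs/archives"]
DAY = 86400


def find_expired(directory, max_age_days, now=None):
    """Regular files under directory with mtime older than max_age_days.

    Approximates `find DIR -type f -mtime +N`; symlinks are skipped so a
    planted link cannot make the script delete or move files elsewhere.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    expired = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = Path(root) / name
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_mtime < cutoff:
                expired.append(path)
    return sorted(expired)


def apply_retention(directory, max_age_days, archive_to=None, dry_run=True, now=None):
    """Delete expired files, or move them under archive_to keeping the relative path.

    Returns a list of (path, action) so a dry run can be reviewed before the
    real run. Nothing is touched while dry_run is True.
    """
    actions = []
    for path in find_expired(directory, max_age_days, now):
        if archive_to is not None:
            dest = Path(archive_to) / path.relative_to(directory)
            action = f"move -> {dest}"
            if not dry_run:
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(dest))
        else:
            action = "delete"
            if not dry_run:
                path.unlink()
        actions.append((path, action))
    return actions


def build_sample_tree(base, now):
    """Constructed archive tree with backdated mtimes (400, 40 and 0 days old)."""
    base = Path(base)
    ages = {"2022/Jan/archives-01.json.gz": 400,
            "2022/Dec/archives-31.json.gz": 40,
            "2023/Feb/archives-01.json": 0}
    for rel, age_days in ages.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
        mtime = now - age_days * DAY
        os.utime(path, (mtime, mtime))
    return base


def _listing(root):
    return sorted(str(p.relative_to(root)) for p in Path(root).rglob("*") if p.is_file())


def demo(max_age_days=365):
    """Run the retention flow in a temporary directory and report what happened."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_tree(Path(tmp) / "archives", now)
        cold = Path(tmp) / "cold"
        planned = apply_retention(src, max_age_days, dry_run=True, now=now)
        untouched_after_dry_run = all(p.exists() for p, _ in planned)
        apply_retention(src, max_age_days, archive_to=cold, dry_run=False, now=now)
        after_move, archived = _listing(src), _listing(cold)
        apply_retention(src, 30, dry_run=False, now=now)   # shorter window, real delete
        after_delete = _listing(src)
        return {"planned": [str(p.relative_to(src)) for p, _ in planned],
                "untouched_after_dry_run": untouched_after_dry_run,
                "after_move": after_move, "archived": archived,
                "after_delete": after_delete}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it daily from cron (in dry-run first) gives the same effect as the find lines, with the difference that a dry run lists what would go before anything is removed, and the move mode keeps the files available for the alert-restore use mentioned later in the thread.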

Daniel Hinojo

Feb 2, 2023, 10:04:53 AM
to Wazuh mailing list
Thanks for the help,
Should the number of crontab days be consistent with the number of days of deletion or freezing that I have in Index policies?

Mauricio Ruben Santillan

Feb 2, 2023, 12:13:11 PM
to Daniel Hinojo, Wazuh mailing list
Hi Daniel,
You can set any value in the crontab. It is up to you. Keep in mind that such data is useful to restore Wazuh alerts using this method, so you should consider this when setting that up.
Also, you might want to replace the delete command with a command that moves your files somewhere else.

I hope this helps.


