Wrong hostname with remoted syslog input


Viktor Nguyen

Feb 23, 2021, 2:04:33 AM2/23/21
to Wazuh mailing list
Hi,
My situation is:
- I send network device syslog to the remoted syslog input of Wazuh.
- Wazuh can receive and understand the syslog messages correctly.
- The predecoder.hostname field contains the hostname of the network device correctly.

But the agent.name field is the name of the Wazuh manager.

This will be a problem when I'm managing multiple groups and alerts from each group will be sent to different email addresses. In my case, the alerts from those network devices belong to the manager host only.

So, does anyone know how to make syslog belong to the correct host and host group?

Francisco Navarro

Feb 23, 2021, 8:41:46 AM2/23/21
to Wazuh mailing list
Hello,

The fact is that the remote syslog event is not collected by any agent. For this reason, it is not possible to associate an agent with it, and Wazuh includes those logs among the Wazuh manager's own ones.

If you're sending syslog events from hosts that already have a Wazuh agent installed, you may prefer to redirect those logs to a local file on the host and analyze that file with the Wazuh agent using the localfile option. This way, the message would reach the manager through the agent and would be associated with the agent. Also, although the message would be in syslog format, it would be sent to the manager through a secure (encrypted) channel, which is something worth keeping in mind.

If you need to associate syslog events from firewalls, routers or other devices with certain Wazuh agents, you may need to redirect the logs to each agent (using a syslog server on each agent host that needs to receive logs) and then use localfile to forward them to the manager as I previously described. Otherwise, the logs received by the manager will be associated with it, although you could use the hostname or IP to filter them.

I hope this clarifies everything. If you have any doubt, please do not hesitate to ask.

Best regards.
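The setup described in the reply above, written out as an added example that is not part of the thread and not Wazuh's or rsyslog's own code: on a host that already runs a Wazuh agent, rsyslog listens for the network devices' syslog, writes it to a dedicated file, and the agent ships that file to the manager with a localfile entry. The drop-in path /etc/rsyslog.d/10-netdev.conf, the log file /var/log/netdev.log, the ruleset name "netdev", UDP port 514 and the use of rsyslog as the local syslog daemon are all assumptions; adjust them for your environment. Using the builtin RSYSLOG_TraditionalFileFormat template keeps the device's own hostname in each line, so the manager's syslog predecoder still sets predecoder.hostname to the device while agent.name becomes the agent host, which is what the question asks for.

```shell
#!/bin/sh
# Added example (not from the thread): route device syslog through a host that
# already runs a Wazuh agent. Paths, the drop-in name, the ruleset name and the
# UDP port are assumptions; adjust them to your environment.
set -eu

# Write an rsyslog drop-in that listens on UDP and routes only the remote input,
# via its own ruleset, to a dedicated file so device logs never mix with the
# host's local syslog. RSYSLOG_TraditionalFileFormat keeps the sending device's
# hostname in the line, so predecoder.hostname on the manager stays the device.
#   $1 = drop-in path   $2 = UDP port   $3 = file the agent will read
write_rsyslog_rule() {
    cat > "$1" <<EOF
module(load="imudp")
ruleset(name="netdev") {
    action(type="omfile" file="$3" template="RSYSLOG_TraditionalFileFormat")
    stop
}
input(type="imudp" port="$2" ruleset="netdev")
EOF
}

# Append a localfile block to the agent's ossec.conf. Wazuh accepts more than
# one <ossec_config> block in the file, so appending is enough.
#   $1 = ossec.conf path   $2 = file the agent will read
write_localfile_block() {
    cat >> "$1" <<EOF

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>$2</location>
  </localfile>
</ossec_config>
EOF
}

# Sanity check before restarting services: succeeds only if the UDP module,
# the input bound to the ruleset and the localfile location are all present.
#   $1 = drop-in path   $2 = ossec.conf path   $3 = UDP port   $4 = log file
verify_configs() {
    grep -q 'module(load="imudp")' "$1" &&
    grep -q "input(type=\"imudp\" port=\"$3\" ruleset=\"netdev\")" "$1" &&
    grep -q "<location>$4</location>" "$2"
}

# Extract the hostname field from a line in traditional syslog file format
# ("Mon DD HH:MM:SS host tag: msg"), the field Wazuh's predecoder reads.
# Useful for confirming the device name survived the hop through rsyslog.
#   $1 = one log line
syslog_hostname() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Run as root on the agent host, then restart both daemons:
#   apply_on_agent_host && systemctl restart rsyslog wazuh-agent
apply_on_agent_host() {
    write_rsyslog_rule /etc/rsyslog.d/10-netdev.conf 514 /var/log/netdev.log
    write_localfile_block /var/ossec/etc/ossec.conf /var/log/netdev.log
    verify_configs /etc/rsyslog.d/10-netdev.conf /var/ossec/etc/ossec.conf \
        514 /var/log/netdev.log
}
```

After the restart, point the devices at the agent host instead of the manager and confirm a line lands in /var/log/netdev.log with the device's hostname in the fourth field. Two caveats follow from the reply above: the device-to-agent hop is still cleartext UDP syslog and should stay on a management network, while only the agent-to-manager hop is encrypted; and the manager now attributes these alerts to that agent, so group-based email routing works, but the device itself is still identified only by predecoder.hostname or its IP.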