Is Installing A Syslog Server In The Same Host As Wazuh Manager Work Out??

[Funto Oladipupo]

I am planning to capture fortigate firewall logs from my company's on-premises datacenters. I reached out to my seniors for a vm creation so I could host a syslog server on it but was told to deploy it in the vm wazuh manager is already sitting on?
Is it advisable to install a syslog server such as rsyslog in the same azure ubuntu vm wazuh manager is sitting on? The idea is to use 2 network interfaces, one for wazuh and the other for syslog so as to collect firewall logs to the syslog server, then to wazuh.

Is this feasible, and if not why please?

[Javier Castro]

Hello, 

there shouldn't be an issue with this as long as the Wazuh server has enough CPU and RAM to handle both components.

The only caveat I can anticipate is related to load balancing. If you have a Wazuh manager cluster and you want to balance your syslog traffic across the cluster, it's best to use a separate server for rsyslog and make sure that you send the information to a NLB that balances the load between your Wazuh managers.

Similar to this architecture, one of the agents would be sending the syslog traffic (based on the output of a local rsyslog):

If you don't use a Wazuh manager cluster then there's nothing to worry about in this regard.

Hope that helps!

[Funto Oladipupo]

Thank you so much for the clarification and sorry about my late reply. Network interface has been setup and I'll work on it.

My wazuh manager isn't a cluster and should work as you explained I hope. Will let you know how it goes. I truly appreciate.