wazuh agent from the Syslog server not pulling logs to the manager


sahithi

Jun 13, 2024, 4:09:04 AM
to Wazuh | Mailing List
Hey there,

So we have an rsyslog server which collects logs from the Zscaler and stores them in a specific folder in CSV format. We want those logs in Wazuh; however, the logs aren't being pulled into Wazuh. The only logs we could see are the server access logs. We need to see the ZPA logs instead. Could you kindly help us with the same?

I can also see that the traffic is open between both the servers. Also, the analysisd process, which is in charge of pulling logs from the agent, is pulling different logs altogether.

The log sample from Zscaler

2024-06-07T00:00:03.375203+00:00 Fri Jun  7 00:00:03 2024 User Activity zpa-lss: ,Softeon,WBxjU8TwGSuDIqeH7E1A,WBxjU8TwGSuDIqeH7E1A,accdi9AfJVPM4/RDp+n/,BRK_MT_SETUP_FAIL_SAML_EXPIRED,close,6,0, rando...@softeon.com,443,49.37.219.126,192.168.29.49,12.899600,80.220900,IN,AP-IN-2637,0,0,0,,0,kspuat.softeon.com,AWS-us-east-2-VPC1-KSP-AppAccess,AWS-us-east-2-VPC1-KSP-SegmentGroup,0,,443,0,0,2024-06-07T00:00:03.195Z,2024-06-07T00:00:03.195Z,,,,,,,,,,,,,0,0,0,0,0,0,0,0,Softeon Azure AD,0,Chennai,0,0

The logs that are being pulled into the archives/archives.json file

log":"2024-06-12T14:48:41.752291+00:00 ip-192-168-14-8 sshd[177267]: Connection closed by 192.168.11.164 port 38478","predecoder":{"program_name":"sshd","timestamp":"2024-06-12T14:48:41.752291+00:00"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.11.164","srcport":"38478"},"location":"/var/log/auth.log"}
{"timestamp":"2024-06-12T14:49:02.727+0000","agent":{"id":"000","name":"ip-192-168-14-8"},"manager":{"name":"ip-192-168-14-8"},"id":"1718203742.13284","full_log":"2024-06-12T14:49:01.310201+00:00 ip-192-168-14-8 sshd[177270]: Connection closed by 192.168.11.164 port 38528","predecoder":{"program_name":"sshd","timestamp":"2024-06-12T14:49:01.310201+00:00"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.11.164","srcport":"38528"},"location":"/var/log/auth.log"}
{"timestamp":"2024-06-12T14:49:22.743+0000","agent":{"id":"000","name":"ip-192-168-14-8"},"manager":{"name":"ip-192-168-14-8"},"id":"1718203762.13284","full_log":"2024-06-12T14:49:20.884042+00:00 ip-192-168-14-8 sshd[177272]: Connection closed by 192.168.11.164 port 38574","predecoder":{"program_name":"sshd","timestamp":"2024-06-12T14:49:20.884042+00:00"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.11.164","srcport":"38574"},"location":"/var/log/auth.log"}
{"timestamp":"2024-06-12T14:49:38.755+0000","agent":{"id":"000","name":"ip-192-168-14-8"},"manager":{"name":"ip-192-168-14-8"},"id":"1718203778.13284","full_log":"2024-06-12T14:49:38.422789+00:00 ip-192-168-14-8 sshd[177274]: Connection closed by 192.168.11.164 port 38630","predecoder":{"program_name":"sshd","timestamp":"2024-06-12T14:49:38.422789+00:00"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.11.164","srcport":"38630"},"location":"/var/log/auth.log"}
{"timestamp":"2024-06-12T14:49:58.773+0000","agent":{"id":"000","name":"ip-192-168-14-8"},"manager":{"name":"ip-192-168-14-8"},"id":"1718203798.13284","full_log":"2024-06-12T14:49:57.646783+00:00 ip-192-168-14-8 sshd[177275]: Connection closed by 192.168.11.164 port 38678","predecoder":{"program_name":"sshd","timestamp":"2024-06-12T14:49:57.646783+00:00"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.11.164","srcport":"38678"},"location":"/var/log/auth.log"}



Can anyone assist me with this issue please ? Thanks !!

Regards,

Sahithi



Farouk Musa

Jun 13, 2024, 7:30:54 AM
to Wazuh | Mailing List
Hello Sahithi,

I'll assist to have your issue resolved. First let me clarify that the logcollector module is responsible for collecting logs from sources, analysisd is only responsible for analyzing collected events against the defined rules.

To monitor your CSV file, you need to instruct Wazuh to read those files using the logcollector module. Your config should look like the below:

<localfile>
  <log_format>syslog</log_format>
  <location>/path/to/your/data.csv</location>
</localfile>

More options for the logcollector module can be found here.

Substitute /path/to/your/data.csv with the path to your CSV file, add the config to your ossec.conf file, and restart the Wazuh manager or agent; you should then start to see the logs in your archives file. Please note that you will need to create custom decoders and rules for the logs to be decoded and generate alerts.

Please let me know if you have any issues.
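To make the last point concrete, here is an added illustration (not part of the thread, and not Wazuh's decoder format) of what the custom decoder and rule would have to do with the ZPA line from the first post. The script keys on the literal `zpa-lss: ` marker, splits the CSV payload that follows it into named fields, and runs a toy rule that alerts on a failed session setup while ignoring the sshd line that currently fills archives.json. The column names and positions in `FIELD_INDEX` are assumptions read off the sample line, since the thread does not include the LSS field order; in practice they should come from the field list configured on the Zscaler LSS receiver.

```python
import csv
from typing import Optional

# ZPA LSS sample line from the original post, embedded here as test input.
# The user field was already redacted in the post, hence "rando...".
ZPA_LINE = (
    "2024-06-07T00:00:03.375203+00:00 Fri Jun  7 00:00:03 2024 User Activity "
    "zpa-lss: ,Softeon,WBxjU8TwGSuDIqeH7E1A,WBxjU8TwGSuDIqeH7E1A,"
    "accdi9AfJVPM4/RDp+n/,BRK_MT_SETUP_FAIL_SAML_EXPIRED,close,6,0,"
    " rando...@softeon.com,443,49.37.219.126,192.168.29.49,12.899600,"
    "80.220900,IN,AP-IN-2637,0,0,0,,0,kspuat.softeon.com,"
    "AWS-us-east-2-VPC1-KSP-AppAccess,AWS-us-east-2-VPC1-KSP-SegmentGroup,"
    "0,,443,0,0,2024-06-07T00:00:03.195Z,2024-06-07T00:00:03.195Z,"
    ",,,,,,,,,,,,0,0,0,0,0,0,0,0,Softeon Azure AD,0,Chennai,0,0"
)

# The sshd line from the poster's archives.json, used as a negative sample:
# it carries no "zpa-lss: " marker and must not be decoded as ZPA.
SSHD_LINE = ("2024-06-12T14:48:41.752291+00:00 ip-192-168-14-8 sshd[177267]: "
             "Connection closed by 192.168.11.164 port 38478")

# The decoder keys on this literal marker rather than on the unusual syslog
# header ("Fri Jun  7 ... User Activity"), which a stock syslog decoder
# would not recognise as "program: message".
PREMATCH = "zpa-lss: "

# ASSUMED column names/positions, read off the sample line only. Replace
# with the field order configured on the LSS receiver.
FIELD_INDEX = {
    "customer": 1,
    "session_id": 2,
    "connection_status": 5,
    "session_status": 6,
    "user": 9,
    "server_port": 10,
    "client_public_ip": 11,
    "client_private_ip": 12,
    "country": 15,
    "application": 22,
    "app_segment": 23,
    "session_start": 30,
}


def decode_zpa(line: str) -> Optional[dict]:
    """Prematch + field extraction: return named fields for a ZPA LSS line,
    or None when the line is not a ZPA record at all."""
    idx = line.find(PREMATCH)
    if idx < 0:
        return None
    payload = line[idx + len(PREMATCH):]
    # csv.reader copes with quoted fields should one ever contain a comma
    cols = next(csv.reader([payload]))
    return {name: (cols[pos].strip() if pos < len(cols) else "")
            for name, pos in FIELD_INDEX.items()}


def evaluate(event: dict) -> Optional[dict]:
    """Toy rule: a failed session setup is worth an alert; a normal close is not."""
    status = event.get("connection_status", "")
    if status.startswith("BRK_MT_SETUP_FAIL"):
        return {
            "level": 7,
            "description": (f"ZPA session setup failed ({status}) for "
                            f"{event['user']} from {event['client_public_ip']} "
                            f"to {event['application']}"),
        }
    return None


def process(lines) -> list:
    """Run decode + rule over raw lines and return the alerts produced."""
    alerts = []
    for line in lines:
        event = decode_zpa(line)
        if event is None:
            continue          # not a ZPA record: nothing for the ZPA rules to see
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in process([ZPA_LINE, SSHD_LINE]):
        print(alert["level"], alert["description"])
```

The Wazuh equivalent is a parent decoder whose `<prematch>` is the `zpa-lss: ` marker plus a child decoder that extracts the comma-separated fields with `<regex>` and names them with `<order>`, and a rule that matches on the extracted status field; until that exists, the lines will reach archives.json once the `<localfile>` block is in place but will not produce alerts.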