Send CISCO switch logs to wazuh


Massimiliano De Falco

Dec 23, 2024, 6:17:03 AM12/23/24
to Wazuh | Mailing List
Good morning,
I have various CISCO C9200 series switches and my idea is to send the logs of these switches to the Wazuh syslog server.

Can you help me to configure the switch to do this?

Thanks.


hasitha.u...@wazuh.com

Dec 23, 2024, 7:25:05 AM12/23/24
to Wazuh | Mailing List
Hi Massimiliano,

I believe these links related to CISCO will help you configure syslog.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-12/configuration_guide/sys_mgmt/b_1612_sys_mgmt_9200_cg/configuring_system_message_logs.html
https://community.cisco.com/t5/network-management/setup-c9200-logging-to-syslog-server-to-a-single-log-file/td-p/5221788

To capture syslog on the Wazuh side you can configure the Wazuh syslog listener.
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

Alternatively, you can install the agent on the endpoint and collect logs using rsyslog and specify the path in agent ossec.conf.
Agent install: https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html
Rsyslog configuration: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

You have to modify the location and the log_format according to your setup. This configuration needs to be added to the monitored wazuh-agent's ossec.conf:

nano /var/ossec/etc/ossec.conf

<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>


Then restart the agent:
systemctl restart wazuh-agent
For more details you can refer to: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html#configuration-for-monitoring-log-files

Once you have configured log collection, you can test whether your logs are being decoded and whether the default rules apply by using wazuh-logtest:
/var/ossec/bin/wazuh-logtest

You only need to copy your log line and paste it there after executing the above command.

If no decoder or rules are applied, you need to create custom decoders and rules.
https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#custom-rules
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Let me know if this helps. 

Regards,
Hasitha Upekshitha
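As an added illustration of the syslog listener mentioned in the reply above (this is not Hasitha's configuration, and the addresses are assumed): the manager-side block goes in /var/ossec/etc/ossec.conf on the Wazuh manager, and restricts which sources may write into the listener.

```xml
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <!-- assumed management subnet of the switches; datagrams from other sources are dropped -->
    <allowed-ips>192.0.2.0/24</allowed-ips>
    <!-- assumed manager interface the switches send to (optional) -->
    <local_ip>192.0.2.50</local_ip>
  </remote>
</ossec_config>
```

After saving, restart the manager (systemctl restart wazuh-manager). On the IOS side the matching statement is `logging host 192.0.2.50` with the same assumed manager address; keep allowed-ips as tight as the switch management network allows, because the listener accepts unauthenticated UDP and anything in the allowed range can inject events.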
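Before pasting lines into wazuh-logtest it helps to know what a Cisco IOS syslog line contains and which fields a decoder has to pull out. The following is an added example (not code from the thread or from Wazuh) that parses constructed IOS-style lines into the syslog priority, the IOS facility/severity/mnemonic and the message, then applies a small assumed triage policy: alert on IOS severity 0-3 or on a watched mnemonic such as a configuration change or failed login. The sample lines and the watch list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of a Cisco IOS syslog line as it arrives at a UDP/514 listener (constructed, not a capture):
#   <PRI>SEQ: *TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: message text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # syslog PRI = facility*8 + severity
    r"(?:(?P<seq>\d+): )?"                                    # optional sequence number
    r"(?:[*.]?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)(?: \w+)?: )?"  # optional timestamp (+tz)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)


@dataclass
class CiscoEvent:
    syslog_facility: int      # from PRI, e.g. 23 = local7 (the IOS default)
    syslog_severity: int      # from PRI
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str             # IOS facility, e.g. SYS, LINK, SEC_LOGIN
    severity: int             # IOS severity 0 (emergency) .. 7 (debug)
    mnemonic: str             # IOS mnemonic, e.g. CONFIG_I
    message: str


def parse_cisco_syslog(line: str) -> Optional[CiscoEvent]:
    """Return the decoded event, or None when the line does not look like IOS syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return CiscoEvent(
        syslog_facility=pri // 8,
        syslog_severity=pri % 8,
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        message=m["message"],
    )


# Assumed watch list for the example: events a defender wants surfaced even at low IOS severity.
WATCH_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED", "LOGIN_SUCCESS", "LOGOUT"}


def triage(line: str) -> dict:
    """Decode one line and decide whether it should raise an alert (assumed policy)."""
    ev = parse_cisco_syslog(line)
    if ev is None:
        # Undecoded lines are the ones that need a custom decoder/rule in Wazuh.
        return {"status": "undecoded", "line": line}
    alert = ev.severity <= 3 or ev.mnemonic in WATCH_MNEMONICS
    return {
        "status": "decoded",
        "alert": alert,
        "facility": ev.facility,
        "severity": ev.severity,
        "mnemonic": ev.mnemonic,
        "message": ev.message,
    }


def summarize(lines) -> dict:
    """Count decoded / undecoded lines and how many would alert."""
    results = [triage(line) for line in lines]
    return {
        "decoded": sum(r["status"] == "decoded" for r in results),
        "undecoded": sum(r["status"] == "undecoded" for r in results),
        "alerts": sum(bool(r.get("alert")) for r in results),
    }


# Constructed sample lines (addresses from documentation ranges, not real hosts).
SAMPLE_LINES = [
    "<189>105: *Dec 23 06:17:03.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<187>106: *Dec 23 06:17:05.001: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<190>107: *Dec 23 06:17:09.445: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 port 514 started - CLI initiated",
    "<188>108: *Dec 23 06:18:11.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "this is not a cisco line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
    print(summarize(SAMPLE_LINES))
```

The PRI value is what the Wazuh listener and generic syslog decoder see first; the IOS facility/severity/mnemonic inside the message is what a Cisco-specific decoder extracts and what custom rules usually match on. Lines that come back as "undecoded" here are the same ones that will show no decoder in wazuh-logtest.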

Massimiliano De Falco

Dec 23, 2024, 8:13:49 AM12/23/24
to Wazuh | Mailing List
Thanks Hasitha for your answer. In the Wazuh v4.9.1 GUI, where can I view the results? Where are the switch logs shown?

hasitha.u...@wazuh.com

Dec 24, 2024, 6:12:31 AM12/24/24
to Wazuh | Mailing List
Hi Massimiliano,

You can navigate to Explore under the Menu and select the Discover tab to see all alerts.

If you collect from Wazuh agents, you can check from the Threat Hunting tab under Threat Intelligence.

In your case, you can check from the Discover tab.

To learn more about the menu bar tools and tabs you can follow this:
https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/navigating-the-wazuh-dashboard.html

Let me know the update on this.
