Cisco Switch | Syslog | Configuration


John Carry

Dec 24, 2022, 11:48:16 PM
to Wazuh mailing list
Hello Wazuh Team,
I am planning to integrate a Cisco switch with Wazuh via syslog. While referring to older cases here, I found out that a few configurations need to be performed at the network device (Cisco switch) end. Please refer to the link below and confirm whether the highlighted configuration (red boxed) needs to be done at the switch end. Is it mandatory to configure it? If yes, then please confirm what these configurations will do.

Further, also confirm: as of today, are there known cases where Wazuh users have successfully integrated network devices with Wazuh via syslog, especially Cisco switches?


Link: 1.png (attached screenshot)

Julián Morales

Dec 25, 2022, 7:36:05 PM
to Wazuh mailing list
Hi John,

Our ruleset is constantly evolving and expanding its coverage from version to version. Currently you can see our Cisco IOS ruleset by doing a search in GitHub -> https://github.com/wazuh/wazuh/search?q=cisco (within the issues section you will find the proposed improvements).
Many users use Cisco devices with Wazuh; they even send the logs directly to the Wazuh manager without going through rsyslog.

I hope you find this useful
Regards, Julian

John Carry

Dec 25, 2022, 11:47:00 PM
to Wazuh mailing list
Thanks Julian for your response. Further, I think you haven't responded to the first question I raised regarding the red-boxed configuration requirements: does that configuration need to be done at the Cisco device end? If yes, then what is the purpose of that configuration?



Regards,
John

Julián Morales

Dec 26, 2022, 9:28:15 AM
to John Carry, Wazuh mailing list
Hi John, it is not necessary to use that configuration for Cisco devices.
The rsyslog configuration you shared with us is for the rsyslog daemon to monitor a file on the system, read it line by line, and adapt or generate a log in syslog format for each line read before sending it.

There is a typical use case for this: suppose you have a server on which you do not want to install a Wazuh agent, since you only want to monitor the logs of one application. Also suppose that this application generates logs that do not correspond to the syslog format and it is difficult to create a decoder that identifies these logs. Then with that rsyslog module you could "append" a syslog header so that those logs are easily recognized by a custom decoder.

You can find more information about this rsyslog configuration here: https://www.rsyslog.com/doc/v5-stable/configuration/modules/imfile.html

I hope this has answered your question.

Regards,
Julian
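As an added example, not rsyslog's code and not part of Wazuh, the Python script below does in miniature what the imfile use case described above relies on: it reads a plain application log file line by line, prepends an RFC 3164 syslog header (PRI, timestamp, hostname, tag) to each line, and forwards each result as one UDP datagram to a syslog collector such as a Wazuh manager listening on UDP/514. It also parses a wrapped line back into its fields, which is what a custom decoder sees once the header is present. The hostname `app01`, tag `myapp`, facility `local0` and the sample log lines are constructed assumptions.

```python
"""Added example: emulate rsyslog's imfile behaviour in Python.

Read a file that carries no syslog header of its own, wrap every line in an
RFC 3164 header, and forward it over UDP. Hostname, tag, facility and the
sample log are assumptions for the demo, not values from the thread.
"""
import socket
import time
from typing import Iterable, List, Optional, Tuple

# Facility/severity numbers as defined in RFC 3164 (PRI = facility*8 + severity).
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def pri(facility: int, severity: int) -> int:
    """Compute the syslog PRI value, rejecting out-of-range inputs."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def syslog_header(facility: int, severity: int, hostname: str, tag: str,
                  when: Optional[time.struct_time] = None) -> str:
    """Build '<PRI>Mmm dd hh:mm:ss hostname tag: ' (RFC 3164 style).

    RFC 3164 pads a single-digit day with a space, not a zero ("Dec  5").
    """
    if when is None:
        when = time.localtime()
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: "


def wrap_lines(lines: Iterable[str], facility: int, severity: int,
               hostname: str, tag: str,
               when: Optional[time.struct_time] = None) -> List[str]:
    """Wrap each non-empty raw line in a syslog header, as imfile does when polling a file."""
    wrapped = []
    for raw in lines:
        msg = raw.rstrip("\r\n")
        if not msg:
            continue  # imfile also skips empty lines
        wrapped.append(syslog_header(facility, severity, hostname, tag, when) + msg)
    return wrapped


def forward_udp(messages: Iterable[str], host: str, port: int) -> int:
    """Send each message as a single UDP datagram; return how many were sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))
            sent += 1
    return sent


def parse_header(message: str) -> Tuple[int, int, str, str, str]:
    """Split a wrapped message into (facility, severity, hostname, tag, payload).

    This is the structure a custom decoder can anchor on once the header exists.
    """
    if not message.startswith("<"):
        raise ValueError("missing PRI")
    end = message.index(">")
    p = int(message[1:end])
    rest = message[end + 1:]
    rest = rest[16:]  # skip the fixed-width 15-char timestamp and its trailing space
    hostname, rest = rest.split(" ", 1)
    tag, payload = rest.split(": ", 1)
    return p // 8, p % 8, hostname, tag, payload


# Constructed sample: lines from a hypothetical application log with no syslog header.
SAMPLE_APP_LOG = [
    "2022-12-26 09:00:01 login failed user=admin src=10.0.0.5\n",
    "\n",
    "2022-12-26 09:00:07 login ok user=alice src=10.0.0.9\n",
]


def demo() -> List[str]:
    """Wrap the sample log with a fixed timestamp so the output is reproducible."""
    fixed = time.struct_time((2022, 12, 26, 9, 28, 15, 0, 360, -1))
    return wrap_lines(SAMPLE_APP_LOG, FACILITY_LOCAL0, SEVERITY_INFO, "app01", "myapp", fixed)


if __name__ == "__main__":
    for line in demo():
        print(line)
    # Point this at a Wazuh manager with a syslog <remote> block to forward for real:
    # forward_udp(demo(), "192.0.2.10", 514)
```

Because the wrapped lines follow the same shape (`<PRI>timestamp host tag: message`) as native syslog sources, one decoder keyed on the `myapp` program name can match them, which is the point of the imfile use case: a device or daemon that already speaks syslog, such as a Cisco switch sending directly to the manager, does not need this step.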
