Monitoring Network Devices with OSSEC HIDS sonic firewall

[ROHIT SINGH]

Hello Team 

                How to use Monitoring Network Devices with OSSEC HIDS sonic firewall .

Regards

Rohit.s

[Tomas Giordano]

Hello Rohit, I hope this message finds you well

In order to monitor your network devices by using Wazuh alongside a SonicWall Firewall, you must enable syslog on your Firewall. 
Here's the SonicWall official knowledge base for how to achieve this:
SonicWall Syslog Configuration

After this, you must enable Wazuh to receive syslog messages forwarded from your firewall. 
This is done by editing the configuration file which is found in /var/ossec/etc/ossec.conf (it's adviceable to backup first by copying it) and adding the following lines to it:
<remote>
    <connection>syslog</connection>
    <allowed-ips>your-device-ip/CIDR</allowed-ips>
</remote>

With the "allowed-ips" you can set either a CIDR block or just one single IP on your network. In this case, you must replace it with your firewall's syslog IP.

Once this is done, you must restart the wazuh manager by issuing the following command:
sudo systemctl restart wazuh-manager 
or
/var/ossec/bin/ossec-control restart

Here's the documentation for this topic:
https://wazuh.com/blog/monitoring-network-devices-wazuh-hids/
Additionally, here is more documentation about Syslog and more Network devices integration:
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

Thanks for sharing your doubts in the community!