Alcatel-Lucent Switch log to Wazuh


Massimiliano De Falco

Mar 3, 2023, 1:29:35 PM
to Wazuh mailing list
Good morning,
My idea is to send the Alcatel-Lucent switch logs to the Wazuh GUI dashboard. The switch IP is 192.168.10.12 and the Wazuh server is 192.168.10.240.
I configured the switch according to the image attached: "Log to a remote host" and added the Wazuh server IP:PORT 192.168.10.240:513.
Is the Wazuh port number 513 correct? Where can I configure/personalize the port number, and how do I know if this configuration works?
Thanks.

Bin Do Tuan Anh

Mar 3, 2023, 2:09:14 PM
to Wazuh mailing list
Hi, 

The port would be 514. But also please keep in mind that you will need to configure Wazuh Manager to accept those logs. You will need to change it in /var/ossec/etc/ossec.conf. You will need to add the following lines:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>IP-address-1</allowed-ips>
  <allowed-ips>IP-address-2</allowed-ips>
  <local_ip>10.0.0.1</local_ip>
</remote>
Also, please keep in mind that in order for Wazuh to be able to trigger alerts based on the logs, it has to have decoders and rules for them.

You can verify whether the logs reach Wazuh Manager by enabling archives. This way you will save all the logs in the folder /var/ossec/logs/archives/
To do that, in the Wazuh Manager you will need to go to the file /var/ossec/etc/ossec.conf and change
<logall_json>no</logall_json>
to
<logall_json>yes</logall_json>
Save the changes, and restart Wazuh Manager to apply the configuration. After the restart, you will be able to find all the data that comes to Wazuh Manager in the file /var/ossec/logs/archives/archives.json

Please keep in mind that it will store a lot of data there, and it can easily fill up your disk. For this reason I would strongly recommend not keeping that data for a long time; after you finish troubleshooting you can remove the archives file to free your disk.

At the same time, you can take the logs from the archives (or from your application) and run a test to see how Wazuh Manager would parse that information.

You can do that by running /var/ossec/bin/wazuh-logtest and pasting your log there; it will show you the rule that will be triggered for this specific log.

In case there are no decoders, you will need to create a custom one. I would recommend this blog post: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/. You can also check the Wazuh documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please let me know if you have any questions or issues.

Best regards,
Bin. 
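
The verification step Bin describes, as an added example that is not part of the thread or of Wazuh itself: it builds one RFC 3164 test datagram aimed at the manager on UDP 514 (the same path the switch uses), and scans archives.json lines for events whose "location" is the switch IP. The archives.json field names, the assumption that remote syslog events carry the sender IP in "location", and the sample lines are all assumptions/constructed here.

```python
import json
import socket
from datetime import datetime

MANAGER = "192.168.10.240"  # Wazuh manager IP from the thread
SWITCH = "192.168.10.12"    # Alcatel-Lucent switch IP from the thread
SYSLOG_PORT = 514           # the port Bin gives; 513 in the question was wrong

def build_syslog(msg, host=SWITCH, facility=1, severity=6, when=None):
    """Build an RFC 3164 datagram: <PRI>Mmm  d hh:mm:ss host msg."""
    when = when or datetime(2023, 3, 3, 13, 29, 35)  # fixed for reproducibility
    pri = facility * 8 + severity                    # user.info -> <14>
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {msg}".encode()

def send_test_event(msg, manager=MANAGER, port=SYSLOG_PORT):
    """Send one UDP datagram to the manager (needs network; not run by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_syslog(msg), (manager, port))

def events_from(archive_lines, source_ip=SWITCH):
    """Return full_log of archives.json lines whose location is source_ip."""
    # Assumption: for remote syslog the manager stores the sender IP in "location".
    # Blank and malformed lines are skipped so one bad line does not stop the scan.
    hits = []
    for line in archive_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("location") == source_ip:
            hits.append(event.get("full_log", ""))
    return hits

# Constructed sample of archives.json lines (not real manager output)
SAMPLE_ARCHIVE = [
    '{"timestamp":"2023-03-03T13:29:35.000+0100","location":"192.168.10.12",'
    '"full_log":"Mar  3 13:29:35 192.168.10.12 port 1/1/3 link up","decoder":{"name":"syslog"}}',
    '{"timestamp":"2023-03-03T13:29:36.000+0100","location":"/var/log/auth.log",'
    '"full_log":"Mar  3 13:29:36 wazuh sshd[42]: session opened","decoder":{"name":"sshd"}}',
    'not json at all',
]

if __name__ == "__main__":
    for log in events_from(SAMPLE_ARCHIVE):
        print("switch event seen:", log)
```

If events_from returns nothing after the switch has been logging for a while, the problem is upstream of decoders (port, protocol, allowed-ips), and wazuh-logtest is not yet the right tool.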
