rsyslog forwarding switch log to wazuh


Matteo

Jan 11, 2024, 8:14:12 AM
to Wazuh | Mailing List

Hello everyone!

Thank you for all the help you have provided me!

And today I have a new issue.

I want to monitor my Aruba switches' logs in Wazuh.

So I set up an rsyslog server where I send my switches' logs.

I'm receiving my switches' logs; I can see them and read them, no problem on this part.

On my rsyslog server, I deployed a Wazuh agent and added the switch.log file.

But on my Wazuh dashboard I can't see any logs from my switch.

Does anyone have any idea?

Thanks for your help.

(If you don't understand something, let me know, I will try to be clearer. English is not my first language.)


Luciano Gorza

Jan 11, 2024, 10:00:18 AM
to Wazuh | Mailing List
Hi Matteo!

After updating the ossec.conf file, it's important to restart the agent. Have you already done that?

To verify if the Wazuh server is receiving the logs, you can enable archive logs. Wazuh archives store all events received by the Wazuh server, regardless of whether they trigger a rule.

For detailed information on archives, refer to the documentation: Wazuh Archives.

Once you've enabled this option, remember to restart the server. Then, analyze the logs to ensure that the server is receiving them and processing them accordingly.

I hope this information proves useful.

Matteo

Jan 11, 2024, 12:37:07 PM
to Wazuh | Mailing List
Thank you for your answer. I already restarted the agent and I can see them in the archives, but I created a decoder in /var/ossec/etc/decoders/local_decoder.xml:

<!-- Parent decoder: matches lines that begin with "aruba_log" once the syslog header has been removed -->
<decoder name="aruba_2930f">
    <prematch>^aruba_log</prematch>
</decoder>

<!-- Child decoder: the number of capture groups in <regex> must equal the number of fields in <order>
     (here 4 and 4). Dots inside IP addresses are escaped so they match a literal "." rather than any character. -->
<decoder name="aruba_2930f_fields">
    <parent>aruba_2930f</parent>
    <regex> (\w\w\w \d+) (\d\d:\d\d:\d\d) \d+\.\d+\.\d+\.\d+ \d+ \w+:  \w+: \w+ '(\w+)' \w+ \w+ \w+ (\d+\.\d+\.\d+\.\d+)</regex>
    <order>date, time, srcuser, srcip</order>
</decoder>

<!-- Sibling decoder for lines that only carry "from <ip>" -->
<decoder name="aruba_2930f_fields">
    <parent>aruba_2930f</parent>
    <regex offset="after_regex">from (\d+\.\d+\.\d+\.\d+)</regex>
    <order>srcip</order>
</decoder>

Luciano Gorza

Jan 12, 2024, 2:07:24 PM
to Wazuh | Mailing List
Matteo, I don't fully understand. Did you create the decoder and test it? Or do you need help creating both the decoder and the rules?

To test if the logs reaching the archives are processed correctly by the decoders and rules, you can use the Ruleset Test tool:
You can use it with any of the following alternatives:
  • Wazuh dashboard
  • Command line tool
  • Wazuh API
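As an added example (not from this thread or the Wazuh project), a small Python check for the most common reason a child decoder like the one posted above silently extracts nothing: the number of capture groups in <regex> not matching the number of fields in <order>. It approximates Wazuh's regex classes in Python only for a quick local check before running the Ruleset Test tool; the decoder snippet, the corrected regex and the switch log line are all constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Wazuh OS_Regex classes mapped to Python regex. This is an approximation for a
# quick local check; wazuh-logtest remains the authoritative test.
_CLASS = {r"\w": r"[A-Za-z0-9@_\-]", r"\d": r"[0-9]", r"\s": r" ",
          r"\.": r"\.", r"\(": r"\(", r"\)": r"\)"}

def to_python_regex(os_regex: str) -> str:
    """Translate the subset of Wazuh regex syntax that typical decoders use."""
    out, i = [], 0
    while i < len(os_regex):
        if os_regex[i:i + 2] in _CLASS:
            out.append(_CLASS[os_regex[i:i + 2]]); i += 2
        else:
            ch = os_regex[i]
            out.append(ch if ch in "()^$.*+" else re.escape(ch)); i += 1
    return "".join(out)

def count_groups(os_regex: str) -> int:
    """Capture groups are '(' characters not escaped as '\\('."""
    return len(re.findall(r"(?<!\\)\(", os_regex))

def lint_decoders(xml_text: str) -> list:
    """Return (name, groups, fields) for each decoder whose <regex> group count
    differs from its <order> field count; such a decoder extracts nothing."""
    root = ET.fromstring("<root>" + xml_text + "</root>")  # file has many roots
    problems = []
    for dec in root.iter("decoder"):
        rx, order = dec.find("regex"), dec.find("order")
        if rx is None or order is None:
            continue
        fields = [f.strip() for f in order.text.split(",") if f.strip()]
        if count_groups(rx.text) != len(fields):
            problems.append((dec.get("name"), count_groups(rx.text), len(fields)))
    return problems

def decode(os_regex: str, order: str, line: str) -> dict:
    """Apply one child decoder's regex and map its groups onto the <order> fields."""
    m = re.search(to_python_regex(os_regex), line)
    return dict(zip([f.strip() for f in order.split(",")], m.groups())) if m else {}

# Constructed samples: a broken child decoder (one capture group more than <order>
# fields), the corrected regex, and a switch line as seen after the syslog header is stripped.
BROKEN = r"""<decoder name="aruba_2930f_fields"><parent>aruba_2930f</parent>
<regex> (\w\w\w \d+) (\d\d:\d\d:\d\d) \d+.\d+.\d+.\d+ \d+ \w+:  \w+: \w+ '(\w+)' \w+ \w+ \w+ (\d+.\d+.\d+.\d+) (\.*)</regex>
<order>date, time, srcuser, srcip</order></decoder>"""
FIXED_REGEX = r" (\w\w\w \d+) (\d\d:\d\d:\d\d) \d+\.\d+\.\d+\.\d+ \d+ \w+:  \w+: \w+ '(\w+)' \w+ \w+ \w+ (\d+\.\d+\.\d+\.\d+)"
ORDER = "date, time, srcuser, srcip"
SAMPLE = "aruba_log Jan 11 08:14:12 10.0.0.5 123 auth:  mgr: User 'admin' logged in from 10.0.0.20"
```

Run `lint_decoders` over the contents of local_decoder.xml before restarting the manager; a non-empty result means the decoder will load but never populate its fields.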