No log collected via syslog with network equipment


Jerome Laroche

Sep 16, 2025, 1:30:11 PM (4 days ago) Sep 16
to Wazuh | Mailing List
Hi!

New distributed installation. It seems like I don't receive any log files from my network equipment via syslog. I receive my Windows agents but that's it.

In the /var/ossec/etc/ossec.conf, I added:
<remote>
  <connection>syslog</connection>
  <port>2000</port>
  <protocol>tcp</protocol>
  <allowed-ips>REDACTED/8</allowed-ips>
  <local_ip>REDACTED</local_ip>
</remote>
<remote>
  <connection>syslog</connection>
  <port>2000</port>
  <protocol>udp</protocol>
  <allowed-ips>REDACTED/8</allowed-ips>
  <local_ip>REDACTED</local_ip>
</remote>

Just to be sure that I receive everything, I set to yes:
    <logall>yes</logall>
    <logall_json>yes</logall_json>

In /etc/filebeat/filebeat.yml, I even enabled archives:
filebeat.modules:
  - module: wazuh
    archives:
      enabled: true

A "tcpdump -s 0 -A host REDACTED and tcp port 2000" command gives me results, I see stuff coming in.

And yes I restarted the wazuh-manager and the filebeat services.

Any ideas? Thanks!

Ian Yenien Serrano

Sep 16, 2025, 3:26:48 PM (4 days ago) Sep 16
to Wazuh | Mailing List
Hi @Jerome, I understand that you only receive alerts via syslog from Windows agents.

When you run the command, is the response something like this?

server:/home/user# tcpdump -s 0 -A host 192.168.1.1 and udp port 514
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

In this case, check the network connectivity/firewall configurations between your devices and the Wazuh server.

Can you check it?

Jerome

Sep 16, 2025, 3:55:15 PM (4 days ago) Sep 16
to Wazuh | Mailing List
Hi!

Oh no, I have stuff, I receive packets from the network equipment so it isn't stopped by a firewall:

root@WAZUHMANAGER:/home/ADMINUSER# tcpdump -s 0 -A host NETWORKEQUIPMENT and tcp port 2000

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:30:47.073768 IP NETWORKEQUIPMENT.13170 > WAZUHMANAGER.cisco-sccp: Flags [S], seq 756849517, win 14600, options [mss 1460,sackOK,TS val 271545050 ecr 0,nop,wscale 10], length 0
E..<=...@...
.@.
2.G3r..-..m......9.3&.........
./r........
15:30:47.073801 IP WAZUHMANAGER.cisco-sccp > NETWORKEQUIPMENT.13170: Flags [S.], seq 3510680415, ack 756849518, win 65160, options [mss 1460,sackOK,TS val 1129241647 ecr 271545050,nop,wscale 7], length 0
E..<..@.@...
2.G
.@...3r.@._-..n....U(.........
CN././r.....
15:30:47.073912 IP NETWORKEQUIPMENT.13170 > WAZUHMANAGER.cisco-sccp: Flags [.], ack 1, win 15, options [nop,nop,TS val 271545050 ecr 1129241647], length 0
E..4=...@...
.@.
2.G3r..-..n.@.`...........
./r.CN./
15:30:47.073954 IP NETWORKEQUIPMENT.13170 > WAZUHMANAGER.cisco-sccp: Flags [F.], seq 1, ack 1, win 15, options [nop,nop,TS val 271545050 ecr 1129241647], length 0
E..4=...@...
.@.
2.G3r..-..n.@.`...........
./r.CN./
15:30:47.074378 IP WAZUHMANAGER.cisco-sccp > NETWORKEQUIPMENT.13170: Flags [.], ack 2, win 510, options [nop,nop,TS val 1129241648 ecr 271545050], length 0
E..4".@.@..@
2.G
.@...3r.@.`-..o....U .....
CN.0./r.
15:30:47.074632 IP WAZUHMANAGER.cisco-sccp > NETWORKEQUIPMENT.13170: Flags [F.], seq 1, ack 2, win 510, options [nop,nop,TS val 1129241648 ecr 271545050], length 0
E..4".@.@..?
2.G
.@...3r.@.`-..o....U .....
CN.0./r.
15:30:47.074683 IP NETWORKEQUIPMENT.13170 > WAZUHMANAGER.cisco-sccp: Flags [.], ack 2, win 15, options [nop,nop,TS val 271545050 ecr 1129241648], length 0
E..4.r@.@..X
.@.
2.G3r..-..o.@.a...........
./r.CN.0
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

Ian Yenien Serrano

Sep 17, 2025, 9:31:29 AM (3 days ago) Sep 17
to Wazuh | Mailing List
In this case, you are most likely missing some decoders and/or custom rules for your events.
You can confirm this since you have logall_json enabled. With this option enabled, your Wazuh server will start saving each event it receives in /var/ossec/logs/archives/archives.json, even if the events do not trigger a rule. There, you can search for your incoming events.

I am sharing the documentation on custom rules and decoders with you.

Jerome

Sep 17, 2025, 11:07:24 AM (3 days ago) Sep 17
to Wazuh | Mailing List
Yeah but it looks like it is not saved at all in the archives.json.

If I do the command:
cat /var/ossec/logs/archives/archives.json | grep IP_OF_A_WORKING_WINDOWS_AGENT
I get results.

If I do the command:
cat /var/ossec/logs/archives/archives.json | grep IP_OF_THE_NETWORK_EQUIPEMENT_SENDING_SYSLOG
I get nothing.

Ian Yenien Serrano

Sep 18, 2025, 10:40:18 AM (2 days ago) Sep 18
to Wazuh | Mailing List
I'm investigating and asking colleagues what the problem might be. In the meantime, could you send me the configuration you made, replacing the IP addresses and mentioning which IP you put in each field?

Example:

<remote>
  <connection>syslog</connection>
  <port>2000</port>
  <protocol>tcp</protocol>
  <allowed-ips><IP_NETWORK_EQUIPEMENT></allowed-ips>
  <local_ip><IP_MANAGER></local_ip>
</remote>

Ian Yenien Serrano

Sep 18, 2025, 11:17:12 AM (2 days ago) Sep 18
to Wazuh | Mailing List
Did you configure the equipment to send the logs to Wazuh Manager?

Jerome

Sep 19, 2025, 8:40:12 AM (yesterday) Sep 19
to Wazuh | Mailing List
Here's the beginning of the ossec.conf:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>

    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>


  <remote>
    <connection>syslog</connection>
    <port>2000</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
    <local_ip>THIS_WAZUH_SERVER_IP</local_ip>
  </remote>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

The network gateway is configured to send its syslog on port 2000, udp protocol. When I do the following command, I see that I receive its syslog:
tcpdump -s 0 -A host GATEWAY_IP and udp port 2000

Result:
2.GY@......<189>1 2025-09-19T12:20:24Z REDACTED - - - - eventtime=1758284425288387097 tz="-0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip= REDACTED    srcport=62653 srcintf=" REDACTED.............
(and a lot of other stuff... too much to redact everything)
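The two checks used in this thread (send syslog to the manager's UDP/2000 listener, then grep archives.json for the sender's IP) as a small added script; this is example code, not part of the thread or of Wazuh. It assumes the manager IP 192.0.2.10 as a placeholder, that remoted records the sender's IP in the `location` field of each archives.json line, and uses constructed sample records rather than a real archive.

```python
import json
import socket
from datetime import datetime, timezone

MANAGER_IP = "192.0.2.10"   # placeholder: the <local_ip> of your Wazuh manager
SYSLOG_PORT = 2000          # the <port> of the udp <remote> block in the thread


def build_rfc5424(hostname, app, msg, pri=189):
    """Build a syslog line in the same RFC 5424 shape the gateway emits:
    '<PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG'."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def send_udp_test(message, host=MANAGER_IP, port=SYSLOG_PORT):
    """Send one datagram to the manager's syslog listener so it can be seen
    with 'tcpdump ... udp port 2000' and then looked up in archives.json."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))


def events_from_source(archive_lines, src_ip):
    """Return archives.json records that came from src_ip.
    Assumption: for remote syslog, Wazuh sets 'location' to the sender IP;
    the full_log substring test mirrors the grep used in the thread."""
    hits = []
    for line in archive_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("location") == src_ip or src_ip in rec.get("full_log", ""):
            hits.append(rec)
    return hits


def load_archive(path="/var/ossec/logs/archives/archives.json"):
    """Read the JSON-lines archive produced by <logall_json>yes</logall_json>."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.readlines()


# Constructed sample: one Windows agent event and one syslog event from 10.0.0.1.
SAMPLE_ARCHIVE = [
    '{"timestamp":"2025-09-19T12:20:24.000-0400","agent":{"id":"001","name":"WIN01","ip":"10.0.0.50"},"location":"EventChannel","full_log":"windows event"}',
    '{"timestamp":"2025-09-19T12:20:25.000-0400","agent":{"id":"000","name":"WAZUHMANAGER"},"location":"10.0.0.1","full_log":"<189>1 2025-09-19T12:20:24Z fw - - - - eventtime=1758284425288387097 type=traffic"}',
]

if __name__ == "__main__":
    send_udp_test(build_rfc5424("testhost", "wazuh-check", "syslog pipeline test"))
    print(len(events_from_source(SAMPLE_ARCHIVE, "10.0.0.1")), "event(s) from 10.0.0.1")
```

If the test datagram shows up in tcpdump but never in archives.json, the problem is in the manager's own remote block (port, protocol, allowed-ips or local_ip) rather than in decoders or rules.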