Cannot receive ESET PROTECT server on Wazuh


Hùng Trần Thanh

Oct 14, 2024, 12:31:49 AM
to Wazuh | Mailing List
Hi everyone,
Hope you're doing well.
I'm new to Wazuh.
Today I need to send all the ESET PROTECT server logs (syslog) to the Wazuh server.
I enabled the configuration on my ESET PROTECT server (Syslog server | ESET PROTECT On-Prem 11.1 | ESET Online Help).
I also installed the agent on this server and created the decoder & rules on the Wazuh server:
Decoder :
<!-- Modify it at your will. -->
<!-- Parent decoder: matches the "HOSTNAME APP-NAME" part of the RFC 5424 header
     that ESET PROTECT puts in front of the JSON body. -->
<decoder name="ESET">
  <prematch> ESETSRV ERAServer </prematch>
</decoder>
<!-- Child: syslog timestamp and hostname from the header. -->
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>\d (\d+-\d+-\.+:\d+:\d+.\.+) ESETSRV (\.+ \.+) - - </regex>
  <order>timestamp,hostname</order>
</decoder>
<!-- Child: full Audit_Event-style JSON body. Every value is stored with an eset_ prefix,
     so rules have to reference eset_event_type / eset_severity, not event_type / severity.
     (The original regex was missing the closing quote after source_uuid and had a stray
     "." after the detail group, so it never matched.) -->
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>{"event_type":"(\w+)","ipv4":"(\.+)","hostname":"(\.+)","source_uuid":"(\.+)","occured":"(\.+)","severity":"(\.+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.*)","result":"(\.+)"}</regex>
  <order>eset_event_type,eset_ipv4,eset_hostname,eset_source_uuid,eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>
<!-- Child: fallback for bodies where only the tail of the JSON is present. -->
<decoder name="ESET-child">
  <parent>ESET</parent>
  <regex>"occured":"(\.+)","severity":"(\w+)","domain":"(\.+)","action":"(\.+)","detail":"(\.+)","user":"(\.+)","result":"(\.+)"}</regex>
  <order>eset_occured,eset_severity,eset_domain,eset_action,eset_detail,eset_user,eset_result</order>
</decoder>


Rule :
<!-- Modify it at your will. -->
<!-- The <field> names must match what the decoder stores (eset_event_type, eset_severity).
     The decoder never sets plain event_type / severity, so with those names no child rule fires. -->
<group name="eset,">

    <rule id="770000" level="0">
        <decoded_as>ESET</decoded_as>
        <description>Eset Console Logs</description>
    </rule>

    <rule id="770001" level="3">
        <if_sid>770000</if_sid>
        <field name="eset_event_type">^Threat_Event$</field>
        <description>Eset: Threat Event rules Group</description>
        <group>threat_event,</group>
    </rule>

    <rule id="770002" level="3">
        <if_sid>770000</if_sid>
        <field name="eset_event_type">^FirewallAggregated_Event$</field>
        <description>Eset: Firewall Aggregated rules Group</description>
        <group>firewallaggregated_event,</group>
    </rule>

    <rule id="770003" level="3">
        <if_sid>770000</if_sid>
        <field name="eset_event_type">^HipsAggregated_Event$</field>
        <description>Eset: HIPS Aggregated rules Group</description>
        <group>hipsaggregated_event,</group>
    </rule>

    <rule id="770004" level="2">
        <if_sid>770000</if_sid>
        <field name="eset_event_type">^Audit_Event$</field>
        <description>Eset: Audit rules Group</description>
        <group>audit_event,</group>
    </rule>

    <rule id="770005" level="3">
        <if_sid>770000</if_sid>
        <field name="eset_event_type">^EnterpriseInspectorAlert_Event$</field>
        <description>Eset: Enterprise Inspector Alert rules Group</description>
        <group>enterpriseinspectoralert_event,</group>
    </rule>

    <!-- The original 770006 was an exact copy of 770005 (same field, same value) and could
         never be reached, so it is dropped here. -->

    <!-- Severity rules: $(hostname) comes from the header child decoder. -->
    <rule id="770010" level="5">
        <if_sid>770000</if_sid>
        <field name="eset_severity">^Warning$</field>
        <description>Eset: Warning message was logged from $(hostname)</description>
    </rule>

    <rule id="770011" level="7">
        <if_sid>770000</if_sid>
        <field name="eset_severity">^Error$</field>
        <description>Eset: Error message was logged from $(hostname)</description>
    </rule>

    <rule id="770012" level="9">
        <if_sid>770000</if_sid>
        <field name="eset_severity">^Critical$</field>
        <description>Eset: Critical message was logged from $(hostname)</description>
    </rule>
</group>

However, my Wazuh cannot receive and display the logs from the ESET PROTECT server.
Please advise.
Thanks in advance.
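An added example, not part of the original post, that reproduces in Python what the decoder and rules above are meant to do, so the field-name mismatch can be seen without a Wazuh manager: the posted decoder stores every JSON key as eset_<key>, while the posted rules test event_type and severity, which are never set. The two input lines are constructed here in the shape ESET PROTECT's "Syslog" (RFC 5424) format produces; the exact header ESET emits and the rule-selection assumption (among sibling rules the highest-level match wins) are assumptions, not taken from the page.

```python
import json
import re

# Constructed sample input (not from the page): two RFC 5424 lines in the shape
# ESET PROTECT's "Syslog" format produces, with an Audit_Event body and a trimmed
# Threat_Event body. The header layout is an assumption; compare with the raw
# line in archives.json and adjust HEADER if yours differs.
SAMPLE_LINES = [
    '<14>1 2024-10-14T00:31:49.000Z ESETSRV ERAServer - - - '
    '{"event_type":"Audit_Event","ipv4":"192.0.2.10","hostname":"ESETSRV",'
    '"source_uuid":"00000000-0000-0000-0000-000000000000",'
    '"occured":"14-Oct-2024 00:31:49","severity":"Information",'
    '"domain":"Native user","action":"Login attempt",'
    '"detail":"Authenticating native user \'Administrator\'.",'
    '"user":"Administrator","result":"Success"}',
    '<14>1 2024-10-14T00:32:05.000Z ESETSRV ERAServer - - - '
    '{"event_type":"Threat_Event","ipv4":"192.0.2.55","hostname":"WS-042",'
    '"source_uuid":"11111111-1111-1111-1111-111111111111",'
    '"occured":"14-Oct-2024 00:32:05","severity":"Critical",'
    '"threat_name":"Eicar test file","action":"cleaned by deleting"}',
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"\S+ \S+ \S+ (?P<msg>\{.*\})$"
)

# Mirrors the posted child rules: (rule id, level, decoded field, expected value).
RULES = [
    (770001, 3, "eset_event_type", "Threat_Event"),
    (770002, 3, "eset_event_type", "FirewallAggregated_Event"),
    (770003, 3, "eset_event_type", "HipsAggregated_Event"),
    (770004, 2, "eset_event_type", "Audit_Event"),
    (770005, 3, "eset_event_type", "EnterpriseInspectorAlert_Event"),
    (770010, 5, "eset_severity", "Warning"),
    (770011, 7, "eset_severity", "Error"),
    (770012, 9, "eset_severity", "Critical"),
]


def decode(line):
    """Return the fields a corrected ESET decoder would produce, or None when the
    line is not an ERAServer message (the equivalent of the prematch failing)."""
    m = HEADER.match(line)
    if not m or m.group("app") != "ERAServer":
        return None
    try:
        body = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    fields = {"timestamp": m.group("timestamp"), "hostname": m.group("hostname")}
    # Same naming as the decoder's <order>: every JSON key is stored as eset_<key>.
    # A rule written as <field name="event_type"> therefore never matches.
    for key, value in body.items():
        fields["eset_" + key] = value if isinstance(value, str) else json.dumps(value)
    return fields


def match_rule(fields):
    """Pick the child rule that fires. Assumption: sibling rules are tried
    highest level first, so a Critical Threat_Event lands on 770012 (level 9),
    not on 770001 (level 3)."""
    hits = [r for r in RULES if fields.get(r[2]) == r[3]]
    if not hits:
        return 770000, 0  # only the parent rule (level 0, no alert)
    rule_id, level, _, _ = max(hits, key=lambda r: r[1])
    return rule_id, level


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = decode(line)
        print(fields["eset_event_type"], fields["eset_severity"], "->", match_rule(fields))
```

The same check against the real ruleset is `/var/ossec/bin/wazuh-logtest` on the manager: paste one line from archives.json and confirm that phase 2 shows the eset_ fields and phase 3 the expected rule id.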



ismail....@wazuh.com

Oct 15, 2024, 1:33:27 AM
to Wazuh | Mailing List
Hi,

The Wazuh server can collect logs via syslog from endpoints such as firewalls, switches, routers, and other devices that don't support the installation of Wazuh agents.

Option 1: Configuring Syslog on the Wazuh server

You need to follow this guide to configure it before sending the syslog to the Wazuh Manager:
  1. Add the following configuration in between the <ossec_config> tags of the Wazuh server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:
Note: Below is the sample configuration; refer to the Wazuh documentation for more info. Open /var/ossec/etc/ossec.conf, add the configuration below and save it.
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <!-- 0.0.0.0/0 accepts syslog from any source; narrow this to the ESET PROTECT server's address in production -->
  <allowed-ips>0.0.0.0/0</allowed-ips>
</remote>
  2. Restart the Wazuh manager to apply the changes:
systemctl restart wazuh-manager
  3. Ensure port 514 is listening; use the following command to check it.
netstat -tulnp | grep 514

Configuring Syslog on the ESET PROTECT Server:
To configure Syslog forwarding from the ESET PROTECT Server to the Wazuh Manager, navigate to the Syslog Configuration section as per the instructions in the documentation you shared.
Note: Ensure connectivity, i.e. that port 514 is open and accessible from the ESET PROTECT Server to the Wazuh Manager server.
Host: Wazuh manager server IP
Port: 514
Format: Try both BSD and syslog
Transport: UDP
Once the configuration is completed, you can check the logs on the Wazuh manager server in archives.json | alerts.json | tcpdump:
cat /var/ossec/logs/alerts/alerts.json
cat /var/ossec/logs/archives/archives.json
tcpdump -i any port 514 -AA
Note: Wazuh decoders and rules: ESET logs may not be parsed correctly by default. You may need to create a custom decoder in Wazuh for specific log formats. Please find the Wazuh documentation reference links:
Decoders Syntax - Ruleset XML syntax · Wazuh documentation
Creating decoders and rules from scratch | Wazuh
Custom decoders - Decoders · Wazuh documentation
Option 2:
Here you will find the steps to configure a syslog server with rsyslog and a Wazuh agent to receive the logs from network devices, store them, and forward them to the Wazuh Manager:
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux
The Linux machine configuration involves the following steps:

Set Up Rsyslog on Linux Host:
  • Install Rsyslog (if not already installed):
sudo apt-get install rsyslog

Configure Rsyslog to Receive Logs:
  • Open the rsyslog configuration file:
sudo nano /etc/rsyslog.conf
  • For TCP (recommended), add these lines:
$ModLoad imtcp
$InputTCPServerRun 514
  • For UDP, add these lines:
$ModLoad imudp
$UDPServerRun 514

Configure Network Device to Send Logs to Rsyslog:
  • Ensure the network device is configured to send logs via Syslog to the IP address of your Linux host running rsyslog on port 514.

Configure Rsyslog to Forward Logs to a File:
  • In the /etc/rsyslog.conf file, add
# write everything from the device to its own file, then discard it ("& ~") so it is
# not also written to the default log files; newer rsyslog spells the discard "& stop"
if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<file_name.log>
& ~
Replace REMOTE_DEVICE_IP with the IP or network of your network devices and <file_name.log> with your desired log file name.

Deploy Wazuh Agent on the Same Device:
  • Install Wazuh Agent: Follow the Wazuh installation guide for your Linux distribution to install the agent.
  • Configure Wazuh Agent to Read the Log File:
  • Edit the Wazuh agent configuration file:
sudo nano /var/ossec/etc/ossec.conf
  • Add the following within the <ossec_config> tag:
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/<file_name.log></location>
</localfile>
Replace <file_name.log> with the log file name you specified earlier.

Restart Services:
sudo systemctl restart rsyslog
sudo systemctl restart wazuh-agent

Please refer to the Wazuh documentation for more reference:
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html
I hope this information helps you. Please feel free to reach out to us for any information/issues.
Regards,
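An added example, not part of the reply above or of any Wazuh or ESET tooling: a small Python probe that builds a test message in each of the two header formats the ESET syslog settings offer ("syslog" = RFC 5424, "BSD" = RFC 3164) and sends it over UDP, so the listener on the manager and the decoder can be checked from any host before ESET itself is pointed at it. Everything in it is assumed or constructed: PRI <14> (user.info), the fixed timestamp, the ESETSRV / ERAServer names reused from the poster's decoder prematch, and the JSON payload.

```python
import socket
import sys
from datetime import datetime, timezone

# PRI = facility * 8 + severity; user-level (1) + informational (6) = <14>.
# Assumption: this is a common choice, not verified against what ESET sends.
PRI = 1 * 8 + 6


def build_message(payload, fmt="syslog", hostname="ESETSRV", app="ERAServer", when=None):
    """Wrap a payload in the header for the two formats ESET offers:
    "syslog" = RFC 5424, "bsd" = RFC 3164. `when` defaults to a fixed
    time so the output is reproducible."""
    when = when or datetime(2024, 10, 14, 0, 31, 49, tzinfo=timezone.utc)
    if fmt == "syslog":
        ts = when.strftime("%Y-%m-%dT%H:%M:%S.000Z")
        # VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
        return f"<{PRI}>1 {ts} {hostname} {app} - - - {payload}"
    if fmt == "bsd":
        ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # e.g. "Oct  5 01:02:03"
        return f"<{PRI}>{ts} {hostname} {app}: {payload}"
    raise ValueError(f"unknown format {fmt!r}")


def send_udp(message, host, port):
    """One UDP datagram per message, matching the Transport: UDP setting."""
    data = message.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))
    return len(data)


def loopback_check(message):
    """Bind a throwaway UDP listener on 127.0.0.1, send the message to it and
    return what arrived: a quick check that the datagram is well formed, with
    no tcpdump or root needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(message, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


# Constructed payload with the key names of an ESET Audit_Event body.
SAMPLE_PAYLOAD = (
    '{"event_type":"Audit_Event","ipv4":"192.0.2.10","hostname":"ESETSRV",'
    '"source_uuid":"00000000-0000-0000-0000-000000000000",'
    '"occured":"14-Oct-2024 00:31:49","severity":"Information",'
    '"domain":"Native user","action":"Login attempt",'
    '"detail":"Authenticating native user \'Administrator\'.",'
    '"user":"Administrator","result":"Success"}'
)

if __name__ == "__main__":
    # usage: python3 eset_syslog_probe.py <manager-ip> [514]   (file name is hypothetical)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    for fmt in ("syslog", "bsd"):
        msg = build_message(SAMPLE_PAYLOAD, fmt)
        ok = loopback_check(msg) == msg
        sent = send_udp(msg, host, port)
        print(f"{fmt}: loopback ok={ok}, sent {sent} bytes to {host}:{port}")
```

After running it against the manager, the two lines should appear in /var/ossec/logs/archives/archives.json (archives must be enabled in ossec.conf); if they are there but undecoded, the problem is the decoder, and if they are absent, it is the listener or the network path.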