Wazuh and Jumpcloud Data


Lucas Brictson

Feb 13, 2023, 9:00:34 PM
to Wazuh mailing list
Does Wazuh have a mechanism to ingest logs/data from Jumpcloud?  I know you can use Jumpcloud for SSO login to Wazuh dashboard, but I am interested in gathering the security events from Jumpcloud itself.

Thanks for any info!

Aditya Sharma

Feb 13, 2023, 10:11:11 PM
to Wazuh mailing list
Hello team,

I hope you are having a good day!

If you want to monitor logs from any source where you cannot install wazuh-agent, the recommended procedure is to forward the logs to a server that has a Wazuh agent installed, for better resource management and for features such as log buffering.

If your log source has the option to send remote logs to an endpoint with IP address and port, then you can use that feature. Additionally, you can use rsyslog to forward logs. Depending on the operating system, the configuration involves the following steps:

Set up the syslog listener (see the rsyslog documentation).

Configure the syslog listener to forward the events to a file.

Configure the Wazuh agent to read the previous file.

Guideline:
Use rsyslog on a Linux host with a Wazuh agent to log to a file and send those logs to the environment.

Configure rsyslog to receive syslog events, then set either TCP or UDP by editing /etc/rsyslog.conf.

For TCP (recommended):

$ModLoad imtcp
$InputTCPServerRun <PORT>

For UDP:

$ModLoad imudp
$UDPServerRun <PORT>

Change <PORT> to whatever you want; it can be the default, 514.

Make sure to configure your SmartVista application to allow this communication and forward the logs to this server's IP address and specified port.

Configure rsyslog to forward events to a file:

Edit /etc/rsyslog.conf

# Storing Messages from a Remote System into a specific File
if $fromhost-ip startswith 'xxx.xxx.xxx.' then /var/log/<file_name.log>
& ~

Change 'xxx.xxx.xxx.' to the IP or network of the sender device, for example '192.168.0.', and make sure to replace <file_name.log> with the name chosen for this log.

Deploy a Wazuh agent on the same device that receives the events from the rsyslog and configure the agent to read the syslog output file by editing /var/ossec/etc/ossec.conf.

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/<file_name.log></location>
</localfile>

Restart rsyslog and wazuh-agent to apply the changes.

systemctl restart rsyslog
systemctl restart wazuh-agent

Documentation:


Once you succeed in forwarding these logs to the Wazuh manager, you may need to prepare custom decoders and rules to decode these logs properly and trigger alerts for the expected cases. You can review this documentation to learn more about creating custom decoders and rules:


I hope it helps. Please let me know if you need any further help here.

Regards,
Aditya Sharma
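The three configuration pieces in the reply above (rsyslog listener, per-sender file rule, Wazuh localfile block) are easy to get subtly wrong by hand. The script below is an added example, not code from the thread or from the Wazuh project: it renders each piece from parameters, derives the `startswith` prefix from a CIDR so the trailing dot is never forgotten, and shows why that dot matters (a prefix of '10.0.1' also matches senders in 10.0.10.0/24 and 10.0.100.0/24, so an unrelated host could write into the file the agent reads). The file name jumpcloud.log and the 10.0.1.0/24 network are constructed values for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET


def listener_conf(proto: str, port: int = 514) -> str:
    """Render the rsyslog input lines from the reply for TCP or UDP."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if proto == "tcp":
        return f"$ModLoad imtcp\n$InputTCPServerRun {port}\n"
    if proto == "udp":
        return f"$ModLoad imudp\n$UDPServerRun {port}\n"
    raise ValueError(f"unknown protocol: {proto}")


def sender_prefix(network: str) -> str:
    """Turn a CIDR such as 10.0.1.0/24 into the dotted prefix that
    `$fromhost-ip startswith` expects, including the trailing dot.
    startswith is a plain string comparison, so only octet-aligned
    IPv4 networks map onto it cleanly."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("startswith filtering needs an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split(".")
    return ".".join(octets[: net.prefixlen // 8]) + "."


def prefix_matches(prefix: str, sender_ip: str) -> bool:
    """Emulate rsyslog's startswith test on the sender address."""
    return sender_ip.startswith(prefix)


def file_rule(prefix: str, file_name: str) -> str:
    """Render the rule that stores a remote sender's messages in one file
    and then discards them (the `& ~` line) so they are not logged twice."""
    if not prefix.endswith("."):
        raise ValueError("prefix must end with '.' or it matches neighbouring networks")
    if "/" in file_name or file_name.startswith("."):
        raise ValueError("file_name must be a bare file name under /var/log")
    return (
        "# Storing Messages from a Remote System into a specific File\n"
        f"if $fromhost-ip startswith '{prefix}' then /var/log/{file_name}\n"
        "& ~\n"
    )


def localfile_xml(path: str) -> str:
    """Build the <localfile> block for ossec.conf with an XML library so the
    path is escaped correctly (the literal <file_name.log> placeholder in the
    reply would not parse until replaced)."""
    lf = ET.Element("localfile")
    ET.SubElement(lf, "log_format").text = "syslog"
    ET.SubElement(lf, "location").text = path
    return ET.tostring(lf, encoding="unicode")


if __name__ == "__main__":
    # Constructed values for the example: a /24 sender network and a log name.
    prefix = sender_prefix("10.0.1.0/24")
    print(listener_conf("tcp"))
    print(file_rule(prefix, "jumpcloud.log"))
    print(localfile_xml("/var/log/jumpcloud.log"))
    # Without the trailing dot, a sender in 10.0.10.0/24 would also match.
    print(prefix_matches("10.0.1", "10.0.10.7"), prefix_matches(prefix, "10.0.10.7"))
```

Paste the rendered lines into /etc/rsyslog.conf and the `<localfile>` block into /var/ossec/etc/ossec.conf, then restart both services as the reply describes.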