Syslog Messages Not Showing in Discover


Grayden Odum

Jul 29, 2023, 12:44:20 PM
to Wazuh mailing list
Hello, hoping someone can help me troubleshoot my syslog messages from my opnsense firewall showing up in the OpenSearch Discover tab. I have run a tcpdump to verify the messages are being received by the wazuh manager, but I only see a handful of log events in Discover compared to the many that are being sent over.

Someone suggested that this might be the decoder. However, when running a ruleset test I am seeing that both of the following events match the default "pf" decoder, but only one is showing in discover.

This log event is the only one showing in the "Discover" tab in Wazuh:

Jul 29 03:43:47 OPNsense.homelab filterlog[20441]: 61,,,1eb94a38e58994641aff378c21d5984f,hn0,match,block,in,4,0x0,,255,6503,0,none,17,udp,862,192.168.1.101,224.0.0.251,5353,5353,842

And this event is not appearing, however it is also matching the "pf" decoder when running this through ruleset test:

Jul 29 04:00:25 OPNsense.homelab filterlog[20441]: 61,,,43ea6918b7b9f7b3a09ad8a5bbdb6dc,hn0,match,pass,out,4,0x0,,127,52573,0,none,17,udp,,76,192.168.1.254,40.119.6.228.10390,123,56

Does anybody know what might be the issue here?

Bin Do Tuan Anh

Aug 4, 2023, 8:37:08 AM
to Wazuh mailing list
Hi, 

Wazuh by default does not display all the logs coming to the Wazuh Manager. It is designed to display security-related information (alerts).

And even though in the logtest the decoder could catch it, please let me know whether it triggered any rules. Out of the box, Wazuh only considers a log an alert if it has level 3 or higher. This can be changed in /var/ossec/etc/ossec.conf via <log_alert_level>. For more information you can check it here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html#log-alert-level

Also, in case you want to have all the logs in the Discover tab, you can enable what is called archives. But please be aware that Wazuh archives retain logs collected from all monitored endpoints, therefore consuming significant storage resources on the Wazuh server over time. So, it is important to consider the impact on disk space and performance before enabling them.

Additionally, please take a look at this blog post to understand how to create your own custom rules/decoders; this way you would be able to configure the response specifically for you.

Best regards,
Bin. 
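To see exactly which fields differ between the two events from the first post (action and direction, among others), and to catch a record whose columns have shifted, here is a small parser for the pf filterlog record format. It is an added example, not code from either post or from Wazuh or OPNsense; it assumes the filterlog CSV layout for IPv4 UDP records as documented by OPNsense/pfSense, and the third sample line is constructed. The second line, as quoted in the thread, fails the value checks because its columns are shifted.

```python
import ipaddress
import re

# Layout of an OPNsense/pfSense filterlog IPv4 UDP record (assumed from the filterlog CSV format).
COMMON = ("rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver")
IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst")
L4 = {"udp": ("sport", "dport", "datalen")}
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"filterlog\[(?P<pid>\d+)\]: (?P<csv>.*)$")

def parse_filterlog(line):
    """Return the record as a dict, or raise ValueError if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a filterlog syslog line")
    fields = m.group("csv").split(",")
    proto = fields[16] if len(fields) > 16 else ""   # position of "proto" in the layout
    names = COMMON + IPV4 + L4.get(proto, ())
    if len(fields) != len(names):
        raise ValueError(f"expected {len(names)} fields for IPv4 {proto!r}, got {len(fields)}")
    rec = dict(zip(names, fields), ts=m.group("ts"), host=m.group("host"))
    # Strict value checks: a garbled record often keeps its field count but shifts columns.
    for key in ("src", "dst"):
        ipaddress.ip_address(rec[key])
    for key in ("ttl", "length", "sport", "dport", "datalen"):
        int(rec[key])
    return rec

def triage(lines):
    """Split lines into parsed records and (line, reason) pairs that failed."""
    parsed, malformed = [], []
    for line in lines:
        try:
            parsed.append(parse_filterlog(line))
        except ValueError as exc:
            malformed.append((line, str(exc)))
    return parsed, malformed

def differing_fields(a, b):
    """Fields whose values differ between two records, e.g. action and dir."""
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}

# First two lines are the events quoted in the thread; the third is constructed (TEST-NET destination).
SAMPLE_LINES = [
    "Jul 29 03:43:47 OPNsense.homelab filterlog[20441]: 61,,,1eb94a38e58994641aff378c21d5984f,hn0,match,block,in,4,0x0,,255,6503,0,none,17,udp,862,192.168.1.101,224.0.0.251,5353,5353,842",
    "Jul 29 04:00:25 OPNsense.homelab filterlog[20441]: 61,,,43ea6918b7b9f7b3a09ad8a5bbdb6dc,hn0,match,pass,out,4,0x0,,127,52573,0,none,17,udp,,76,192.168.1.254,40.119.6.228.10390,123,56",
    "Jul 29 04:00:25 OPNsense.homelab filterlog[20441]: 61,,,43ea6918b7b9f7b3a09ad8a5bbdb6dc,hn0,match,pass,out,4,0x0,,127,52573,0,none,17,udp,76,192.168.1.254,203.0.113.10,10390,123,56",
]
```

Running `triage(SAMPLE_LINES)` yields two parsed records and one malformed line; `differing_fields` on the two parsed records shows `action` (block vs pass) and `dir` (in vs out) among the differences, which is what to look for when checking which pf rule each event hits in the ruleset test.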