analyze existing syslog store


Jake Peltz

Oct 10, 2022, 1:27:40 PM
to Wazuh mailing list
We are interested in exploring Wazuh but are already collecting syslogs on a Red Hat server. Would we place an agent on that server and use the ossec.conf file localfile section to have Wazuh monitor our existing log file directories?

thanks

Henadence Anyam

Oct 10, 2022, 1:55:24 PM
to Wazuh mailing list
Hello Jake,
Thank you for using Wazuh.

Wazuh is able to send and receive messages via Syslog. Syslog allows machines where the Wazuh agent cannot be installed to report events. 
Since you already have a syslog client installed, you can just configure the Wazuh server to receive syslog messages. 
Follow this guide to configure your Wazuh server to receive syslog events. Ensure that your configuration matches that of the syslog client.

Another case is to install the Wazuh agent which automatically collects syslog events out of the box without further configuration.

Let me know if that helps.

Best regards.

Jake Peltz

Oct 10, 2022, 4:21:51 PM
to Wazuh mailing list
Instead of sending syslogs to Wazuh we're trying to leverage our existing system that collects syslogs from all our devices and stores them in plaintext files. From the guide link you sent it looks like the 'Storing syslog logs in a plaintext file and monitoring it with Wazuh' feature may be an option. Is that correct?

thanks

Henadence Anyam

Oct 11, 2022, 2:18:46 AM
to Wazuh mailing list
That is correct.
In that case, install the Wazuh agent and edit the /var/ossec/etc/ossec.conf configuration file to point to the log location as shown in the guide.
Then restart the Wazuh service.

Best regards.
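The localfile configuration the thread refers to, as an added example that is not part of the original messages or the Wazuh project's documentation. It assumes the collector writes one plaintext file per device under /var/log/syslog-store/ (an assumed path; substitute your own) and goes into /var/ossec/etc/ossec.conf on the agent installed on that Red Hat server.

```xml
<!-- Added example, not from the thread or the Wazuh project. The directory
     /var/log/syslog-store/ and the file names under it are assumptions. -->
<ossec_config>
  <!-- One file per device: a glob picks up files for new devices without
       further edits, as long as they match the pattern. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-store/*.log</location>
    <!-- Only forward lines written after the agent starts, so the backlog
         already sitting in the store is not replayed into the manager. -->
    <only-future-events>yes</only-future-events>
  </localfile>

  <!-- A single aggregated file can also be listed explicitly; without
       only-future-events the existing contents are read from the beginning. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog-store/firewall.log</location>
  </localfile>
</ossec_config>
```

After saving, restart the agent with `systemctl restart wazuh-agent` and check /var/ossec/logs/ossec.log to confirm the files were picked up by logcollector.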
