Remote syslog failed.


Alberto García

May 23, 2022, 6:02:10 AM
to Wazuh mailing list

Hello.
I'm deploying Wazuh 4.3.1 in Docker containers and I'm facing a problem related to the rsyslog daemon. I have configured ossec.conf to allow receiving logs through port 514, as usual, but it doesn't show any alert in the dashboard. I have used tcpdump to check whether logs arrive at the server, but they don't. For each syslog error, I receive the following message in tcpdump:


<IP>.167370 IP <IP>.60152 > 10.0.2.25.syslog: SYSLOG daemon.error, length: 66


In the previous version (v4.2.6), the syslog error arrived in raw format, as expected. I've checked the status of rsyslog through systemctl and it is up and running.


I would appreciate your help or any recommendation to fix the problem.



Thanks in advance. Best regards.

Pablo Ariel Gonzalez

May 26, 2022, 8:26:58 PM
to Wazuh mailing list
Hi Alberto, it will be a pleasure to analyze this inconvenience with you.

From what I see you have configured Wazuh Manager to be able to receive syslog events. This requires that you have configured the appropriate section in the /var/ossec/etc/ossec.conf file and have a syslog service installed and configured, for example rsyslog.

To make this configuration you could use the article included in the Wazuh blog where this configuration is detailed.

In case you have configured and verified what you mentioned above and still have problems, we could carry out the following test. If you try to connect to the IP and port assigned to syslog in Wazuh Manager from another server, is the connection successful? This can be verified using the following command:

For a TCP connection:
  nc -zv wazuh_manager_ip wazuh_manager_port

For a UDP connection:
  nc -zvu wazuh_manager_ip wazuh_manager_port


With this information we can continue to analyze the problem if necessary.


Thanks,
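A loopback check that exercises the same path the nc probe above tests, written here as an added example (it is not Wazuh's code or anything posted in this thread): it builds an RFC 3164 syslog datagram, sends it over UDP, receives it on a throwaway listener and parses the PRI field back into the facility/severity pair that tcpdump prints as "daemon.error". The hostname, tag, PID and message text are constructed sample values.

```python
"""Loopback check for a UDP syslog collector plus an RFC 3164 encoder/parser.

Constructed example, not from the Wazuh project. Hostnames, tags, PID and
message text are made-up sample values.
"""
import re
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset). The
# severity "err" is what tcpdump prints as "error".
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
_FACILITY_BY_CODE = {v: k for k, v in FACILITY.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITY.items()}

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri):
    """Inverse of encode_pri; this split is what tcpdump shows as 'daemon.error'."""
    return (_FACILITY_BY_CODE.get(pri // 8, str(pri // 8)),
            _SEVERITY_BY_CODE.get(pri % 8, str(pri % 8)))


def build_message(facility, severity, hostname, tag, text, pid=None, when=None):
    """Serialize one RFC 3164 event to bytes."""
    when = when or datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded, not zero-padded.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {tag_part}: {text}".encode()


def parse_message(data):
    """Parse an RFC 3164 datagram into a dict, or return None if it is not syslog."""
    m = _RFC3164.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": facility, "severity": severity, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def send_udp(payload, host, port):
    """Send one datagram; point this at the manager IP and 514 for a real probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def loopback_check(timeout=2.0):
    """Bind a throwaway UDP listener on loopback, send one event to it and
    return the parsed event, or None if nothing arrived within the timeout."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.settimeout(timeout)
    try:
        port = listener.getsockname()[1]
        payload = build_message("daemon", "err", "webhost01", "sshd",
                                "constructed test event", pid=4242)
        send_udp(payload, "127.0.0.1", port)
        data, _ = listener.recvfrom(2048)
    except socket.timeout:
        return None
    finally:
        listener.close()
    return parse_message(data)


if __name__ == "__main__":
    print(loopback_check())
```

Pointing send_udp at the manager's address and port 514 is the same operation as the loopback run; the datagram then has to be accepted by the manager, which only takes syslog from sources listed in `<allowed-ips>` of the syslog `<remote>` block, and, in a Docker deployment, the container must publish 514/udp. A "succeeded" from `nc -zvu` only means no ICMP port-unreachable came back, so an actual datagram that is then found in the manager's logs is the more conclusive test for UDP.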

Alberto García

May 31, 2022, 2:47:49 AM
to Wazuh mailing list

Hello. Thank you for your reply.

My ossec.conf file is configured as it comes in the article and the logs arrive inside the container, but they do not show in the Wazuh Dashboard. Also, I have checked Filebeat and it works fine without any error.

However, the logs I get through agents are displaying correctly.

Thanks for your help.

Pablo Ariel Gonzalez

Jun 12, 2022, 4:13:12 PM
to Wazuh mailing list
Hi Alberto.

Could you share your ossec.conf file, please? It would also be helpful if you can send the output of this command to see the service and port status:

systemctl status wazuh-manager; netstat -utonap | grep 514


Thanks,