Forwarding logs from a syslog server to wazuh


Del Eldorado

Mar 15, 2024, 8:46:48 AM
to Wazuh | Mailing List
Hello,

I have a syslog server in my environment that collects firewall and network device logs. I have installed Wazuh on another server; how do I forward logs from my already existing syslog server to Wazuh?



Olusegun Adenrele Oyebo

Mar 15, 2024, 12:42:43 PM
to Wazuh | Mailing List
Hello Del,

Thanks for reaching out.

Since you have a centralized syslog server, you can use rsyslog on a Linux host with a Wazuh agent to log to a file and send those logs to the Wazuh environment.

Configuring rsyslog on Linux:

  • Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file.

    For TCP:
        $ModLoad imtcp
        $InputTCPServerRun <PORT>

    For UDP:
        $ModLoad imudp
        $UDPServerRun <PORT>

    Make sure to review your firewall/SELinux configuration to allow this communication.

  • Configure rsyslog to forward events to a file by editing the /etc/rsyslog.conf file.

    Storing messages from a remote system into a specific file:
        if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<FILE_NAME.log>
        & ~

    To perform the following steps, make sure to replace <FILE_NAME.log> with the name chosen for this log.

  • Deploy a Wazuh agent on the same endpoint with rsyslog installed.

  • Configure the agent to read the syslog output file by editing the /var/ossec/etc/ossec.conf file:
        <localfile>
          <log_format>syslog</log_format>
          <location>/var/log/<FILE_NAME.log></location>
        </localfile>

  • Run the commands below to restart rsyslog and the Wazuh agent:
        systemctl restart rsyslog
        systemctl restart wazuh-agent


You can check the below link for more information:
I hope this helps. We remain attentive to your queries.

Best regards

Olusegun Adenrele Oyebo

Mar 18, 2024, 8:11:04 AM
to Wazuh | Mailing List
Hello Del,

In addition to my previous mail, another way you can achieve this is by configuring your Wazuh manager to receive syslog events from the syslog server. First of all, you'll need to include the below sample block of configuration in your Wazuh server's /var/ossec/etc/ossec.conf and restart the Wazuh manager service (systemctl restart wazuh-manager) for the configuration to be applied.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/24</allowed-ips>
  <local_ip>10.0.0.1</local_ip>
</remote>


Then on your syslog server, configure the file /etc/rsyslog.conf and add the IP address of the Wazuh manager server which will indicate to which server the messages will be sent. For example, let's say that the Wazuh manager IP address is 10.0.0.1 where the port is 514 via UDP:
*.* @10.0.0.1:514

Add the below configuration to send a message via TCP:
*.* @@10.0.0.1:514

The configuration files found in /etc/rsyslog.d determine which messages will be sent. If you want to forward a specific log file, you can create a configuration file in this folder. This file must have the extension .conf. Now add the following configuration to this file:
$ModLoad imfile
$InputFileName /var/log/program_file.log
$InputFileTag my_program
$InputFileStateFile program_file
$InputFileSeverity info
$InputRunFileMonitor


Finally, you'll need to restart the rsyslog service to apply the changes:
    systemctl restart rsyslog
You can also check the below link for more information on how to go about the configuration:
I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.