Hi,
Thank you for using Wazuh.
To integrate a network device, you can use Remote Syslog. These are the steps to configure it
On your Wazuh manager, locate the file /var/ossec/etc/ossec.conf
Enter the configuration below:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>ip_of_network_device</allowed-ips>
<local_ip>local_ip_of_manager</local_ip>
</remote>
Configure your network device to forward its logs to the Wazuh manager using the syslog protocol.
Restart the Wazuh manager using the command:
systemctl restart wazuh-manager
Here I share a link with information about Remote Syslog
It will probably be necessary to create decoders and rules for the logs. I would recommend the custom decoders documentation page; it will help you create your ruleset.
Also, the wazuh-logtest tool can help with the whole process: https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/how-it-works.html
I hope it helps.
Best regards, Pedro Nicolas.
Hi,
Syslog allows machines where the Wazuh agent cannot be installed to report events.
The blog shows how to integrate the external tool Rsyslog so that it sends events to wazuh-manager.
rsyslog is an open source utility widely used on Linux systems to forward or receive log messages via TCP/UDP protocols. rsyslog daemon can be configured in two scenarios. Configured as a log collector server, rsyslog daemon can gather log data from all other hosts in the network, which are configured to send their internal logs to the server. In another role, rsyslog daemon can be configured as a client which filters and sends internal log messages to either a local folder (e.g. /var/log) or a remote rsyslog server based on routing facility.
In the blog, rsyslog is configured as a client, and the configuration below sends the logs of a particular program to wazuh-manager:
$ModLoad imfile
# log file from which the logs will be sent
$InputFileName /var/log/program_file.log
$InputFileTag my_program
$InputFileStateFile program_file
$InputFileSeverity info
$InputRunFileMonitor
Hi,
You can check if the manager is receiving the events by temporarily enabling the logall_json tag
logall_json: This option will let you see in /var/ossec/logs/archives/archives.json all the events that are being monitored by your manager.
To enable logall, go to the manager ossec.conf file and change:
<logall_json>no</logall_json>
to:
<logall_json>yes</logall_json>
Restart the manager.
All logs received in the manager will be stored in the file /var/ossec/logs/archives/archives.log or /var/ossec/logs/archives/archives.json, depending on the format you want to view.
After restarting the Wazuh Manager service, we should start seeing some log entries in the archives.json file:
cat /var/ossec/logs/archives/archives.json
More info can be found here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json
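As an added example (not code from Pedro's reply or from the Wazuh project), the following script performs the archives.json check described above without grepping by hand: it parses each line as JSON and keeps only the events whose location is the network device's address. The sample content is constructed: the first line is the event shown later in this thread, the second is a made-up local event so the filter has something to exclude. The device address 192.168.0.233 is taken from the thread.

```python
import json
import sys

# Constructed sample of /var/ossec/logs/archives/archives.json content (not a
# real capture). The first line is the event shown in this thread; the second
# is a made-up local event so the filter has something to exclude.
SAMPLE_ARCHIVES = """\
{"timestamp":"2022-09-22T13:07:59.761+0000","rule":{"level":5,"description":"INFO: Testing syslog connection.","id":"110001","firedtimes":2,"mail":false,"groups":["custom","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1663852079.2707","full_log":"[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection","decoder":{"name":"custom-decoder"},"data":{"srcip":"srcip","timestamp":"2022-09-22T10:01:33,565","level":"INFO","node":"node-1","msg":" Testing syslog connection"},"location":"192.168.0.233"}
{"timestamp":"2022-09-22T13:08:01.002+0000","agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1663852081.2801","full_log":"Sep 22 13:08:01 wazuh-server systemd[1]: Started Daily apt upgrade timer.","decoder":{"name":"systemd"},"location":"/var/log/syslog"}
"""

DEVICE_IP = "192.168.0.233"  # the network device's address, as in the thread


def events_from(archive_text, sender_ip):
    """Return the parsed archives.json events whose 'location' is sender_ip.

    For remote syslog the manager records the sender's address in 'location'
    (locally collected logs carry a file path there instead), so this is the
    field that tells the network device's events apart from the manager's own.
    """
    hits = []
    for line in archive_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # archives.json is appended while being read; a half-written
            # last line is normal, so skip it rather than abort.
            continue
        if event.get("location") == sender_ip:
            hits.append(event)
    return hits


def summarize(event):
    """Reduce one event to the fields worth checking when testing an
    integration: what arrived, which decoder claimed it, which rule fired.
    'rule' may be absent from an event that matched no rule, hence .get()."""
    rule = event.get("rule") or {}
    return {
        "full_log": event.get("full_log"),
        "decoder": (event.get("decoder") or {}).get("name"),
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
    }


def main():
    # With no argument, analyse the constructed sample; on a manager, pass
    # /var/ossec/logs/archives/archives.json to read the real file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ARCHIVES
    events = events_from(text, DEVICE_IP)
    print("%d event(s) from %s" % (len(events), DEVICE_IP))
    for ev in events:
        print(summarize(ev))


if __name__ == "__main__":
    main()
```

Run it on the manager as `python3 check_archives.py /var/ossec/logs/archives/archives.json` while the device is sending; a count of zero for the device address means the events are not arriving (check allowed-ips, port and protocol), while events with no rule_id mean they arrive but no rule matches yet. Remember to set logall_json back to no afterwards, since archiving every event grows the file quickly.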
Hi,
I don't have a watchguard device so I'm going to simulate this using the command:
echo "log test" | nc -v -w 0 "ip" port
Basically this would be the step by step procedure:
1- Configure wazuh-manager to collect syslog events by modifying the ossec.conf file
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.0.233</allowed-ips> <!-- IP of your network device -->
</remote>
Also, enable logall_json by changing:
<logall_json>no</logall_json>
to:
<logall_json>yes</logall_json>
And restart the manager.
2- Here you must configure your watchguard device to send syslog to wazuh-manager
3- From another PC (192.168.0.233), I run nc (pretending to be watchguard) and send a log to wazuh-manager
echo "[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection" | nc -v -w 0 "192.168.0.252" 514
4- I check if the event has reached wazuh-manager: for this I look in the file /var/ossec/logs/archives/archives.json and extract the event
{"timestamp":"2022-09-22T13:07:59.761+0000","rule":{"level":5,"description":"INFO: Testing syslog connection.","id":"110001","firedtimes":2,"mail":false,"groups":["custom","authentication_failed"],"pci_dss":["10.2.4","10.2.5"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1663852079.2707","full_log":"[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection","decoder":{"name":"custom-decoder"},"data":{"srcip":"srcip","timestamp":"2022-09-22T10:01:33,565","level":"INFO","node":"node-1","msg":" Testing syslog connection"},"location":"192.168.0.233"}
5- Using the full_log field
[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection
In the file /var/ossec/etc/decoders/local_decoder.xml I create a decoder according to my needs:
<decoder name="custom-decoder">
<prematch type="pcre2">\[.+\]\[.+\]\[.+\] \[.+\].+</prematch>
</decoder>
<decoder name="custom-decoder-ch">
<parent>custom-decoder</parent>
<regex type="pcre2">\[(.+)\]\[(.+)\]\[(.+)\] \[(.+)\](.+)</regex>
<order>timestamp,level,srcip,node,msg</order>
</decoder>
In the file /var/ossec/etc/rules/local_rules.xml I create the necessary rules:
<group name="custom,">
<rule id="110001" level="5">
<decoded_as>custom-decoder</decoded_as>
<field name="level">INFO</field>
<description>$(level): $(msg).</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
Restart the manager.
6- I use wazuh-logtest tool to test the decoder and the rules.
/var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.6
Type one log per line
[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection
**Phase 1: Completed pre-decoding.
full event: '[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection'
**Phase 2: Completed decoding.
name: 'custom-decoder'
level: 'INFO'
msg: ' Testing syslog connection'
node: 'node-1'
srcip: 'srcip'
timestamp: '2022-09-22T10:01:33,565'
**Phase 3: Completed filtering (rules).
id: '110001'
level: '5'
description: 'INFO: Testing syslog connection.'
groups: '['custom', 'authentication_failed']'
firedtimes: '1'
mail: 'False'
pci_dss: '['10.2.4', '10.2.5']'
**Alert to be generated.
7- I repeat step 3:
From another PC (192.168.0.233) I run nc (pretending to be watchguard) and send a log to wazuh-manager
echo "[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection" | nc -v -w 0 "192.168.0.252" 514
and we see on the dashboard how the corresponding alert was generated.
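As an added example (not code from Pedro's reply or from Wazuh), the script below replays the decoder and rule from steps 5 and 6 offline, so the prematch gate, the regex groups, the order mapping and the rule's field check can be reasoned about before touching the manager. Python's re stands in for PCRE2 here, which is safe because these patterns use no PCRE2-only syntax. The thread's test line is used as-is; the WARN line and the "log test" line are constructed to show a line the rule ignores and a line the decoder rejects.

```python
import re

# Constructed sample log lines. The first is the line used throughout this
# thread; the other two are made up to exercise the prematch gate and the
# rule's field check.
THREAD_LINE = "[2022-09-22T10:01:33,565][INFO][srcip] [node-1] Testing syslog connection"
WARN_LINE = "[2022-09-22T10:02:00,000][WARN][10.0.0.5] [node-2] disk almost full"
UNRELATED_LINE = "log test"

# The decoder from local_decoder.xml: <prematch> decides whether the decoder
# applies at all, <regex> captures the groups, <order> names them in sequence.
PREMATCH = re.compile(r"\[.+\]\[.+\]\[.+\] \[.+\].+")
REGEX = re.compile(r"\[(.+)\]\[(.+)\]\[(.+)\] \[(.+)\](.+)")
ORDER = ["timestamp", "level", "srcip", "node", "msg"]

# Rule 110001 from local_rules.xml. In Wazuh the <field> value is itself a
# regular expression matched against the decoded field, so re.search is used.
RULE = {
    "id": "110001",
    "level": 5,
    "field": ("level", "INFO"),
    "description": "$(level): $(msg).",
    "groups": ["custom", "authentication_failed", "pci_dss_10.2.4", "pci_dss_10.2.5"],
}


def decode(line):
    """Emulate the two-stage decoder: None if the prematch rejects the line,
    otherwise a dict mapping each <order> name to its captured group."""
    if not PREMATCH.search(line):
        return None
    m = REGEX.search(line)
    if not m:
        return {}  # parent matched but the child regex extracted nothing
    return dict(zip(ORDER, m.groups()))


def evaluate_rule(fields):
    """Apply rule 110001 to decoded fields. Returns the alert summary, or None
    when the decoder did not apply or the level field does not match INFO."""
    if not fields:
        return None
    name, pattern = RULE["field"]
    if not re.search(pattern, fields.get(name, "")):
        return None
    # Expand $(field) placeholders. The msg group starts with the space that
    # follows ']'; trimming it reproduces the description that the
    # wazuh-logtest run in this thread printed.
    description = RULE["description"]
    for key, value in fields.items():
        description = description.replace("$(%s)" % key, value.strip())
    return {"id": RULE["id"], "level": RULE["level"],
            "description": description, "groups": RULE["groups"]}


if __name__ == "__main__":
    for line in (THREAD_LINE, WARN_LINE, UNRELATED_LINE):
        fields = decode(line)
        print(line)
        print("  decoded:", fields)
        print("  alert:  ", evaluate_rule(fields))
```

Two things this makes visible: the greedy `(.+)` groups still split correctly only because the third bracket is followed by a space, so a device that changes that spacing silently breaks decoding; and the third group is stored under srcip without any check that it is an address (the thread's own test line stores the literal string "srcip" there), so anything downstream that treats srcip as an IP, such as active response or GeoIP enrichment, should not be wired to this decoder until the pattern for that group is tightened.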
