Wazuh Collect log from remote Rsyslog Server


Alain Kabwe

Feb 14, 2019, 1:45:32 AM
to Wazuh mailing list

Hi all,
I have configured a Wazuh Manager on CentOS 7 and agents on CentOS 6 and 7, Red Hat, Oracle Linux and Ubuntu, and everything is working normally. I also have in my network many routers, switches and firewalls. These network devices send their logs to a well-configured Rsyslog server and everything works normally. What I would like now is for the Wazuh manager to retrieve the logs from the Rsyslog server, which is on another server, so that I can read them via Kibana. I hope my message is clear and that help will be given.

Juan Carlos

Feb 14, 2019, 3:26:59 AM
to Wazuh mailing list
Hello Alain,

You can configure rsyslog to forward these messages to the Wazuh Manager and configure the manager to listen on a port for syslog messages.

Or, if you have a wazuh-agent on the rsyslog server, you could specify in its configuration that it should monitor an output file of rsyslog.

In order to have rsyslog forward all messages over the network you must include

# a single '@' forwards over UDP, which matches <protocol>udp</protocol> in the manager config ('@@' would be TCP)
*.* @remote-host:514

in /etc/rsyslog.conf (changing remote-host to your Wazuh Manager's IP).

And add the following to the manager's /var/ossec/etc/ossec.conf:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>rsyslog-host</allowed-ips>
  </remote>
</ossec_config>

Where rsyslog-host is the IP of the Rsyslog server.

To configure log collection by the agent you may see several examples here in the documentation:

Best Regards,
Juan Carlos Tello
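A quick way to confirm that the rsyslog forwarding action and the manager's <remote> block actually agree is to parse both and compare them. The script below is an added example for this thread, not Wazuh project code: it reads a legacy rsyslog forwarding line ('@' for UDP, '@@' for TCP), reads the syslog listener from an ossec.conf fragment, and reports transport or port mismatches and missing or over-broad <allowed-ips>. Both config fragments, the manager address 192.0.2.10 and the rsyslog host 192.0.2.20 are constructed samples.

```python
"""Consistency check: rsyslog forwarding rule vs. the Wazuh manager's syslog listener.

Added example for this thread, not Wazuh project code. Both config fragments
are constructed samples; the IPs are documentation addresses (RFC 5737).
Only the legacy '@host:port' / '@@host:port' forwarding syntax is handled.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed rsyslog.conf fragment. A single '@' forwards over UDP, '@@' over TCP.
RSYSLOG_CONF = """
# constructed sample: forward everything to the Wazuh manager
*.* @@192.0.2.10:514
"""

# Constructed manager ossec.conf fragment, shaped like the one suggested in the thread.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.20</allowed-ips>
  </remote>
</ossec_config>
"""

FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<at>@{1,2})(?P<host>\[?[^\]:\s]+\]?)(?::(?P<port>\d+))?\s*$",
    re.MULTILINE,
)


def parse_rsyslog_forward(text):
    """Return one dict per legacy forwarding action: selector, transport, host, port."""
    rules = []
    for m in FORWARD_RE.finditer(text):
        rules.append({
            "selector": m.group("selector"),
            "transport": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host").strip("[]"),
            "port": int(m.group("port") or 514),  # rsyslog defaults to 514
        })
    return rules


def parse_remote_syslog(text):
    """Return the syslog listeners declared in <remote> blocks of an ossec.conf fragment."""
    root = ET.fromstring(text)
    listeners = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        listeners.append({
            "port": int(remote.findtext("port", "514").strip()),
            "protocol": remote.findtext("protocol", "udp").strip().lower(),
            "allowed_ips": [e.text.strip() for e in remote.findall("allowed-ips") if e.text],
        })
    return listeners


def ip_allowed(ip, spec):
    """True if ip falls inside an <allowed-ips> entry (single address or CIDR)."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def check(rsyslog_text, ossec_text, forwarder_ip):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    rules = parse_rsyslog_forward(rsyslog_text)
    listeners = parse_remote_syslog(ossec_text)
    if not rules:
        findings.append("rsyslog: no forwarding action found")
    if not listeners:
        findings.append("ossec.conf: no <remote> block with <connection>syslog</connection>")
    for rule in rules:
        same_port = [l for l in listeners if l["port"] == rule["port"]]
        if listeners and not same_port:
            findings.append(f"rsyslog forwards to port {rule['port']}, manager listens on "
                            f"{sorted(l['port'] for l in listeners)}")
        for lst in same_port:
            if lst["protocol"] != rule["transport"]:
                findings.append(f"transport mismatch: rsyslog sends {rule['transport']}, "
                                f"manager <protocol> is {lst['protocol']}")
            if not lst["allowed_ips"]:
                findings.append("listener has no <allowed-ips>; Wazuh requires it for syslog")
            elif not any(ip_allowed(forwarder_ip, a) for a in lst["allowed_ips"]):
                findings.append(f"forwarder {forwarder_ip} is not in <allowed-ips> {lst['allowed_ips']}")
            for a in lst["allowed_ips"]:
                try:
                    if ipaddress.ip_network(a, strict=False).prefixlen == 0:
                        findings.append(f"<allowed-ips>{a}</allowed-ips> accepts syslog from anywhere")
                except ValueError:
                    findings.append(f"<allowed-ips>{a}</allowed-ips> is not a valid address or CIDR")
    return findings


if __name__ == "__main__":
    for f in check(RSYSLOG_CONF, OSSEC_CONF, "192.0.2.20") or ["ok: rsyslog and manager agree"]:
        print(f)
```

Run as-is the sample reports the transport mismatch ('@@' is TCP while the listener is UDP); changing the forwarding line to a single '@' makes the check pass. The <allowed-ips> checks matter because that element is the only thing restricting which hosts can inject syslog into the manager on that port.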

Alain Kabwe

Feb 14, 2019, 4:52:39 AM
to Wazuh mailing list
Thanks Juan,
How can I do this: "Or if you have a wazuh-agent in the rsyslog server you could specify in its configuration for it to monitor an output file of the rsyslog"?

Juan Carlos

Feb 14, 2019, 6:08:25 AM
to Wazuh mailing list
Hello Alain,
Sorry I wasn't clear about the second option.

In order to monitor any logfile, in this case the output of rsyslog, you can use the Log collection capability.

A simple configuration would be adding the following to the agent's /var/ossec/etc/ossec.conf:

<ossec_config>
  <localfile>
    <location>/var/log/example.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

where you can change /var/log/example.log to the output file of rsyslog.


Alternatively you can do this change remotely from the manager by adding the agent to a group and changing the shared configuration for that group to include that configuration.
More information about this can be consulted in this part of the documentation: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
But in summary you could run from the manager:

/var/ossec/bin/agent_groups -a -g rsyslogserver
/var/ossec/bin/agent_groups -a -i <AGENT-ID> -g rsyslogserver

where <AGENT-ID> is the agent ID of the rsyslog server.
And then add the same configuration as before to /var/ossec/etc/shared/rsyslogserver/agent.conf

I hope this helps,
Best Regards,
Juan Carlos Tello
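Whichever way the <localfile> is delivered (local ossec.conf or the group's agent.conf), <log_format>syslog</log_format> only identifies the originating device if the file rsyslog writes carries a standard syslog header. The parser below is an added example, not Wazuh code and not from this thread: it assumes rsyslog's default traditional file layout (timestamp, hostname, tag[pid]: message) and runs over constructed lines from a switch, a firewall and a router plus one headerless line, showing which fields the collector can recover and that a headerless line loses the device name entirely.

```python
"""Parse lines from the rsyslog output file the way an agent <localfile> with
<log_format>syslog</log_format> will see them.

Added example for this thread, not Wazuh code. Assumes rsyslog writes the
file in its default traditional layout:
    Mon DD HH:MM:SS <hostname> <tag>[pid]: <message>
All sample lines are constructed.
"""
import re

# Constructed lines: a switch, a firewall, a router, and one line with no syslog header.
SAMPLE_LINES = [
    "Feb 14 01:45:32 core-sw01 %LINK-3-UPDOWN: Interface Gi1/0/24, changed state to down",
    "Feb 14 01:45:40 fw-edge kernel: [123456.789] DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.5",
    "Feb 14 01:46:01 rtr-branch sshd[2211]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    "raw line with no syslog header",
]

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. 'Feb 14 01:45:32'
    r"(?P<host>\S+) "                                    # device hostname written by rsyslog
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"       # program[pid]:
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Split one line into timestamp, hostname, program, pid and message.

    A line without a recognisable header is returned with the header fields
    set to None and the whole line as msg: it is still collected, but nothing
    in it identifies which device produced it.
    """
    m = HEADER_RE.match(line)
    if not m:
        return {"timestamp": None, "hostname": None, "program": None, "pid": None, "msg": line}
    return {
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def lines_per_device(lines):
    """Count lines per source hostname; the None key collects headerless lines.

    Running this over the rsyslog output file is a quick way to confirm that
    every router, switch and firewall is actually reaching the file before
    pointing the agent at it.
    """
    counts = {}
    for line in lines:
        host = parse_syslog_line(line)["hostname"]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line))
    print(lines_per_device(SAMPLE_LINES))
```

Since every line in that file reaches the manager from the same agent (the rsyslog server), the hostname field in the header is what keeps the routers, switches and firewalls apart; if rsyslog is configured with a custom template that drops it, the collector still ships the lines but the per-device attribution is lost.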


