Syslog not working - Wazuh Docker Container


Flavio Malaquias

Sep 21, 2022, 2:53:47 PM
to Wazuh mailing list

Hi you all!

I hope you are doing good.

I am trying to enable the syslog in my Wazuh environment, but I am not getting the logs.

I edited the ossec.conf with the following.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.1.0.0/16</allowed-ips>
  <local_ip>10.1.3.16</local_ip>
</remote>

I scanned the server with nmap, but the port is still closed.

nmap -sU -O 10.1.3.16 -p 514

PORT     STATE  SERVICE
514/udp  closed syslog

Any thoughts about this situation?

Thank you
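As an added example (not from the thread, and not Wazuh's own code): a small Python script that parses a <remote> block like the one above, checks whether a given sender address falls inside <allowed-ips>, and does a UDP loopback round trip of a syslog-style line so you can see what "the listener is receiving" looks like before pointing a switch at the manager. The switch hostname, the sample message and the loopback listener are all constructed; the script never touches the real manager's <local_ip>:<port>, and the "all interfaces" default for a missing <local_ip> is taken from the reply in this thread.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the <remote> block posted in the thread, as a string.
REMOTE_BLOCK = """<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.1.0.0/16</allowed-ips>
  <local_ip>10.1.3.16</local_ip>
</remote>"""


def _required(root, name):
    """Return the stripped text of a mandatory child element or raise."""
    value = root.findtext(name)
    if value is None or not value.strip():
        raise ValueError(f"<remote> is missing <{name}>")
    return value.strip()


def parse_remote(xml_text):
    """Return the listener settings from one <remote> block.

    Several <allowed-ips> entries may appear, so they are collected into a
    list. <local_ip> is optional; when absent the listener binds all
    interfaces (represented here as 0.0.0.0).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "remote":
        raise ValueError("expected a <remote> element")
    allowed = [(e.text or "").strip() for e in root.findall("allowed-ips")]
    return {
        "connection": _required(root, "connection"),
        "port": int(_required(root, "port")),
        "protocol": _required(root, "protocol").lower(),
        "allowed_ips": [a for a in allowed if a],
        "local_ip": (root.findtext("local_ip") or "0.0.0.0").strip(),
    }


def sender_allowed(cfg, sender_ip):
    """True if sender_ip lies inside any <allowed-ips> network.

    ip_network() accepts CIDR ("10.1.0.0/16"), dotted netmasks and bare
    addresses, so all three spellings of an allow entry are covered.
    """
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in cfg["allowed_ips"])


def build_syslog_message(hostname, tag, text, facility=1, severity=6):
    """Build a BSD-syslog style line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(line):
    """Decode the leading <PRI> back into (facility, severity)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI prefix")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def udp_roundtrip(message, listen_ip="127.0.0.1", timeout=2.0):
    """Bind a throwaway UDP listener, send the message to it, return what arrived.

    This stands in for the manager's listener on loopback; against a real
    manager the sending half is the same, aimed at <local_ip>:<port>.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((listen_ip, 0))  # ephemeral port; 514 itself needs root
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), (listen_ip, port))
        data, (src_ip, _) = listener.recvfrom(65535)
        return data.decode("utf-8"), src_ip
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    cfg = parse_remote(REMOTE_BLOCK)
    print("listener settings:", cfg)
    for ip in ("10.1.5.20", "192.168.1.9"):  # constructed sender addresses
        print(ip, "allowed" if sender_allowed(cfg, ip) else "rejected")
    msg = build_syslog_message("switch01", "link", "port Gi1/0/3 down")
    received, src = udp_roundtrip(msg)
    print("received from", src, ":", received)
    print("facility/severity:", parse_pri(received))
```

Two things worth keeping in mind when reading an nmap UDP result against a syslog listener: "closed" means the host answered the probe with an ICMP port unreachable, so nothing was bound to 514/udp at that moment (a service that has not been restarted, or a container that does not publish the port, both look like this), whereas "open|filtered" means no reply at all, which is what a silent UDP listener and a firewall that drops the probe both look like. A round trip like the one above, sent from a host inside the <allowed-ips> range and checked against the manager's log output, distinguishes the two.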

Tomas Benitez Vescio

Sep 21, 2022, 3:47:41 PM
to Wazuh mailing list
Hi,
Thanks for using Wazuh!
Just to be sure, did you restart the Wazuh instance after modifying ossec.conf? Other than that your configuration seems to be correct (if you would want to see an example of how to set up this feature on Wazuh you can see it here). One thing you could try is removing the "local_ip" property from the remote tag; this way it would default to using all interfaces, in case the error has something to do with the Docker network.
Regards.

Flavio Malaquias

Sep 22, 2022, 9:49:54 AM
to Wazuh mailing list

Hi Tomas,

I removed the tag <local_ip> and now the nmap scan is showing me that the 514 port is open/filtered, but it is still not working.

I am trying to collect logs from my network switches. Is this the right way to do this, or should I use another tool like Graylog?

Thanks for the help.

Tomas Benitez Vescio

Sep 22, 2022, 11:47:12 AM
to Wazuh mailing list
As long as the devices you are trying to use support syslog and are configured correctly to forward logs to the Wazuh instance, you should be able to receive logs. Could you confirm that you configured the devices' syslog capabilities?

Regards.