Remote syslog


Donatas Kalvaitis

Apr 27, 2023, 4:43:58 PM4/27/23
to Wazuh mailing list
Hello, Wazuh does not accept syslog messages. I made changes as said ...

Receiving syslog logs in a custom port

Configure Wazuh as follows to receive logs in a given port:

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>

No logs info

Apr 27, 2023 @ 23:17:59.000 wazuh-remoted INFO Remote syslog allowed from: '192.168.1.0/24'
Apr 27, 2023 @ 23:17:59.000 wazuh-remoted INFO Started (pid: 4380). Listening on port 514/TCP (syslog).
Apr 27, 2023 @ 23:17:59.000 wazuh-remoted INFO Started (pid: 4379). Listening on port 1514/TCP (secure).

I've sent from two different apps - nothing. Any help?

Francisco Tuduri

Apr 27, 2023, 5:14:02 PM4/27/23
to Wazuh mailing list
Hello Donatas!

The configuration seems to be ok.
The messages received through syslog are not logged on the default logging level (INFO).
So in order to see some activity in the log when the manager receives data through this connection you will have to change the logging level for remoted.

To do that, you need to add this line:

remoted.debug=2

to this file /var/ossec/etc/local_internal_options.conf. And then restart the manager.

Then repeat the test sending data to that connection.
You should see log entries similar to this (with the proper IP):

2023/04/27 18:08:19 wazuh-remoted[1511505] syslogtcp.c:111 at HandleClient(): DEBUG: Received 26 bytes from '127.0.0.1'

Let me know how it goes.
Regards!

Donatas Kalvaitis

Apr 28, 2023, 2:34:57 AM4/28/23
to Wazuh mailing list
Hello Francisco,

Nothing :(

Francisco Tuduri

Apr 28, 2023, 2:23:49 PM4/28/23
to Wazuh mailing list
Hello Donatas!

I'm afraid the log I showed you on the previous message is only available when the connection is TCP. I checked and there is no log event on ossec.log for received UDP messages.
There are two ways we can check if you are receiving the syslog messages.

1-Enable the logall option and check archives.json:
  • In ossec.conf set logall_json to yes: <logall_json>yes</logall_json>
    • This will save every received event on /var/ossec/logs/archives/archives.json
    • After performing these tests you should set it back to no.
  • Restart the manager
  • Send some logs to the manager with the MegaLog Syslog Sender.
  • Check if there are any SyslogSender events on /var/ossec/logs/archives/archives.json. You can use this command:
    • cat /var/ossec/logs/archives/archives.json | grep SyslogSender
  • In my environment, I see events like this one:
{"timestamp":"2023-04-28T13:55:03.229-0300","agent":{"id":"000","name":"ft-nb"},"manager":{"name":"ft-nb"},"id":"1682700903.1108779","full_log":"1 2023-04-28T16:53:20Z Rex SyslogSender 007 613 - This is a test generated by MegaLog Syslog Test Sender V2.0","decoder":{},"location":"192.168.31.170"}
  • You should see similar events.
2-Add custom decoder and rules to generate alerts.
  • To see the events on the dashboard they have to trip some rule, so we can add a test custom decoder and a test custom rule to achieve that.
  • Add the following decoder to local_decoder.xml:
<decoder name="SyslogSender">
  <prematch>SyslogSender</prematch>
</decoder>
  • Add the following decoder to local_decoder.xml:
<group name="syslog">
  <rule id="100999" level="5">
    <decoded_as>SyslogSender</decoded_as>
    <description>SyslogSender event</description>
  </rule>
</group>
  • Remember to save the changes (on both files) and restart the manager.
  • Send some logs to the manager with the MegaLog Syslog Sender.
  • You should see some alerts for rule 100999 on the Dashboard.
Let me know if you have any problems with these steps.
Regards!

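A small test sender and archives.json checker that follows the steps in the answer above, added here as an example and not part of the thread or of Wazuh itself. It assumes the manager listens for syslog on the port and protocol shown in the first message, and it stands in for the MegaLog Syslog Sender; the sample archives.json lines are constructed from the event quoted above.

```python
"""Send an RFC 5424 test message to a Wazuh syslog listener and look for it in archives.json."""
import json
import socket
from datetime import datetime, timezone


def build_syslog_message(app_name, msg, host="testhost", facility=1, severity=6):
    # RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    # facility 1 (user), severity 6 (info) gives PRI 14, like most test senders.
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app_name} - - - {msg}"


def send_syslog(message, manager_ip, port=514, proto="tcp"):
    """Deliver one message; remoted's TCP syslog handler splits records on newline."""
    data = message.encode() + b"\n"
    if proto == "tcp":
        with socket.create_connection((manager_ip, port), timeout=5) as s:
            s.sendall(data)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (manager_ip, port))
    return len(data)


def find_events(archives_lines, marker="SyslogSender"):
    """Return (location, full_log) for archives.json events whose full_log contains marker."""
    hits = []
    for line in archives_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)  # archives.json holds one JSON event per line
        except json.JSONDecodeError:
            continue  # skip partially written or non-JSON lines
        if marker in ev.get("full_log", ""):
            hits.append((ev.get("location"), ev["full_log"]))
    return hits


# Constructed sample of archives.json: one matching event, one unrelated, one truncated line.
SAMPLE_ARCHIVES = [
    '{"timestamp":"2023-04-28T13:55:03.229-0300","agent":{"id":"000","name":"ft-nb"},'
    '"full_log":"1 2023-04-28T16:53:20Z Rex SyslogSender 007 613 - test","decoder":{},"location":"192.168.31.170"}',
    '{"timestamp":"2023-04-28T13:55:04.000-0300","full_log":"sshd[12]: Accepted publickey","location":"/var/log/auth.log"}',
    '{"timestamp":"2023-04-28T13:55:05',
]

if __name__ == "__main__":
    print(send_syslog(build_syslog_message("SyslogSender", "manual test"), "192.168.1.10", 514, "tcp"))
```

Run `grep SyslogSender /var/ossec/logs/archives/archives.json` on the manager after sending, or feed those lines to find_events, and remember to set logall_json back to no afterwards.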

Donatas Kalvaitis

Apr 28, 2023, 3:15:28 PM4/28/23
to Wazuh mailing list
Hello, I have tried second option. It works, thank you. 

Francisco Tuduri

Apr 28, 2023, 4:30:23 PM4/28/23
to Wazuh mailing list
That's great to hear!
Have a nice weekend!