best way to forward to another SIEM?


Kat

Nov 9, 2017, 3:42:45 PM11/9/17
to Wazuh mailing list
I have a team with another SIEM - fed mostly by syslog feeds. 
I would like to send them a feed of all the remote logging coming in. 
Sure, I know I can do that with syslog_output, but here is the tricky(?) part.
Need to send via encrypted syslog over TCP. 

My thought was to set rsyslog to listen on localhost, feed that with Wazuh using syslog_output, and then set rsyslog to forward all the "remote" data to the other SIEM via the TCP connection.

Thoughts/comments? Seems reasonable, but maybe I am missing something or adding an extra step??

-Kat

migue...@wazuh.com

May 7, 2018, 8:59:49 AM5/7/18
to Wazuh mailing list
Hi Kat,

Sorry for the really long reply.

This makes sense. Currently, the Wazuh Manager can forward the logs via UDP syslog but not via TCP+TLS. In that case, as you say, you can configure rsyslog to receive the events from syslog_output via localhost only, and then rsyslog will forward the events to the SIEM via TCP+TLS. Consider the following rsyslog configuration:

# Receive the Wazuh syslog_output feed on localhost only (UDP 6514)
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 6514

# CA used by the gtls stream driver; this is a global directive, so it has to sit outside the if-block
$DefaultNetstreamDriverCAFile /etc/ssl/rootCA.pem

# Forward only Wazuh alerts ("ossec: Alert Level: ...") to the SIEM over TCP+TLS
if ($programname == 'ossec') and ($msg startswith ' Alert Level:') then {
  action(type="omfwd" Protocol="tcp" Target="10.0.0.1" Port="6514" StreamDriverMode="1" StreamDriver="gtls" StreamDriverAuthMode="anon")
  stop
}

The Wazuh syslog_output section should look like the following:

<syslog_output>
  <server>127.0.0.1</server>
  <port>6514</port>
</syslog_output>

I hope it helps.

Best Regards,
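For anyone who wants to see the relay logic from the reply above in code form (the localhost UDP listener, the "ossec / Alert Level" filter, and the TLS forwarding), here is a small stand-alone Python equivalent. It is an added example written for this thread, not code from Wazuh or from the rsyslog project. It assumes the default RFC 3164-style line that syslog_output emits ("<PRI>Mon DD HH:MM:SS host ossec: Alert Level: ..."), reuses the 127.0.0.1:6514, 10.0.0.1:6514 and /etc/ssl/rootCA.pem values from the reply as placeholders, and the sample log lines at the bottom are constructed for illustration.

```python
"""Python stand-in for the rsyslog relay described in the reply above (added example).

Receives Wazuh alerts from syslog_output on localhost UDP, keeps only the lines that
match the rsyslog filter (programname == 'ossec' and msg startswith ' Alert Level:'),
and forwards them to the SIEM over TCP+TLS.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: Wazuh syslog_output default format, RFC 3164 style:
#   <PRI>Mon DD HH:MM:SS hostname ossec: Alert Level: N; Rule: ...
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?:"   # programname, optional [pid]
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMsg:
    facility: int
    severity: int
    timestamp: str
    host: str
    programname: str
    msg: str


def parse_syslog(line: str) -> Optional[SyslogMsg]:
    """Split one RFC 3164 line into its parts; None if it does not parse."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    return SyslogMsg(pri >> 3, pri & 7, m["ts"], m["host"], m["tag"], m["msg"])


def should_forward(msg: Optional[SyslogMsg]) -> bool:
    """Same predicate as the rsyslog if-block in the reply."""
    return (msg is not None
            and msg.programname == "ossec"
            and msg.msg.startswith(" Alert Level:"))


def filter_lines(lines: Iterable[str]) -> List[str]:
    """Return only the lines the relay would forward."""
    return [ln for ln in lines if should_forward(parse_syslog(ln))]


def frame_for_tcp(line: str) -> bytes:
    """RFC 6587 octet-counting framing ("<len> <msg>").

    Chosen over LF-terminated framing so that a newline smuggled into an alert's
    raw log text cannot be read by the SIEM as a second, forged event.
    """
    data = line.encode("utf-8")
    return f"{len(data)} ".encode() + data


def tls_context(cafile: Optional[str], verify_peer: bool = True) -> ssl.SSLContext:
    """Client TLS context. cafile=None falls back to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if not verify_peer:
        # Equivalent of rsyslog StreamDriverAuthMode="anon": the link is encrypted,
        # but the SIEM is NOT authenticated, so a MITM on the path is still possible.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def relay(listen=("127.0.0.1", 6514), target=("10.0.0.1", 6514),
          cafile: Optional[str] = "/etc/ssl/rootCA.pem", verify_peer: bool = True) -> None:
    """Blocking loop: UDP in on localhost, filtered alerts out over TCP+TLS."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)                      # localhost only, like $UDPServerAddress 127.0.0.1
    ctx = tls_context(cafile, verify_peer)
    with socket.create_connection(target) as raw, \
            ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
        while True:
            data, _ = udp.recvfrom(65535)  # one datagram == one Wazuh alert
            line = data.decode("utf-8", errors="replace")
            if should_forward(parse_syslog(line)):
                tls.sendall(frame_for_tcp(line))


# Constructed sample input (not real alerts): one Wazuh alert, one sshd line, one ossec non-alert.
SAMPLE_LINES = [
    "<132>Nov  9 15:42:45 wazuh-manager ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (web01) any->/var/log/secure; srcuser: root; Nov  9 15:42:44 web01 sshd[5134]: "
    "pam_unix(sshd:session): session opened for user root by (uid=0)",
    "<86>Nov  9 15:42:46 wazuh-manager sshd[1234]: Accepted publickey for kat from 10.0.0.7",
    "<132>Nov  9 15:42:47 wazuh-manager ossec: started.",
]

if __name__ == "__main__":
    for kept in filter_lines(SAMPLE_LINES):
        print(frame_for_tcp(kept)[:60])
    # relay()  # uncomment on a box that has rsyslog-style listener and SIEM reachable
```

Run it as a script to see which of the constructed lines survive the filter; call relay() to actually bridge UDP to TLS. One caveat this makes visible: StreamDriverAuthMode="anon" in the rsyslog action (verify_peer=False here) only gives you confidentiality on the wire. If the SIEM team can hand you a CA-signed server certificate, use verify_peer=True (rsyslog StreamDriverAuthMode="x509/name" with StreamDriverPermittedPeers) so the feed cannot be silently redirected.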