Syslog SonicWall URGENT


Bruno OL-Tecnologia

Apr 20, 2021, 10:59:50 AM
to Wazuh mailing list
Dear,

I need to collect syslog from a SonicWall firewall URGENT; I need the help of someone who has already worked on this type of integration with Wazuh!

Can someone help me?

I made this configuration, but I don't know if I need to do anything else?

Where do I see the logs arriving at Wazuh, Kibana, etc.?

My ossec.conf:

<remote>
    <connection> secure </connection>
    <port> 1514 </port>
    <protocol> tcp </protocol>
    <allowed-ips> 192.168.0.0/24 </allowed-ips>
    <allowed-ips> 10.160.0.0/12 </allowed-ips>
    <allowed-ips> 172.16.0.0/12 </allowed-ips>
    <allowed-ips> 177.190.199.0/12 </allowed-ips>
    <local_ip> 172.16.0.190 </local_ip>
    <queue_size> 131072 </queue_size>
</remote>
<remote>
    <connection> syslog </connection>
    <port> 514 </port>
    <protocol> udp </protocol>
    <allowed-ips> 192.168.0.0/24 </allowed-ips>
    <allowed-ips> 10.160.0.0/12 </allowed-ips>
    <allowed-ips> 172.16.0.0/12 </allowed-ips>
    <allowed-ips> 177.190.199.0/12 </allowed-ips>
    <local_ip> 172.16.0.190 </local_ip>
</remote>

/app/wazuh#/manager/?tab=logs

What would these alerts be?

Apr 20, 2021 @ 11:01:07.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:07.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].
Apr 20, 2021 @ 11:01:02.000 ossec-remoted WARNING Too big message size from 172.16.0.190 [36].

Juan Carlos

Apr 26, 2021, 3:51:52 PM
to Wazuh mailing list
Hello Bruno,
The secure protocol can only be used by Wazuh agents, so I believe you do not wish to modify the original configuration which stated:
<remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
</remote>

Instead, if you wish to collect logs from network devices using syslog with some of them using UDP at the default syslog port (514) and others using TCP with a different port then the correct configuration will be:
<remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.0.0/24</allowed-ips>
    <allowed-ips>10.160.0.0/12</allowed-ips>
    <allowed-ips>172.16.0.0/12</allowed-ips>
    <allowed-ips>177.190.199.0/12</allowed-ips>
    <local_ip>172.16.0.190</local_ip>
</remote>
<remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.0.0/24</allowed-ips>
    <allowed-ips>10.160.0.0/12</allowed-ips>
    <allowed-ips>172.16.0.0/12</allowed-ips>
    <allowed-ips>177.190.199.0/12</allowed-ips>
    <local_ip>172.16.0.190</local_ip>
</remote>

Also, be careful not to leave any spaces between the tags and their values.

Let me know if you have any other questions we can help with.
Best Regards,
Juan Carlos Tello
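An added check for the allowed-ips entries of a syslog <remote> block like the one above (example code written for this page, not part of Wazuh). It parses the block with Python's standard library, flags values that have whitespace around them, and prints what each CIDR actually covers. It makes one labelled assumption: that an entry whose host bits are set, such as 177.190.199.0/12, is treated as the whole masked network (what ipaddress does with strict=False); under that reading the /12 admits roughly a million public addresses rather than a single /24. The sample configuration is constructed from the reply above, with one value written with spaces as in the original post.

```python
"""Check the <allowed-ips> entries of a Wazuh syslog <remote> listener.

Added example, not Wazuh's own code. Assumption: a CIDR entry with host bits
set is treated as the whole masked network, as ipaddress.ip_network does with
strict=False. How Wazuh itself handles such an entry is not shown on this page.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the TCP syslog block from the reply, plus one entry
# written with spaces around its value, as in the original post.
SAMPLE_REMOTE = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.0.0/24</allowed-ips>
    <allowed-ips>10.160.0.0/12</allowed-ips>
    <allowed-ips>172.16.0.0/12</allowed-ips>
    <allowed-ips> 177.190.199.0/12 </allowed-ips>
    <local_ip>172.16.0.190</local_ip>
  </remote>
</ossec_config>
"""


def check_allowed_ips(xml_text):
    """Return one finding dict per <allowed-ips> value in each syslog <remote>."""
    root = ET.fromstring(xml_text)
    findings = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # the secure listener is for agents, not syslog sources
        for el in remote.findall("allowed-ips"):
            raw = el.text or ""
            finding = {"raw": raw, "issues": [], "network": None}
            if raw != raw.strip():
                finding["issues"].append("whitespace around value")
            value = raw.strip()
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                finding["issues"].append("not an IP address or CIDR")
                findings.append(finding)
                continue
            finding["network"] = net
            if "/" in value:
                written = ipaddress.ip_address(value.split("/", 1)[0])
                if written != net.network_address:
                    finding["issues"].append(
                        f"host bits set: /{net.prefixlen} covers {net}, not just {written}"
                    )
            if not net.is_private and net.num_addresses > 256:
                finding["issues"].append(
                    f"public range of {net.num_addresses} addresses"
                )
            findings.append(finding)
    return findings


def is_allowed(sender_ip, xml_text):
    """Would a syslog sender at sender_ip pass the filter (under the masking assumption)?"""
    addr = ipaddress.ip_address(sender_ip)
    return any(
        f["network"] is not None and addr in f["network"]
        for f in check_allowed_ips(xml_text)
    )


if __name__ == "__main__":
    for f in check_allowed_ips(SAMPLE_REMOTE):
        status = "; ".join(f["issues"]) or "ok"
        print(f"{f['raw']!r:24} -> {f['network']}: {status}")
    print("177.180.1.1 allowed:", is_allowed("177.180.1.1", SAMPLE_REMOTE))
```

The check runs on a file copied from the manager; it does not talk to Wazuh. Its point is the last line: an address that has nothing to do with the firewall passes the filter because of the /12, so the prefix length deserves a second look before the listener is exposed.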

Rafael Antonio Rodriguez Otero

Apr 26, 2021, 4:48:26 PM
to Juan Carlos, Wazuh mailing list
Also consider testing to see if the message gets through. Activate archives.log in ossec.conf and then, with "tail -f /var/ossec/logs/archives/archives.log | grep 192.168.0", you can see if the information is arriving.
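To complement the archives.log check, here is an added example (not Wazuh's or SonicWall's code) that sends a constructed SonicWall-style key=value syslog line to a throwaway UDP listener standing in for the manager's port 514, then parses what arrives into facility, severity and fields and filters by the firewall's fw= field. The sample line, its serial number and its message IDs are made up for the example; only the <PRI> header and key=value layout follow what SonicWall emits. udp_roundtrip needs a working loopback interface.

```python
"""Confirm a SonicWall-style syslog line reaches a UDP listener and parse it.

Added example, not Wazuh's or SonicWall's code. The sample line is constructed
(serial number, message IDs and addresses are invented); only its key=value
layout with quoted values follows SonicWall syslog output.
"""
import re
import socket

# Constructed sample line. <134> = facility 16 (local0), severity 6 (info).
SAMPLE_LINE = (
    '<134>id=firewall sn=0017C5AA1234 time="2021-04-20 11:01:02 UTC" '
    'fw=177.190.199.10 pri=6 c=1024 m=98 msg="Connection Opened" '
    'n=12345 src=192.168.0.25:54321:X0 dst=8.8.8.8:53:X1 proto=udp/dns'
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value where value is either a double-quoted string or a run of non-space
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_sonicwall(raw):
    """Split the <PRI> header and the key=value body into a dict."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> header: %r" % raw[:40])
    pri, body = int(m.group(1)), m.group(2)
    fields = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # strip the quotes SonicWall puts around spaced values
        fields[key] = val
    return {"facility": pri // 8, "severity": pri % 8, "fields": fields}


def udp_roundtrip(line, host="127.0.0.1"):
    """Stand-in for the manager's UDP syslog listener on an ephemeral port.

    Returns (sender_ip, received_text); on the real manager the same datagram
    would have to arrive on port 514 from an address inside <allowed-ips>.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((host, 0))
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(line.encode("utf-8"), (host, port))
        data, (src_ip, _) = listener.recvfrom(65535)
    return src_ip, data.decode("utf-8")


def events_from_firewall(lines, fw_ip):
    """Parsed equivalent of the grep above: keep events whose fw= field is fw_ip."""
    events = []
    for line in lines:
        try:
            ev = parse_sonicwall(line)
        except ValueError:
            continue  # not a syslog line at all; skip rather than abort
        if ev["fields"].get("fw") == fw_ip:
            events.append(ev)
    return events


if __name__ == "__main__":
    src, received = udp_roundtrip(SAMPLE_LINE)
    ev = parse_sonicwall(received)
    print(f"from {src}: facility={ev['facility']} severity={ev['severity']}")
    for k, v in ev["fields"].items():
        print(f"  {k} = {v}")
    print("events from firewall:", len(events_from_firewall([received], "177.190.199.10")))
```

Note that the grep in the reply matches on the address the manager sees the datagram come from, while fw= is the address the firewall writes about itself; behind NAT the two can differ, so check both when a message you expect does not show up.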

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/94e88401-ff19-4144-b42c-dbbe93faf563n%40googlegroups.com.