Akamai DNSi CacheServe 7.6.1.0 integration with Wazuh


Gokul Suresh

Oct 9, 2024, 1:54:37 AM10/9/24
to Wazuh | Mailing List
Hello,
I am new to Wazuh and I have a task to integrate Akamai DNSi CacheServe with Wazuh.
Could someone help with the integration steps needed to send logs in syslog format from Akamai DNSi CacheServe to Wazuh?
I could not find anything worthy enough to do my task.

Md. Nazmur Sakib

Oct 9, 2024, 2:34:27 AM10/9/24
to Wazuh | Mailing List

Hi Gokul Suresh, if your Akamai DNSi CacheServe has remote syslog log forwarding capability, you can follow these steps to forward your logs to Wazuh.

The Wazuh server can collect logs via syslog from endpoints.

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html


There is also the option to forward the logs to an agent and ingest the logs by using Rsyslog for Linux endpoints and Logstash for Windows endpoints. You can find more information on this in the documentation:

https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html


I will suggest using the Rsyslog method. Rsyslog is more scalable and reliable.

Now check if those logs from the network devices are properly forwarded to Wazuh.

For this, you can try the following steps:

First, enable the JSON-format archive log in your manager's ossec.conf:


<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>


After making the changes make sure to restart the manager.



We recommend creating custom rules and decoders based on archives.json because in these logs we can see the field full_log, which is the one being parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):

{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}


Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.

Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json

Look for any relevant logs inside the archive log, using grep with keywords related to the log:

grep Keyword /var/ossec/logs/archives/archives.json




Test those logs using logtest to find out if the logs are decoded by decoders and matched by rules.

Check this document to get help with the logtest tool.

https://documentation.wazuh.com/current/user-manual/ruleset/testing.html


If the logs are not tripped by decoders and rules, you need to write custom rules for that.

Check the document to get help with writing custom rules:

https://documentation.wazuh.com/current/user-manual/ruleset/index.html


Let me know the update on the issue.
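The steps above (enable logall_json, grep archives.json for a keyword, feed the full_log lines to logtest, then write decoders for whatever is not decoded) can be partly automated. The following script is an added example, not code from the poster or from Wazuh: it reads archives.json line by line, keeps only events whose "decoder" object is empty (no decoder matched), optionally filters them by keyword, and prints the raw full_log strings to paste into wazuh-logtest. The embedded sample lines are constructed; the second one imitates a DNS cache line received over remote syslog (hypothetical program name "cacheserve", location set to the sender IP), since the thread does not show the real Akamai format.

```python
import json
import sys
from collections import Counter

# Constructed archives.json sample (one JSON event per line), not captured from a real
# manager. Event 1 was matched by a decoder; event 2 (a made-up DNS cache line received
# over remote syslog, so "location" is the sender IP and agent 000 is the manager) has an
# empty "decoder" object, which is what an undecoded log looks like in archives.json.
# The third line is deliberately malformed to show that bad lines are skipped, not fatal.
SAMPLE_ARCHIVES = (
    '{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},'
    '"manager":{"name":"Server85"},"id":"1693882060.373586",'
    '"full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service \'org.freedesktop.UPower\'",'
    '"predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},'
    '"decoder":{"name":"dbus"},"location":"/var/log/syslog"}\n'
    '{"timestamp":"2023-09-05T02:48:01.000+0000","agent":{"id":"000","name":"Server85"},'
    '"manager":{"name":"Server85"},"id":"1693882081.373700",'
    '"full_log":"Sep 5 03:11:00 dns-cache-1 cacheserve: constructed example query line",'
    '"predecoder":{"program_name":"cacheserve","timestamp":"Sep 5 03:11:00","hostname":"dns-cache-1"},'
    '"decoder":{},"location":"203.0.113.10"}\n'
    'this line is not JSON\n'
)


def parse_archives(text):
    """Parse archives.json content line by line. Returns (events, skipped_count)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(event, dict) and "full_log" in event:
            events.append(event)
        else:
            skipped += 1
    return events, skipped


def undecoded_events(events, keyword=None):
    """Events that no decoder matched (empty "decoder"), optionally filtered by a
    case-insensitive keyword in full_log: the grep step, but decode-aware."""
    out = []
    for ev in events:
        if ev.get("decoder"):
            continue
        if keyword and keyword.lower() not in ev["full_log"].lower():
            continue
        out.append(ev)
    return out


def summarize(events):
    """Count events by (location, predecoder program_name) to see which sources
    and programs still need custom decoders."""
    counts = Counter()
    for ev in events:
        program = ev.get("predecoder", {}).get("program_name", "<none>")
        counts[(ev.get("location", "<none>"), program)] += 1
    return counts


def logtest_lines(events):
    """Raw full_log strings, which is what you paste into wazuh-logtest."""
    return [ev["full_log"] for ev in events]


def main(argv):
    # Usage: find_undecoded.py [/var/ossec/logs/archives/archives.json] [keyword]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ARCHIVES
    keyword = argv[2] if len(argv) > 2 else None
    events, skipped = parse_archives(text)
    missed = undecoded_events(events, keyword)
    print(f"{len(events)} events parsed, {skipped} lines skipped, {len(missed)} undecoded")
    for (location, program), n in summarize(missed).most_common():
        print(f"  {n:6d}  location={location}  program_name={program}")
    print("Sample lines to feed to wazuh-logtest:")
    for line in logtest_lines(missed)[:5]:
        print("  " + line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the constructed sample, or as `python3 find_undecoded.py /var/ossec/logs/archives/archives.json cacheserve` on the manager once logall_json is enabled. Because archives.json grows quickly, run it against a short capture window and disable logall_json afterwards, as the note above says.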

Gokul Suresh

Oct 10, 2024, 1:01:05 AM10/10/24
to Wazuh | Mailing List

Thank you Md. Nazmur Sakib, I will try this out and let you know.