WAZUH rsyslog not showing


Milan Patel

Mar 29, 2023, 11:19:33 AM
to Wazuh mailing list
Hello Wazuh,

I forwarded rsyslog from my firewall to Wazuh on port 514 but do not see anything on the Wazuh dashboard.
I do not want to use an agent at this moment to do this.
How can I also check whether logs from my pfSense FW are coming to Wazuh or not?

When I checked this:

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

I get this error:

2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.

Francisco Tuduri

Mar 29, 2023, 11:36:41 AM
to Wazuh mailing list
Hello Milan!

That message means that the syslog messages are arriving at the Wazuh server, but they are being rejected because they are coming from an unknown IP.
You should add the <allowed-ips> option to the <remote> configuration with the IP 172.16.1.1.
Remember to restart the manager after making these changes.


<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>


Let me know if this solves your issue.
Regards!
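The warning quoted above is the only evidence on the manager side that the firewall is actually sending. As an added example (not part of this thread and not Wazuh's own tooling), the following Python script reads ossec.log, picks out the wazuh-remoted 1213 warnings, and counts the rejected sender addresses, so you can confirm which hosts are reaching port 514 before deciding which of them belong in <allowed-ips>. The log lines embedded in it are constructed samples shaped like the ones in the post; the path is the default manager location.

```python
import re
from collections import Counter

# Constructed sample of /var/ossec/logs/ossec.log content (not a real capture);
# the format mirrors the warning lines shown in the thread
SAMPLE_OSSEC_LOG = """\
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:05 wazuh-remoted: WARNING: (1213): Message from '172.16.1.1' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:07 wazuh-remoted: WARNING: (1213): Message from '10.0.0.5' not allowed. Cannot find the ID of the agent.
2023/03/29 10:05:09 wazuh-remoted: INFO: Started (pid: 1234).
"""

# Matches only the "unknown sender" warning (code 1213) emitted by wazuh-remoted
REJECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-remoted: WARNING: \(1213\): "
    r"Message from '(?P<ip>[^']+)' not allowed"
)


def rejected_sources(log_text):
    """Return {sender_ip: number_of_rejected_messages} from ossec.log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECTED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def allowed_ips_entries(ips):
    """Render one <allowed-ips> line per address, ready to paste into <remote>.

    Only pass addresses you have verified are your own log sources; an
    unexpected sender showing up here is something to investigate, not allow.
    """
    return "\n".join(f"    <allowed-ips>{ip}</allowed-ips>" for ip in sorted(ips))


def load_ossec_log(path="/var/ossec/logs/ossec.log"):
    """Read the manager log; falls back to the constructed sample if unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return SAMPLE_OSSEC_LOG


if __name__ == "__main__":
    counts = rejected_sources(load_ossec_log())
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:>15}  {n} rejected messages")
    print("Candidate entries for <remote> (review before applying):")
    print(allowed_ips_entries(counts))
```

Run it on the manager as a user that can read ossec.log; with no readable log it falls back to the constructed sample. Wazuh accepts several <allowed-ips> elements inside one <remote> block, so each verified sender can be listed on its own line.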

Milan Patel

Mar 29, 2023, 11:51:12 AM
to Wazuh mailing list
Thanks, the issue got resolved.

I do have one more question regarding the logs.

I forwarded logs from the firewall to my Wazuh. I have added the IP to the allowed IPs but still do not see a single alert/event on the Wazuh dashboard.

Could you help me troubleshoot that? Where am I making a mistake?

Thanks,
Milan Patel

Milan Patel

Mar 29, 2023, 12:07:55 PM
to Wazuh mailing list
There is one issue though... The logs that I am forwarding have a different IP, 130.x.x.x, whereas on the Wazuh end it shows 172.16.1.1. Why is that?

But the logs are still not showing up on the Wazuh dashboard.


Francisco Tuduri

Mar 29, 2023, 1:43:15 PM
to Wazuh mailing list

On the dashboard you will only see the events that trip a rule, that is, events that generate an alert.
From your previous messages we see that the logs from your firewall are reaching the manager, so most likely the issue here is that the received events are either not being decoded correctly or they are not triggering any alerts.

The Wazuh ruleset includes rules and decoders for events coming from pfSense, but it is possible that they don't match exactly with your use case. In that case, new rules and decoders can be added.

To verify this you should do the following:
  • Enable the logall_json option in the manager's configuration.
  • Restart the manager.
  • Allow some time for new logs from the firewall to arrive.
The log_all option saves all the received events in /var/ossec/logs/archives/archives.json. (When disabled, it only saves the events that generated alerts. After testing you should disable this option, because that file could end up taking too much space.)
  • In this file, search for your pfSense events and gather the content of the field full_log. This field contains the raw log received by the Wazuh manager.
  • Test these raw logs against Wazuh's ruleset using the wazuh-logtest tool (/var/ossec/bin/wazuh-logtest) to see if they are being decoded and if they are tripping any rule.
In the following example, I used the wazuh-logtest tool with one of the pfSense sample logs that come with the ruleset. This event would trigger alert 87701.

:/var/ossec# bin/wazuh-logtest
Starting wazuh-logtest v4.3.9
Type one log per line

Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166

**Phase 1: Completed pre-decoding.
full event: 'Nov  8 12:37:34 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166'
timestamp: 'Nov  8 12:37:34'
hostname: 'pfSense'
program_name: 'filterlog'

**Phase 2: Completed decoding.
name: 'pf'
action: 'block'
dstip: '10.9.0.255'
dstport: '17600'
id: '1000102433'
length: '166'
protocol: 'udp'
srcip: '10.9.0.119'
srcport: '17500'

**Phase 3: Completed filtering (rules).
id: '87701'
level: '5'
description: 'pfSense firewall drop event.'
groups: '['pfsense', 'firewall_block']'
firedtimes: '1'
gpg13: '['4.12']'
hipaa: '['164.312.a.1']'
mail: 'False'
nist_800_53: '['SC.7']'
pci_dss: '['1.4']'
tsc: '['CC6.7', 'CC6.8']'
**Alert to be generated.


You should try that with the pfSense logs that you find in the archives.json file, using just the content of the field full_log.
If the logs that you receive are not decoded by the existing decoders, you will need to create a custom decoder. And if the events don't trip any rule, you will need to create custom rules to fit your needs.

You can take a look at the following documents:

Regards!
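The steps above end with a manual task: open archives.json, find the pfSense events, and copy each full_log into wazuh-logtest. As an added example (written for this thread, not part of the post or of Wazuh itself), the Python script below automates the gathering step. It reads the archive line by line (one JSON object per line, skipping any truncated line), parses the syslog header of each full_log to find the sending hostname and program, counts what arrived per program so you can see at a glance whether filterlog events are present at all, and returns the unique raw pfSense lines in first-seen order for pasting into wazuh-logtest one per line. The embedded archive content is a constructed sample; the field names full_log, location and decoder.name follow the Wazuh archive format, but the values, hostnames and addresses are made up, and the default path is the one named in the post.

```python
import json
import re
from collections import Counter

# Constructed sample of /var/ossec/logs/archives/archives.json (one JSON object per
# line). Field names follow the Wazuh archive format; values are invented. The last
# line is deliberately truncated to show how a partially written record is skipped.
SAMPLE_ARCHIVES = """\
{"timestamp":"2023-03-29T10:05:05.000-0400","agent":{"id":"000","name":"wazuh-manager"},"location":"172.16.1.1","decoder":{"name":"pf"},"full_log":"Mar 29 10:05:05 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166"}
{"timestamp":"2023-03-29T10:05:05.100-0400","agent":{"id":"000","name":"wazuh-manager"},"location":"172.16.1.1","full_log":"Mar 29 10:05:05 pfSense sshd[1234]: Accepted publickey for admin from 10.9.0.10 port 50000 ssh2"}
{"timestamp":"2023-03-29T10:05:06.000-0400","agent":{"id":"000","name":"wazuh-manager"},"location":"172.16.1.1","decoder":{"name":"pf"},"full_log":"Mar 29 10:05:05 pfSense filterlog: 5,,,1000102433,em0,match,block,in,4,0x0,,128,24677,0,none,17,udp,186,10.9.0.119,10.9.0.255,17500,17600,166"}
{"timestamp":"2023-03-29T10:05:07.000-0400","agent":{"id":"000","name":"wazuh-manager"},"location":"wazuh-manager->ossec-logcollector","full_log":"2023/03/29 10:05:07 wazuh-remoted: INFO: Started (pid: 1234)."}
{"timestamp":"2023-03-29T10:05:08.000-0400","agent":{"id":"000","na
"""

# BSD syslog header: "Mon DD HH:MM:SS host program[pid]:" (pid is optional)
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?:"
)
NO_HEADER = "(no syslog header)"


def iter_events(archive_text):
    """Yield one parsed event per archive line, skipping blank or corrupt lines."""
    for line in archive_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written record (file still being appended to)


def summarize_programs(archive_text, location=None):
    """Count received events by syslog program name.

    If location is given (for syslog input it is the sender's IP), only events
    from that sender are counted, which answers "is my firewall arriving at all?".
    """
    counts = Counter()
    for ev in iter_events(archive_text):
        if location is not None and ev.get("location") != location:
            continue
        m = SYSLOG_HDR.match(ev.get("full_log", ""))
        counts[m.group("prog") if m else NO_HEADER] += 1
    return dict(counts)


def pfsense_raw_logs(archive_text, hostname="pfSense"):
    """Return unique full_log strings whose syslog hostname matches, first-seen order."""
    seen, out = set(), []
    for ev in iter_events(archive_text):
        raw = ev.get("full_log", "")
        m = SYSLOG_HDR.match(raw)
        if m and m.group("host") == hostname and raw not in seen:
            seen.add(raw)
            out.append(raw)
    return out


def load_archive(path="/var/ossec/logs/archives/archives.json"):
    """Read the archive; falls back to the constructed sample if unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return SAMPLE_ARCHIVES


if __name__ == "__main__":
    text = load_archive()
    print("Events per program:")
    for prog, n in sorted(summarize_programs(text).items(), key=lambda kv: -kv[1]):
        print(f"  {prog:<24} {n}")
    print("\nUnique pfSense lines to feed to wazuh-logtest, one per line:")
    for raw in pfsense_raw_logs(text):
        print(raw)
```

If the program summary shows no filterlog entries while the firewall is supposedly sending, the problem is upstream of decoding (pfSense's remote logging settings or the relay in between); if filterlog lines are present but wazuh-logtest reports no decoder match or no rule, that is the custom decoder or rule case described above. Decoded events carry decoder.name, so an event with full_log but no decoder block is a quick sign that nothing matched it.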