Remote Syslog


Security One

Oct 6, 2022, 3:11:49 PM
to Wazuh mailing list
Hello Everyone - We are noticing that when we add the remote syslog port information in ossec.conf, remote syslog works, but our agents stop communicating. We've configured the ossec.conf file with the below:

<remote>
<connection>syslog</connection> 
<port>513</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.2.0/24</allowed-ips> 
</remote> 

If we remove the syslog information and re-add the default secure information below, the agents start communicating, but remote syslog breaks.

<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>

How do we get both to work at the same time?

Emiliano Zorn

Oct 6, 2022, 3:43:57 PM
to Wazuh mailing list
Hello team!

Thanks for contacting us.

To help you solve this problem you will need to answer the following questions, so I can have more information about what is happening.

  • What type of environment are you using? Do you have one manager or several?
  • How do you deduce that Syslog stops working?
  • Can you attach the ossec.log file data for both the manager and the agent?

Remember that to configure Remote Syslog you will have to add the following configuration block to the /var/ossec/etc/ossec.conf file of your wazuh-manager (replacing PORT, PROTOCOL and X.X.X.X/X with your corresponding information).

<remote>
<connection>syslog</connection>
<port>PORT</port>
<protocol>PROTOCOL</protocol>
<allowed-ips>X.X.X.X/X</allowed-ips>
</remote>

After this, you will have to restart the wazuh-manager:

systemctl restart wazuh-manager


If the configuration is correct, by typing the command:

netstat -tunap | grep wazuh 

You can check that the connection for that port and protocol has been opened (in my case 513/TCP to listen remote syslog).

# netstat -tunap | grep wazuh
tcp        0      0 0.0.0.0:513     0.0.0.0:*    LISTEN    2665/wazuh-remoted
tcp        0      0 0.0.0.0:1514    0.0.0.0:*    LISTEN    2664/wazuh-remoted
tcp        0      0 0.0.0.0:1515    0.0.0.0:*    LISTEN    2557/wazuh-authd

Remote syslog is working now under wazuh-remoted.

Then you will need to send the logs/events through remote syslog using the specified port and protocol. 

If you want to check if the manager is receiving the events, you can activate the event logging of the manager and see all the events received (temporarily to avoid unnecessary disk usage and storage).
To do this, edit the /var/ossec/etc/ossec.conf configuration file of your wazuh-manager and change:

<logall>no</logall>

to

<logall>yes</logall>.

After this, you will have to restart the wazuh-manager.

systemctl restart wazuh-manager


And from now on all received events will be stored in the /var/ossec/logs/archives/archives.log file.

You can search here for new events/logs that you send via remote syslog or use commands like:

tail -f /var/ossec/logs/archives/archives.log 

To see the events received in real-time.
  • In case you receive the events, Wazuh has a default Check Point decoder and rule. You may need to create decoders and/or rules to generate the alerts according to your needs.
  • In case you do not receive the events, check that you have connectivity between your devices and the wazuh-manager by the established port and protocol. Check that there is no firewall or configuration blocking that port.


Regards.

Security One

Oct 6, 2022, 3:51:42 PM
to Wazuh mailing list
I figured it out. I didn't know I had to just add a separate <remote> block instead of adding it within the same one. Thanks!
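
The fix the thread arrives at is a layout rule: the secure agent listener and the syslog listener each get their own <remote> block in ossec.conf, rather than both sets of tags in one block. The script below is an added example, not Wazuh project code, that checks an ossec.conf for exactly that layout. It embeds three constructed samples: the working two-block layout (the secure block from the first post plus the syslog block from the reply), the merged single-block layout the poster started from, and the syslog-only layout with the secure block removed. The treatment of a syslog block without <allowed-ips> as a finding follows the reply's template and is an assumption of this checker, not a statement about what wazuh-remoted enforces.

```python
"""Lint the <remote> blocks of a Wazuh manager ossec.conf (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the working layout, one <remote> block per listener.
GOOD_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample: both listeners crammed into a single <remote> block.
MERGED_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <connection>secure</connection>
    <port>513</port>
    <port>1514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample: syslog only, secure block removed (agents go silent).
SYSLOG_ONLY_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_ossec_conf(text):
    """A real ossec.conf may contain several top-level <ossec_config> elements,
    which is not well-formed XML, so wrap the text in a synthetic root."""
    return ET.fromstring("<lint-root>" + text + "</lint-root>")


def lint_remote_blocks(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    root = parse_ossec_conf(text)
    findings = []
    secure_seen = False
    listeners = {}  # (port, protocol) -> index of the block that claimed it
    for idx, remote in enumerate(root.iter("remote"), start=1):
        conns = [(c.text or "").strip() for c in remote.findall("connection")]
        if len(conns) != 1:
            findings.append(f"remote block {idx}: expected exactly one <connection>, "
                            f"found {conns}; give each listener its own <remote> block")
            continue
        conn = conns[0]
        port = (remote.findtext("port") or "(unset)").strip()
        proto = (remote.findtext("protocol") or "(unset)").strip().lower()
        if conn == "secure":
            secure_seen = True
        elif conn == "syslog":
            # Assumption of this checker: a syslog listener should carry <allowed-ips>.
            if remote.find("allowed-ips") is None:
                findings.append(f"remote block {idx}: syslog listener without <allowed-ips>")
        else:
            findings.append(f"remote block {idx}: unknown connection type {conn!r}")
        key = (port, proto)
        if key in listeners:
            findings.append(f"remote block {idx}: {port}/{proto} already used by block {listeners[key]}")
        else:
            listeners[key] = idx
    if not secure_seen:
        findings.append("no <remote> block with <connection>secure</connection>: "
                        "agents have no listener to connect to")
    return findings


if __name__ == "__main__":
    # Usage: python lint_remote.py /var/ossec/etc/ossec.conf (defaults to the sample)
    conf_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_CONF
    for line in lint_remote_blocks(conf_text) or ["ok: <remote> blocks look consistent"]:
        print(line)
```

Run it against the manager's ossec.conf before restarting wazuh-manager; the merged layout reports both the multi-connection block and the missing secure listener, which matches the symptom in the thread (agents stop communicating) better than the restart log alone.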

Emiliano Zorn

Oct 6, 2022, 3:54:57 PM
to Wazuh mailing list

That's great! Thanks for letting us know.

Have a great day!