Checkpoint firewall integration with Wazuh


Abhijit Sarwade
Feb 3, 2022, 3:20:10 AM
to Wazuh mailing list
Recently we tried to integrate Checkpoint firewall logs (SmartConsole) via rsyslog as per the procedure mentioned at https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html, but no luck. We are not able to see syslog in the manager. Can you help?

Jonathan Martín Valera
Feb 3, 2022, 3:47:08 AM
to Wazuh mailing list

Hello,

Ok, let’s see what could be the problem you are having.

First of all, I refer you to the configuration you need to set in the wazuh-manager to be able to receive the events via remote syslog https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog

Basically, you will have to add the following configuration block to the /var/ossec/etc/ossec.conf file of your wazuh-manager (replacing PORT, PROTOCOL and X.X.X.X/X with your corresponding information).

  <remote>
    <connection>syslog</connection>
    <port>PORT</port>
    <protocol>PROTOCOL</protocol>
    <allowed-ips>X.X.X.X/X</allowed-ips>
  </remote>

After this, you will have to restart the wazuh-manager.

systemctl restart wazuh-manager

If the configuration is correct, by typing the command netstat -tunap | grep wazuh you can check that the socket for that port and protocol has been opened (in my case 513/TCP to listen for remote syslog).

# netstat -tunap | grep wazuh

tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      2665/wazuh-remoted  
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      2664/wazuh-remoted  
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2557/wazuh-authd

Now what you will have to do is to send the logs/events through remote syslog using the specified port and protocol. If you want to check if the manager is receiving the events, you can activate the event logging of the manager and see all the events received (temporarily to avoid unnecessary disk usage and storage).

To do this, edit the /var/ossec/etc/ossec.conf configuration file of your wazuh-manager and change <logall>no</logall> to <logall>yes</logall>.

After this, you will have to restart the wazuh-manager.

systemctl restart wazuh-manager

And from now on all received events will be stored in the /var/ossec/logs/archives/archives.log file. You can search here for new events/logs that you send via remote syslog or use commands like tail -f /var/ossec/logs/archives/archives.log to see the events received in real-time.

  • In case you receive the events, you will probably have to create decoders and/or rules to generate the alerts according to your needs.

  • In case you do not receive the events, check that you have connectivity between your devices and the wazuh-manager by the established port and protocol. Check that there is no firewall or configuration blocking that port.

I hope you find this information useful. Try it and let us know the results.

Regards.
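An added example, not from the reply above or from the Wazuh project, that turns these checks into code: it parses the <remote> blocks out of ossec.conf, tells you whether a given sender address would pass the allowed-ips filter for the configured port and protocol (a mismatch is dropped silently and looks exactly like "no events arrive"), and can push one RFC 3164 marker line at the manager to look for in archives.log. The sample configuration and addresses are constructed; the 514/udp fallbacks in the parser are assumptions, so set port and protocol explicitly in your own file.

```python
import ipaddress
import socket
import time
import xml.etree.ElementTree as ET

# Constructed sample, not a real file: the <remote> block from the answer above, values filled in.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.10.20.0/24</allowed-ips>
  </remote>
</ossec_config>"""

def syslog_listeners(conf_text):
    """Return [(port, protocol, [allowed networks])] for every <remote> block of type syslog."""
    # A real ossec.conf often holds several <ossec_config> roots, so wrap it before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = []
    for rem in root.iter("remote"):
        if (rem.findtext("connection") or "").strip() != "syslog":
            continue
        port = int((rem.findtext("port") or "514").strip())          # defaults assumed here;
        proto = (rem.findtext("protocol") or "udp").strip().lower()  # set both explicitly
        nets = [ipaddress.ip_network(n.text.strip(), strict=False)
                for n in rem.findall("allowed-ips") if n.text]
        found.append((port, proto, nets))
    return found

def is_allowed(conf_text, sender_ip, port, proto):
    """Would wazuh-remoted accept syslog from sender_ip on port/proto? Mismatches are dropped silently."""
    ip = ipaddress.ip_address(sender_ip)
    return any(p == port and pr == proto.lower() and any(ip in n for n in nets)
               for p, pr, nets in syslog_listeners(conf_text))

def build_message(hostname, app, text, facility=1, severity=6):
    """Minimal RFC 3164 line; PRI = facility*8 + severity (1*8+6 = 14, user.info)."""
    t = time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {app}: {text}"

def send_test(manager_host, port, proto, msg):
    """Push one marker line so it can be spotted in archives.log with <logall>yes</logall>."""
    data = (msg + "\n").encode()
    if proto == "tcp":
        with socket.create_connection((manager_host, port), timeout=3) as s:
            s.sendall(data)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (manager_host, port))
```

With logall enabled, send_test("MANAGER_IP", 513, "tcp", build_message("fw01", "checkpoint", "wazuh path test")) run from the sending host should produce a matching line in /var/ossec/logs/archives/archives.log; if is_allowed reports the sender as accepted and the line still never shows up, look at the network path and host firewall rather than at ossec.conf.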

Abhijit Sarwade
Feb 3, 2022, 7:01:22 AM
to Wazuh mailing list
Hi Jonathan, thanks for the quick response, highly appreciated. Still we are not seeing logs. Is it possible to forward us the complete procedure that needs to be followed at Checkpoint, rsyslog and the Wazuh manager?

More details (checkpoint --> rsyslog --> Wazuh Manager):
- We have configured Checkpoint to forward logs to rsyslog (configured on a separate Ubuntu machine).
- Tested using tcpdump; we are receiving logs at rsyslog.
- Configured rsyslog to receive syslog events and enabled the TCP or UDP settings by editing /etc/rsyslog.conf.
- Configured rsyslog to forward events to a file by editing /etc/rsyslog.conf.
- Deployed a Wazuh agent on the same host that has rsyslog.
- Configured the agent to read the syslog output file by editing /var/ossec/etc/ossec.conf.

The above steps we have taken, but no luck. Could you help with the detailed procedure that we need to follow?

Jonathan Martín Valera
Feb 4, 2022, 5:29:49 AM
to Wazuh mailing list

As I understand, you have a check-point firewall that is sending the logs/events (using remote-syslog?) to a server, and from here you want to send those events/logs to the wazuh-manager via remote-syslog, right?

Here you can do several things:

  • (1). Have the firewall send the events/logs directly to the wazuh-manager using remote-syslog (without going through the Ubuntu server you mentioned).
  • (2). Have the firewall send the events/logs to the Ubuntu server, have the Ubuntu server write everything to a log file, and monitor that file with a wazuh-agent (using the log data collection capability https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html)
  • (3). Have the firewall send the events/logs to the Ubuntu server and have the Ubuntu server forward them to the wazuh-manager via remote-syslog (without using a wazuh-agent).

I see that you are trying to mix (2) and (3), and that may not work correctly.

Some considerations to take into account:

  • If you only need the wazuh-manager to process firewall events/logs via remote-syslog, then the most efficient would be (1), unless for some reason you want it to log to the Ubuntu server first.

  • If you want to use (2), then you do not need to configure the wazuh-manager to listen to remote-syslog requests, since the wazuh-agent uses a different communication path with the wazuh-manager (1514/TCP).

  • You just need to configure the wazuh-manager to listen for requests via remote-syslog in case you use (1) or (3).

Regarding the details you mention:

  • If you use (1), check with TCPDUMP that the wazuh-manager host is receiving the information on the specified port. Then verify that the wazuh-manager logs the events as I told you in yesterday’s comment.
  • If you use (2), check that the events/logs that the Ubuntu server is receiving are being written correctly to the file you want to monitor with the wazuh-agent.
  • If you use (3), check with TCPDUMP both on the Ubuntu server host and on the wazuh-manager that the events/logs are being received. You need to find out where it is failing.

Let me know which case you want to perform, and check that in any case the firewall correctly sends the events/logs to the Ubuntu server host, and that it correctly writes them to a file (on the Ubuntu server) or correctly forwards them to the wazuh-manager host. Having confirmed all this, we can focus exclusively on the configuration of your wazuh-manager (and/or wazuh-agent in case (2)).

I also recommend you take a look at this article: https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/

Regards.

Abhijit Sarwade
Feb 7, 2022, 1:52:26 AM
to Jonathan Martín Valera, Wazuh mailing list
Thanks Jonathan, the issue is fixed now. Appreciate your help!
