Syslog from pfSense and other network devices


Shaun Ludwig

Oct 22, 2021, 6:29:16 AM10/22/21
to Wazuh mailing list
Hi All

I have a single-node Opendistro host with Wazuh 4.2.1. Could anyone point me in the right direction for collecting syslog from my pfSense device and what my ossec.conf file should look like?

If I try changing the <connection> tag from "secure" to "syslog" in my ossec.conf, along with some other settings as in the documentation at https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#remote-syslog, then my wazuh-manager will not restart.

Looking forward to your response 

Thanks
Shaun

Jonathan Martín Valera

Oct 22, 2021, 6:56:25 AM10/22/21
to Wazuh mailing list

Hi,

In this case, you don’t have to change the “secure” block but add a new one for syslog. It would be something like the following:

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>

Note: The values of these fields may not match your use case, this is only an example.

After applying this configuration and restarting the wazuh-manager service (systemctl restart wazuh-manager), your manager should receive logs via remote syslog. You can check that the manager is listening on the port indicated for remote syslog with the following (in my case for port 513/TCP):

root@manager:/home/vagrant# netstat -tunap | grep wazuh
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      2641/wazuh-remoted  
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      2640/wazuh-remoted  
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2533/wazuh-authd

In this case, the wazuh-manager listens on 3 different ports:

  • 513/TCP for remote syslog.
  • 1514/TCP for agent connections (the secure block that you don't have to remove).
  • 1515/TCP for agent logging.

To verify that the manager is receiving the events, you will have to enable event logging in the wazuh-manager by editing the following in the /var/ossec/etc/ossec.conf file of the wazuh-manager:

<logall>no</logall>

to

<logall>yes</logall>

and then, restart the wazuh-manager

systemctl restart wazuh-manager

From now on, every event received by the manager will be logged in the /var/ossec/logs/archives/archives.log file.

You can check if your wazuh-manager is receiving any specific event, filtering by IP, or whatever you want.

grep <IP or string identifier> /var/ossec/logs/archives/archives.log

Note: Remember to disable the logall option in the ossec.conf file (and restart the wazuh-manager to apply the changes) when you no longer need it, to avoid unnecessary disk usage.

Once you have verified that the manager is receiving the events sent with remote syslog, then you will have to check if there are decoders and rules for the logs you want (necessary to be able to generate alerts if needed).

Below are links to documentation that may be of interest to you.

Best regards.
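The answer above hinges on adding a second <remote> block rather than editing the existing one, and on giving the syslog block an <allowed-ips> list, which the Wazuh documentation marks as mandatory for syslog connections. The script below is an added example written for this thread, not Wazuh project code: it parses the <remote> blocks of an ossec.conf fragment and reports the mistakes that stop wazuh-remoted from starting or leave agents without a listener. Both config fragments are constructed here; the "bad" one reproduces what the question describes (the single secure block changed to syslog). It assumes the file is well-formed XML apart from having several top-level <ossec_config> elements, which is why it is wrapped in a synthetic root.

```python
"""Sanity-check the <remote> blocks in a Wazuh manager ossec.conf.

Added example for this thread; it is not Wazuh project code.  It flags the
two mistakes discussed above: turning the existing "secure" block into a
"syslog" block instead of adding a second one (agents lose their listener),
and a "syslog" block without <allowed-ips> (the Wazuh documentation lists
allowed-ips as mandatory for syslog connections, and wazuh-remoted refuses
to start without it).
"""
import xml.etree.ElementTree as ET

# Constructed fragment following the reply: the agent listener on 1514/TCP
# is kept and a syslog listener on 513/TCP is added next to it.
GOOD_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>513</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed fragment reproducing the question: the only block was edited
# from "secure" to "syslog", so there is no agent listener and no allowed-ips.
BAD_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>
</ossec_config>
"""


def parse_remote_blocks(conf_text):
    """Return each <remote> block as a dict of child tag -> text.

    ossec.conf normally holds several top-level <ossec_config> elements and
    no single root, so the text is wrapped in a synthetic root first.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{child.tag: (child.text or "").strip() for child in remote}
            for remote in root.iter("remote")]


def check_remote_blocks(conf_text):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    seen = set()          # (port, protocol) pairs already claimed
    secure_blocks = 0

    for i, block in enumerate(parse_remote_blocks(conf_text), 1):
        conn = block.get("connection")
        if conn not in ("secure", "syslog"):
            problems.append(f"remote #{i}: <connection> must be 'secure' or 'syslog', got {conn!r}")
            continue
        if conn == "secure":
            secure_blocks += 1
        elif not block.get("allowed-ips"):
            problems.append(f"remote #{i}: syslog block has no <allowed-ips>; "
                            "wazuh-remoted will not start without it")

        port = block.get("port")
        if not (port and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"remote #{i}: invalid <port> {port!r}")
            continue
        key = (int(port), block.get("protocol", "").lower())
        if key in seen:
            problems.append(f"remote #{i}: port/protocol {key} is already used by another remote block")
        seen.add(key)

    if secure_blocks == 0:
        problems.append("no <connection>secure</connection> block: agents have no listener "
                        "(add a syslog block, do not replace the secure one)")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        result = check_remote_blocks(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for problem in result:
            print("  -", problem)
```

To run it against a real manager, pass the contents of /var/ossec/etc/ossec.conf to check_remote_blocks() before restarting wazuh-manager; an empty list means the remote section has the shape the reply describes, and the netstat check above then confirms that wazuh-remoted actually bound both ports.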
