Apache log forward using rsyslog in centos 7 to wazuh


Milan Patel

Jan 17, 2023, 1:16:21 PM
to Wazuh mailing list
Hello,

How can I forward Apache logs from CentOS 7 using rsyslog to Wazuh? I do not want to use an agent at this moment. Is there any way to do this?

Also, how can I integrate Snort with Wazuh?

thanks,


Kevin Ledesma

Jan 17, 2023, 3:09:08 PM
to Wazuh mailing list
Hello! How you doing?

To forward the Apache logs to Wazuh using rsyslog you have to:
  1. Install rsyslog if it's not installed yet:  yum install rsyslog
  2. Configure Apache and edit the file /etc/rsyslog.conf to capture the logs you want to forward: follow this guide. (In step 4 of the section Forward Apache Web Server Access Logs you must set the wazuh-server IP, e.g.: local6.notice @@WAZUH_SERVER_IP:514)
About the Snort integration: you can get the Snort logs by using the localfile tag in the wazuh-agent/manager ossec.conf (you must have a wazuh-agent or the manager installed on the machine where you have configured Snort).

  1. Edit the ossec.conf file, adding the localfile tag to catch the Snort logs:
        <localfile>
            <log_format>snort-full</log_format>
            <location>YOUR_SNORT_LOG_PATH</location>
        </localfile>
  2. Restart wazuh-agent (or the manager) and you should start receiving the Snort logs in Wazuh.
Best regards.

Milan Patel

Jan 18, 2023, 1:51:01 PM
to Wazuh mailing list
Thank you so much. I can see the logs on the Wazuh manager on the terminal side in /var/ossec/logs/archives/archives.log, but I do not see them in the Wazuh GUI under Security events >> Dashboard. Could you please help me with that? Thanks in advance.

Kevin Ledesma

Jan 19, 2023, 7:03:51 AM
to Wazuh mailing list
Hello!

That's because the log does not match any existing rule, or there is no decoder for that log format. Could you share the logs you are receiving in archives.log?
You will probably have to create your own rule to match that log; check this guide, it may help you. There is also another conversation with a similar issue (not exactly the same, but it could give you an idea).

Regards!

Milan Patel

Jan 19, 2023, 12:00:31 PM
to Wazuh mailing list
Thanks for the reply.

Here is the output of the archives.log file:

[root@wazuh-server archives]# cat archives.log | grep "admin.php"
2023 Jan 19 16:57:03 centos-abcdefg-test->/var/log/messages Jan 19 11:57:03 centos-abcdefg-test httpd: 10.10.39.62 - - [19/Jan/2023:11:57:03 -0500] "GET /admin.php HTTP/1.1" 404 207


Also, why does the first one show a different time zone when I have the ETC time zone set, as you can see in the second time?

Is it a level 1 or 2 alert?

Kevin Ledesma

Jan 27, 2023, 11:17:33 AM
to Wazuh mailing list
Hello! I just responded to you but the message is not showing, so sorry if you get a repeated answer.

About the log timestamps: the first time is your manager's time when the event is received; the following times are your client's time when the log was created. To be sure, check the time zones on both systems using the command: ls -l /etc/localtime

The alert in the conversation is a level 6 alert; you can see it in the opening tag:
      <rule id="100008" level="6" frequency="3" timeframe="10">
You can learn more about rules by checking this documentation.

Regards!
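As an added example (not from this thread and not Wazuh's own code): a small Python parser that splits the archives.log line quoted above into the manager's receive timestamp and the Apache request timestamp with its offset, then converts both to UTC to show they describe the same instant. It assumes the manager's clock is in UTC, since archives.log timestamps carry no zone; the sample line is the one from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the archives.log line quoted earlier in this thread.
ARCHIVE_LINE = (
    '2023 Jan 19 16:57:03 centos-abcdefg-test->/var/log/messages '
    'Jan 19 11:57:03 centos-abcdefg-test httpd: 10.10.39.62 - - '
    '[19/Jan/2023:11:57:03 -0500] "GET /admin.php HTTP/1.1" 404 207'
)

# archives.log prefix: manager receive time, "<agent>-><location>", then the raw log.
ARCHIVE_RE = re.compile(
    r'^(?P<received>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<agent>\S+?)->(?P<location>\S+) (?P<raw>.*)$'
)
# The raw log is a syslog line wrapping an Apache access-log entry.
ACCESS_RE = re.compile(
    r'^(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) httpd: '
    r'(?P<client>\S+) \S+ \S+ \[(?P<req_ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_archive_line(line, manager_tz=timezone.utc):
    """Split one archives.log line into manager metadata and Apache request fields.

    manager_tz is an assumption: archives.log timestamps carry no offset, so the
    caller supplies the manager's zone (UTC here) to compare the two times.
    """
    m = ARCHIVE_RE.match(line)
    if not m:
        raise ValueError('not an archives.log line')
    a = ACCESS_RE.match(m.group('raw'))
    if not a:
        raise ValueError('raw log is not an httpd access entry')
    received = datetime.strptime(m.group('received'), '%Y %b %d %H:%M:%S')
    received = received.replace(tzinfo=manager_tz)
    # The Apache timestamp carries its own offset (-0500), so %z makes it zone-aware.
    requested = datetime.strptime(a.group('req_ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'received_utc': received.astimezone(timezone.utc),
        'requested_utc': requested.astimezone(timezone.utc),
        'skew_seconds': (received - requested).total_seconds(),
        'agent': m.group('agent'), 'location': m.group('location'),
        'client': a.group('client'), 'method': a.group('method'),
        'path': a.group('path'), 'status': int(a.group('status')),
    }


if __name__ == '__main__':
    for key, value in parse_archive_line(ARCHIVE_LINE).items():
        print(f'{key}: {value}')
```

A non-zero skew_seconds on a real line means the manager and client clocks (or the assumed manager zone) disagree, which is worth fixing before tuning rules that use frequency and timeframe.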