Best practice to manage syslog events?


Xavier Mertens

Dec 24, 2024, 6:03:55 AM
to Wazuh | Mailing List
Hi *,

I'm sending syslog events from multiple hosts to a Wazuh manager.
All events are linked to the "wazuh" agent (ID:000). Is there a way to rewrite/beautify events with their original source?

/x

Olamilekan Abdullateef Ajani

Dec 24, 2024, 7:38:52 AM
to Wazuh | Mailing List
Hello,

From your query, it seems you integrated the log source directly to the Wazuh Manager; this is why the agent field has the values wazuh-server, agent (000).

One way to solve this issue is by making use of the rsyslog option, which means dedicating a server to act as a central log collector for all your event sources (devices); the Wazuh agent installed on it will forward the logs to the Wazuh manager.
rsyslog can be installed on the endpoint (rsyslog on Linux, Logstash on Windows).

Once you have the Wazuh agent installed on the rsyslog server, you can configure it to monitor rsyslog's output file. The rsyslog server collects logs from your endpoints and writes them to a file.
A sample configuration would be to modify the agent's ossec.conf file:
/var/ossec/etc/ossec.conf (Linux)
C:\Program Files (x86)\ossec-agent\ossec.conf (Windows)

<ossec_config>
  <localfile>
    <location>Directory-to-log-file/example.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>


The above reference makes use of the Wazuh log collection capability.

Hope this helps, please let me know if you require further assistance.

Xavier Mertens

Dec 27, 2024, 10:03:36 AM
to Olamilekan Abdullateef Ajani, Wazuh | Mailing List
Thank you for the feedback!

I read about this technique, but I was wondering…
By using the rsyslog technique, collected events will be seen as coming from another agent name (no longer wazuh). Right?
The only way to distinguish hosts will be via the "location"?

/x


Olamilekan Abdullateef Ajani

Jan 6, 2025, 8:55:41 AM
to Wazuh | Mailing List
Hello,

Apologies for the late feedback. Yes, the only way to differentiate will be the location, and the location can be inserted into the log from the source if you utilize the syslog option.

Please see reference:
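As an added example (not from either reply in this thread, and not Wazuh's or rsyslog's own documentation), here are the two configuration fragments the replies describe, written out by one shell function: an rsyslog relay that files each sending host into its own log, and a Wazuh agent localfile entry with a wildcard location, so the alert's "location" field identifies the original host. The output directory, the file names 10-remote-hosts.conf and PerHostFile, and the /var/log/remote path are assumptions for this demo.

```shell
#!/bin/sh
# Added example: writes the rsyslog relay config and the Wazuh agent
# localfile config under "$1" (default /tmp/wazuh-relay-demo) so it can be
# tried without root. For a real relay, use "/" as the root and restart
# rsyslog and wazuh-agent afterwards.
write_relay_configs() {
    root="${1:-/tmp/wazuh-relay-demo}"
    mkdir -p "$root/etc/rsyslog.d" "$root/var/ossec/etc" "$root/var/log/remote"

    # rsyslog: accept syslog on UDP/TCP 514 and write one file per sender.
    # %HOSTNAME% is taken from the syslog header; %FROMHOST-IP% could be used
    # instead if the header hostname is not trusted.
    cat > "$root/etc/rsyslog.d/10-remote-hosts.conf" <<'EOF'
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile")
    stop
}
EOF

    # Wazuh agent on the relay: the wildcard picks up every per-host file,
    # and each alert's "location" field then carries that file's path, which
    # is how the originating host stays visible behind the relay agent.
    cat > "$root/var/ossec/etc/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <location>/var/log/remote/*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
EOF
    echo "$root"
}
```

Run it with no arguments to inspect the generated files under /tmp/wazuh-relay-demo before copying them into place.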