How do I configure Filebeat or Wazuh-Dashboard to import syslog.log from the Extreme switch?


Adam Nowak

Aug 30, 2024, 5:59:49 AM
to Wazuh | Mailing List
How do I configure Filebeat or "Wazuh-Dashboard/Index-Management/Indices/Create-Index" to read the syslog file from the Extreme X440-G2 switch, saved in the file "20_1.log", and send it to Wazuh-Indexer 4.8.1 (based on OpenSearch)?
The file "20_1.log" is stored on the Wazuh Manager (Server-2, IP 192.168.131.201) in the directory "/var/log/172.16.20.1/20_1.log".

My Wazuh installation is a "1-Node installation" with the structure Wazuh Indexer (Server-1, IP 192.168.131.200), Wazuh Manager (Server-2, IP 192.168.131.201), Wazuh Dashboard (Server-2, IP 192.168.131.201). The servers' operating system is Ubuntu 24.04 LTS Server.

https://groups.google.com/g/wazuh/c/tOHFILyvpHc

Gerardo David Caceres Fleitas

Aug 30, 2024, 12:37:08 PM
to Wazuh | Mailing List

Hello Adam,

If you want the Wazuh agent to collect logs from a specific log file, you should use the local file parameter: Wazuh Documentation - Local File.

However, if you prefer to receive network device events directly via Syslog, the following approaches might be helpful:

  1. Using an agent with Logstash/rsyslog as a forwarder (recommended approach):

  2. Enabling the Syslog listener feature in the Wazuh manager:

Please note that security rules are required to process these events. Some devices, such as Fortigate, SonicWall, and Cisco, are supported by default. You might need to create or import new decoders/rules for other devices.

The complete ruleset is in our official GitHub repository: Wazuh Ruleset - GitHub.

I hope this helps.

Best regards,
Gerardo Caceres Fleitas.

Adam Nowak

Sep 2, 2024, 8:08:01 AM
to Wazuh | Mailing List
I made the installation correctly from the website,

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

but I can't find in the Wazuh-Dashboard the logs that are gathered in Rsyslog from 4 switches.
Logs are saved in the files: 20_1.log, 22_1.log, 24_1.log, 24_5.log.

In which tab of the Wazuh-Dashboard should they be visible?

[Attachment: LOGS-SWITCHES_Zrzut ekranu 2024-09-02 135938.jpg]

Gerardo David Caceres Fleitas

Sep 2, 2024, 12:23:16 PM
to Wazuh | Mailing List
Hello Adam,

The Wazuh Dashboard shows security alerts level 3 and above by default. So, if the source you want to monitor is not supported by default, you should create or import new decoders and rules.

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://github.com/wazuh/wazuh/tree/master/ruleset/rules


On the other hand, if you want to keep and visualize the raw data, you must set up the archives configuration, but please remember that it will use additional storage space.
https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#archiving-event-logs

[Attachment: Wazuh's data flow diagram.gif]

Best regards.

Adam Nowak

Sep 4, 2024, 5:39:53 AM
to Wazuh | Mailing List
How do I configure WAZUH-AGENT on the Ubuntu 24.04 server (IP 192.168.131.201) to act as a LOG-FORWARDER for the second WAZUH-MANAGER server (192.168.131.202)?
[Attachment: LOG_FORWARDER_Process of sending logs.png]

Gerardo David Caceres Fleitas

Sep 6, 2024, 5:52:44 AM
to Wazuh | Mailing List
Hi Adam,

These are the guides you must follow. Did you face any issues with it?
https://wazuh.com/blog/monitoring-network-devices/
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

After configuring it and verifying that rsyslog is saving the logs from your network device, consider temporarily enabling archives in the manager and taking a look at the directory /var/ossec/logs/archives/archives.json to check that the manager is receiving these events; then consider sending me a sample log so I can assist you with a simple decoder/rule that can help you get started.

Regards,

Gerard Caceres Fleitas.
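A small checker for the verification step described above, added here as an example; it is not part of the thread and not Wazuh's own tooling. It reads archives.json line by line (one JSON object per line), counts events per `location` (for agent-collected files this is the localfile path) and reports which expected log files have not arrived at all, which arrive but are not decoded, and which are being claimed by a decoder other than your own. The sample lines, hostnames and the 22_1/24_1/24_5 paths are constructed for the example; only the 20_1.log path appears in the thread, and the field names assumed are `location`, `full_log`, `decoder.name` and `agent`.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json
# (one JSON object per line). Events, hostnames and most paths are made up.
SAMPLE_ARCHIVES = "\n".join([
    '{"timestamp":"2024-09-01T16:13:14.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    '"full_log":"Sep  1 16:13:14 _gateway kernel: ACCEPT LOG SRC=18.244.102.124 DST=192.168.1.10 PROTO=TCP",'
    '"decoder":{"name":"kernel"},"location":"/var/log/172.16.20.1/20_1.log"}',
    '{"timestamp":"2024-09-01T16:13:15.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    '"full_log":"Sep  1 16:13:15 switch22 link: port 3 up",'
    '"decoder":{},"location":"/var/log/172.16.22.1/22_1.log"}',
    'this line is not json and must be skipped',
    '{"timestamp":"2024-09-01T16:13:16.000+0000","agent":{"id":"000","name":"wazuh-manager"},'
    '"full_log":"Sep  1 16:13:16 _gateway kernel: ACCEPT LOG SRC=192.168.1.10 DST=18.244.102.124 PROTO=TCP",'
    '"decoder":{"name":"kernel"},"location":"/var/log/172.16.20.1/20_1.log"}',
])

# The four localfile paths the questioner wants to see (only 20_1.log is from the thread;
# the other three are constructed to match its naming pattern).
EXPECTED_LOCATIONS = (
    "/var/log/172.16.20.1/20_1.log",
    "/var/log/172.16.22.1/22_1.log",
    "/var/log/172.16.24.1/24_1.log",
    "/var/log/172.16.24.5/24_5.log",
)


def parse_archives(text):
    """Return the events found in archives.json text, skipping non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial or corrupted line; ignore it
    return events


def summarize(events):
    """Map each location to its event count and the decoders that claimed those events."""
    summary = defaultdict(lambda: {"events": 0, "decoders": Counter()})
    for ev in events:
        loc = ev.get("location", "(unknown)")
        name = (ev.get("decoder") or {}).get("name") or "(undecoded)"
        summary[loc]["events"] += 1
        summary[loc]["decoders"][name] += 1
    return dict(summary)


def check_sources(summary, expected, custom_decoders=()):
    """Flag the three situations that usually explain 'nothing shows in the dashboard':
    the file never reaches the manager, it arrives undecoded, or a stock decoder claims it."""
    report = {"missing": [], "undecoded": [], "claimed_by_other": {}}
    for loc in expected:
        if loc not in summary:
            report["missing"].append(loc)
            continue
        decoders = summary[loc]["decoders"]
        if set(decoders) == {"(undecoded)"}:
            report["undecoded"].append(loc)
        others = sorted(d for d in decoders if d != "(undecoded)" and d not in custom_decoders)
        if others:
            report["claimed_by_other"][loc] = others
    return report


if __name__ == "__main__":
    # On a manager you would read /var/ossec/logs/archives/archives.json instead.
    summary = summarize(parse_archives(SAMPLE_ARCHIVES))
    for loc, info in summary.items():
        print(f"{loc}: {info['events']} events, decoders={dict(info['decoders'])}")
    print(check_sources(summary, EXPECTED_LOCATIONS, custom_decoders=("airlive-rs-2000-parent",)))
```

Pass the names of your own decoders in `custom_decoders`; anything else that claims a source is the situation the later reply in this thread ran into, where a stock decoder matched the line first.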

Adam Nowak

Sep 6, 2024, 9:34:23 AM
to Wazuh | Mailing List
I will send a sample archives.json and archives.log from my home lab on Sunday night. I wish you an interesting and successful weekend :-)

Adam Nowak

Sep 10, 2024, 3:49:40 PM
to Wazuh | Mailing List
As we agreed, after the long weekend I am sending the logs from my home lab. Files 1_2.log and 1_3.log contain logs generated by the GateWay Airlive RS-2000. The files 1_*.log are saved on the Ubuntu 24.04 server by the RSYSLOG application and should additionally be imported into Wazuh-Manager with the possibility of viewing them in Wazuh-Dashboard.
My Wazuh-Manager is version 4.9. The IP address of the Ubuntu server is 192.168.1.10 and the IP address of the GateWay Airlive RS-2000 is 192.168.1.1.
[Attachment: archives.log]
[Attachment: archives.json]
[Attachment: 1_3.log]
[Attachment: 1_2.log]

Gerardo David Caceres Fleitas

Sep 12, 2024, 11:33:14 AM
to Wazuh | Mailing List
Hello Adam,

I tested the provided log and saw that it matches an original Wazuh decoder. To avoid this, we could use an extra parameter in the <localfile> configuration on the agent. The parameter I'm talking about is out_format. It allows us to break the original log structure before forwarding it to the manager. In this case, I've added the text 'OUT-FORMAT:' before the log starts.

<localfile> with out_format:
-------------------------------------------------------------------------------------
<!-- Agent side: every line read from the file is forwarded as "OUT-FORMAT: <original line>" -->
<localfile>
  <log_format>syslog</log_format>
  <location>/home/admin/Documents/test.log</location>
  <out_format>OUT-FORMAT: $(log)</out_format>
</localfile>
-------------------------------------------------------------------------------------

Result with the original log:
[Attachment: Screenshot 2024-09-12 112334.png]

The result after out_format and adding new decoders/rules:
[Attachment: Screenshot 2024-09-12 111823.png]

Below is a base of decoders and rules that can help you as a starting point.

-------------------------------------------------------------------------------------
Decoder:
<!-- sample log
OUT-FORMAT: Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' SRC=18.244.102.124 DST=192.168.1.10 PROTO=TCP SPT=443 DPT=44876 LEN=1448 WAN=1 DIR=in MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)
OUT-FORMAT: Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' SRC=192.168.1.10 DST=18.244.102.124 PROTO=TCP SPT=44876 DPT=443 LEN=52 WAN=1 DIR=out MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)
-->
<!-- Parent decoder: claims every line that starts with the OUT-FORMAT: prefix added by the agent -->
<decoder name="airlive-rs-2000-parent">
  <prematch>^OUT-FORMAT:</prematch>
</decoder>

<!-- Child decoder: extracts the SRC, DST and PROTO values (\p matches the '=' sign) -->
<decoder name="airlive-rs-2000-child">
  <parent>airlive-rs-2000-parent</parent>
  <regex> SRC\p(\d+.\d+.\d+.\d+) DST\p(\d+.\d+.\d+.\d+) PROTO\p(\w+) SPT</regex>
  <order>src.ip, dst.ip, protocol</order>
</decoder>

-------------------------------------------------------------------------------------

Rules:
<!-- sample log
OUT-FORMAT: Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' SRC=192.168.1.10 DST=18.244.102.124 PROTO=TCP SPT=44876 DPT=443 LEN=52 WAN=1 DIR=out MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)
OUT-FORMAT: Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' SRC=18.244.102.124 DST=192.168.1.10 PROTO=TCP SPT=443 DPT=44876 LEN=1448 WAN=1 DIR=in MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)
-->
<group name="airlive-rs-2000,">
  <!-- Base rule (level 0): matches every event from the parent decoder without raising an alert -->
  <rule id="123327" level="0">
    <decoded_as>airlive-rs-2000-parent</decoded_as>
    <description>Event from airlive-rs-2000</description>
  </rule>

  <!-- Example alert (level 4): fires when the decoded dst.ip equals the sample address -->
  <rule id="123330" level="4">
    <if_sid>123327</if_sid>
    <field name="dst.ip">18.244.102.124</field>
    <description>This is an example of a Security Alert, the destination ip is $(dst.ip)</description>
  </rule>
</group>


-------------------------------------------------------------------------------------


Best regards!
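To make the chain in this reply concrete, the following is an added example (not code from the thread or from Wazuh) that replays it in plain Python: the agent's `<out_format>` prepends `OUT-FORMAT: `, the parent decoder prematches that prefix, the child decoder extracts `src.ip`, `dst.ip` and `protocol`, and the two rules assign a level, with level 3 and above counted as an alert as an earlier reply states. The regexes are Python translations of the OS_Regex patterns in the reply (`\p` as a punctuation character, `\d` digit, `\w` alphanumeric), and the "stock syslog header" check that models why the original `kernel:` line was claimed by a built-in decoder is a simplified assumption, not Wazuh's actual pre-decoder; the sample lines are constructed after the ones quoted in the reply.

```python
import re

# Mimics <out_format>OUT-FORMAT: $(log)</out_format>: $(log) is the raw line,
# and the literal prefix is prepended before the event leaves the agent.
OUT_FORMAT_PREFIX = "OUT-FORMAT: "


def apply_out_format(raw_line):
    return OUT_FORMAT_PREFIX + raw_line


# Simplified model (assumption, not Wazuh's real pre-decoder): a line that starts
# with "Mon DD HH:MM:SS host program:" yields a program_name that stock decoders
# key on. Once the prefix is in front, the header no longer parses and no stock
# decoder claims the event, which is the effect the reply describes.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ([^:\s\[]+)(?:\[\d+\])?: "
)


def stock_program_name(line):
    m = SYSLOG_HEADER.match(line)
    return m.group(1) if m else None


# Python translations of the decoder patterns from the reply.
PARENT_PREMATCH = re.compile(r"^OUT-FORMAT:")
CHILD_REGEX = re.compile(
    r" SRC[^\w\s](\d+\.\d+\.\d+\.\d+) DST[^\w\s](\d+\.\d+\.\d+\.\d+) PROTO[^\w\s](\w+) SPT"
)
CHILD_ORDER = ("src.ip", "dst.ip", "protocol")


def decode(line):
    """Fields the parent/child decoder pair would extract, or None if the prematch fails."""
    if not PARENT_PREMATCH.search(line):
        return None
    fields = {"decoder": "airlive-rs-2000-parent"}
    m = CHILD_REGEX.search(line)
    if m:
        fields.update(zip(CHILD_ORDER, m.groups()))
    return fields


# The two rules from the reply, as data.
RULES = [
    {"id": 123327, "level": 0, "decoded_as": "airlive-rs-2000-parent",
     "description": "Event from airlive-rs-2000"},
    {"id": 123330, "level": 4, "if_sid": 123327, "field": ("dst.ip", "18.244.102.124"),
     "description": "This is an example of a Security Alert, the destination ip is $(dst.ip)"},
]
ALERT_LEVEL = 3  # manager default: alerts of level 3 and above reach the dashboard


def evaluate(fields):
    """Walk the rules top-down: a rule with if_sid is only tried once its parent
    matched, and the deepest match is the one that is reported."""
    matched = None
    for rule in RULES:
        if "decoded_as" in rule and rule["decoded_as"] != fields.get("decoder"):
            continue
        if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if "field" in rule:
            name, value = rule["field"]
            if fields.get(name) != value:
                continue
        matched = rule
    if matched is None:
        return None
    # Expand $(field) placeholders in the description the way the rule's description does.
    desc = re.sub(r"\$\((\S+?)\)", lambda m: fields.get(m.group(1), ""), matched["description"])
    return {"id": matched["id"], "level": matched["level"], "description": desc,
            "alerts": matched["level"] >= ALERT_LEVEL}


def process(raw_line):
    """Full chain for one raw rsyslog line: out_format -> decoders -> rules."""
    fields = decode(apply_out_format(raw_line))
    return None if fields is None else evaluate(fields)


# Constructed lines in the shape of the samples quoted in the reply.
SAMPLE_OUT = ("Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' "
              "SRC=192.168.1.10 DST=18.244.102.124 PROTO=TCP SPT=44876 DPT=443 "
              "LEN=52 WAN=1 DIR=out MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)")
SAMPLE_IN = ("Sep  1 16:13:14 _gateway kernel: '240704192717 ACCEPT LOG ' "
             "SRC=18.244.102.124 DST=192.168.1.10 PROTO=TCP SPT=443 DPT=44876 "
             "LEN=1448 WAN=1 DIR=in MARK=101b16686f795 (Sun Sep  1 14:13:25 2024)")

if __name__ == "__main__":
    for raw in (SAMPLE_OUT, SAMPLE_IN):
        print("program_name before out_format:", stock_program_name(raw))
        print("program_name after out_format: ", stock_program_name(apply_out_format(raw)))
        print(process(raw))
```

The outbound sample ends at rule 123330 (level 4, an alert), the inbound one stops at the level 0 base rule and never reaches alerts.json, and the same raw line without the prefix is not accepted by the parent decoder at all; swapping the `field` in rule 123330 for the condition you actually care about is the natural next step.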
