syslog file in wazuh server


rabbit

Sep 27, 2024, 12:16:08 AM
to Wazuh | Mailing List
Hi Folks,

Can you show me where I should add the config block so that all forwarded syslogs are stored and saved on the Wazuh server? I would like to add a mountpoint /store/syslog/"ipaddress-syslog-forward".log for all agents reporting via syslog.
Or does the configuration need to be adjusted in the rsyslog conf?

Thanks,
onyx

ismail....@wazuh.com

Sep 27, 2024, 6:40:30 AM
to Wazuh | Mailing List
Hi,

Wazuh has the capability to monitor network devices (firewalls, routers, switches, etc.) by collecting their logs through syslog and analyzing them. We recommend that you set up a syslog server with rsyslog to collect the network device logs there, and a Wazuh agent on that syslog server to forward those logs to the Wazuh manager. Here you will find the steps to configure the syslog server with rsyslog and the Wazuh agent to receive the logs from network devices, store them and forward them to the Wazuh manager: https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html#rsyslog-on-linux

The Linux machine configuration involves the following steps:

Set Up Rsyslog on Linux Host:

  • Install Rsyslog (if not already installed):

sudo apt-get install rsyslog

Configure Rsyslog to Receive Logs:

  • Open the rsyslog configuration file:

sudo nano /etc/rsyslog.conf

  • For TCP (recommended), add these lines:

$ModLoad imtcp
$InputTCPServerRun 514

  • For UDP, add these lines:

$ModLoad imudp
$UDPServerRun 514

Configure Network Device to Send Logs to Rsyslog:

  • Ensure the network device is configured to send logs via Syslog to the IP address of your Linux host running rsyslog on port 514.

Configure Rsyslog to Forward Logs to a File:

  • In the /etc/rsyslog.conf file, add

if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<file_name.log>
& ~

Replace REMOTE_DEVICE_IP with the IP or network of your network devices and <file_name.log> with your desired log file name.

Deploy Wazuh Agent on the Same Device:

  • Install Wazuh Agent: Follow the Wazuh installation guide for your Linux distribution to install the agent.

  • Configure Wazuh Agent to Read the Log File:

  • Edit the Wazuh agent configuration file:

sudo nano /var/ossec/etc/ossec.conf

  • Add the following within the <localfile> tag:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/<file_name.log></location>
</localfile>

Replace <file_name.log> with the log file name you specified earlier.

Restart Services:

sudo systemctl restart rsyslog
sudo systemctl restart wazuh-agent

However, if you want to configure remote syslog on the Wazuh manager and receive the logs directly there, you need to follow this guide to configure it before sending the logs to the Wazuh manager: see the Wazuh documentation for reference.

The Wazuh server can collect logs via syslog from endpoints. Add the following configuration between the <ossec_config> tags of the Wazuh server's /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514.

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Please refer to the Wazuh documentation for more details:

https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

I hope this information helps you. Please feel free to reach out to us for any information/issues.

Regards,
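As an added example (not part of either post above), here is the per-device layout onyx asked for, done on the rsyslog host rather than with one static file per REMOTE_DEVICE_IP: a dedicated rsyslog ruleset writes each sender to /store/syslog/<ip>-syslog-forward.log via a dynaFile template, and the Wazuh agent reads them all with a wildcard <location>. The rule-file name, the PerSourceFile template name and the path variables are assumptions; override them to try the helper outside /etc.

```shell
#!/bin/sh
# Added example, not Wazuh's or rsyslog's own code. Paths are assumptions;
# set RSYSLOG_DIR / OSSEC_CONF / STORE_DIR to a scratch dir to test without root.
set -eu
RSYSLOG_DIR="${RSYSLOG_DIR:-/etc/rsyslog.d}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
STORE_DIR="${STORE_DIR:-/store/syslog}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# Bind the TCP listener to its own ruleset so remote messages never fall
# through into the local /var/log rules; %fromhost-ip% becomes the file name.
write_rsyslog_conf() {
  cat > "$RSYSLOG_DIR/10-remote-syslog.conf" <<EOF
module(load="imtcp")
template(name="PerSourceFile" type="string"
         string="$STORE_DIR/%fromhost-ip%-syslog-forward.log")
ruleset(name="remote-syslog") {
    # 0644 so the wazuh agent user can read; tighten with fileGroup if rsyslog runs as root
    action(type="omfile" dynaFile="PerSourceFile"
           dirCreateMode="0750" fileCreateMode="0644")
}
input(type="imtcp" port="$SYSLOG_PORT" ruleset="remote-syslog")
EOF
}

# Append a second <ossec_config> block (the agent merges all of them); the
# wildcard picks up every new per-device file without further edits.
write_agent_localfile() {
  cat >> "$OSSEC_CONF" <<EOF
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>$STORE_DIR/*.log</location>
  </localfile>
</ossec_config>
EOF
}

# Returns 0 only when both files carry the settings written above.
verify_configs() {
  grep -q 'dynaFile="PerSourceFile"' "$RSYSLOG_DIR/10-remote-syslog.conf" &&
  grep -q "<location>$STORE_DIR/\*.log</location>" "$OSSEC_CONF"
}

# To apply on the syslog host (needs root), uncomment:
# mkdir -p "$STORE_DIR" && write_rsyslog_conf && write_agent_localfile && verify_configs
# rsyslogd -N1 && systemctl restart rsyslog wazuh-agent
```

Run `rsyslogd -N1` before restarting so a syntax slip in the rule file does not take the collector down.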


