Configure Rsyslog for Logging to Wazuh

In this article, we will look at how to configure a Linux server with Rsyslog so that it can receive syslog events from network devices and hand them to Wazuh's unified XDR and SIEM.

Prerequisites

  • Linux server
  • Wazuh
  • At least one network device

Note

In this example, an Ubuntu server is used as the syslog server and a Cisco CSR is used to send syslog messages to the server.

Configure Rsyslog

  • With sudo access to the Linux server, open the Rsyslog configuration file and modify the following lines in the modules section:

Remove the ‘#’ from the following lines to enable log collection over UDP port 514.

#module(load="imudp")
#input(type="imudp" port="514")

Remove the ‘#’ from the following lines to enable log collection over TCP port 514.

#module(load="imtcp")
#input(type="imtcp" port="514")

Note

You can choose to enable log collection for both TCP and UDP. You can also modify the port if necessary.

  • Specify the logging location. In this article, we used the following example, which writes every message received from the device's IP to its own file and then stops processing that message:
# Match on the sender's IP and write to a dedicated file.
# startswith is a prefix match: '10.0.0.1' also matches 10.0.0.10; use == when a single host is intended.
if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/devicesyslog.log
# Stop further processing so the message is not also written to the default log files ('& ~' is the deprecated equivalent).
& stop
  • Once complete, save and exit the configuration file.

(Optional) Firewall Considerations

  • Modify your host firewall to lock down communication to the server so that only the expected devices can reach the syslog port.
  • Consider adding rules to any network firewall to allow syslog to flow from the devices to the server.

Deploy the Wazuh Agent

  • With access to your Wazuh Dashboard, deploy a new agent onto your Linux server. Navigate to Agents > Deploy a New Agent and fill in the required details.
  • Once the agent is deployed and enabled, we will modify its configuration file so that it collects the syslog messages written by the server.

Modify the Wazuh Agent Configuration File

  • Under the ‘ossec_config’ section, add the configuration shown below. Make sure that you replace ‘LOGLOCATION’ with the log path you specified earlier (in this article, devicesyslog.log).
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/LOGLOCATION</location>
</localfile>
  • Save the configuration once done and restart Rsyslog and the Wazuh agent using the commands below:
systemctl restart rsyslog
systemctl restart wazuh-agent

Test the Functionality

With all the configuration in place on the server, you now need to configure your network devices to send syslog to the server. In this example, we are using a Cisco CSR device. We configure it to log to the Linux server, and the logs are picked up and displayed on the Wazuh dashboard as shown in the screenshot below.
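To check the pipeline end to end before a real device is pointed at the collector, here is an added Python script (not part of the original article) that builds a constructed Cisco IOS style syslog message and sends it to the server over UDP or TCP port 514, matching the imudp/imtcp inputs enabled above; the server address, sequence number and message text are placeholders.

```python
import socket
import sys
import time

# RFC 3164 codes used to build the PRI field; Cisco IOS logs to local7 by default.
FACILITY_LOCAL7 = 23
SEVERITY_NOTICE = 5


def build_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_pri(message: bytes) -> tuple[int, int]:
    """Split the leading <PRI> of a raw syslog message into (facility, severity)."""
    if not message.startswith(b"<"):
        raise ValueError("message does not start with a PRI field")
    end = message.index(b">", 1, 5)  # PRI is at most three digits
    return divmod(int(message[1:end]), 8)


def build_cisco_message(seq: int, mnemonic: str, text: str,
                        facility: int = FACILITY_LOCAL7,
                        severity: int = SEVERITY_NOTICE) -> bytes:
    """Constructed IOS-style line: <PRI>SEQ: *TIMESTAMP: %SYS-SEV-MNEMONIC: text."""
    stamp = time.strftime("%b %d %H:%M:%S")
    body = f"{seq}: *{stamp}: %SYS-{severity}-{mnemonic}: {text}"
    return f"<{build_pri(facility, severity)}>{body}".encode()


def send_test_message(server: str, message: bytes, port: int = 514,
                      tcp: bool = False) -> int:
    """Send one message over UDP (imudp) or TCP (imtcp); returns bytes sent.
    imtcp delimits messages with a trailing newline, so one is appended."""
    if tcp:
        with socket.create_connection((server, port), timeout=5) as sock:
            return sock.send(message + b"\n")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (server, port))


if __name__ == "__main__":
    # Usage: python3 syslog_test.py SYSLOG_SERVER_IP [tcp]; with no arguments the message is only printed.
    msg = build_cisco_message(42, "CONFIG_I", "Configured from console by admin on vty0")
    if len(sys.argv) > 1:
        send_test_message(sys.argv[1], msg, tcp=(sys.argv[2:3] == ["tcp"]))
    print(msg.decode())
```

Because the rsyslog rule above matches on $fromhost-ip, the message only lands in /var/log/devicesyslog.log when sent from an address matching REMOTE_DEVICE_IP; sent from any other host it goes to the default log files instead, which is itself a useful check that the filter is doing its job.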
