Recently I’ve been working with Wazuh to forward syslog from network devices using Rsyslog. Usually I would send syslog to a dedicated SIEM, but I wanted to test the out-of-the-box functionality of Wazuh’s open-source XDR and SIEM.
After configuring a network device to send syslog and viewing those logs in the Wazuh dashboard, I found that I much prefer other SIEM solutions for viewing syslog messages, and let me show you why.
- Syslog messages received by Wazuh are not especially clean or easy to search. Here is an example of a syslog message received from a network device.
- Here is a similar syslog message received by Graylog. The output is much clearer.
- Another thing that I came to realise was that Wazuh would not receive certain syslog messages, depending on how Rsyslog received them. For example, when I configured a Cisco device with an Origin-ID, as shown by the source field in the Graylog log, Wazuh wouldn’t output these logs. It’s worth mentioning that I didn’t play around too much with the configuration of the Wazuh agent, so that may be the cause.
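To see why an Origin-ID can trip up a decoder, it helps to look at where the hostname actually sits in the two layouts. The example below is added to this post; it is not Wazuh, Graylog or rsyslog code and makes no claim about how any of those products decode these lines. It parses the classic BSD/RFC 3164 header (`<PRI>timestamp hostname tag: msg`, using the sample line from RFC 3164 section 5.4) and the raw Cisco IOS layout, where `service sequence-numbers` and `logging origin-id hostname` put a sequence number and the origin in front of the device's own timestamp. The Cisco sample lines are constructed, not captured from a real device, and the `core-sw1` hostname and `10.0.0.5` address are invented.

```python
"""Parse syslog lines in the BSD (RFC 3164) layout and the raw Cisco IOS layout.

Added example; not Wazuh, Graylog or rsyslog code. Sample lines marked
'constructed' are made up for this demonstration.
"""
import re

# RFC 3164 section 5.4 example line (real, from the RFC).
RFC3164_SAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
# Constructed: Cisco IOS line with 'service sequence-numbers' and
# 'logging origin-id hostname' enabled. Note that the origin comes BEFORE
# the device timestamp, unlike the BSD header where the host follows it.
CISCO_ORIGIN_SAMPLE = ("<189>39: core-sw1: *Mar  1 00:11:22.333: %SYS-5-CONFIG_I: "
                       "Configured from console by admin on vty0 (10.0.0.5)")
# Constructed: the same event without sequence number or origin-id.
# There is no hostname in the line at all; it must come from the sender's IP.
CISCO_PLAIN_SAMPLE = ("<189>*Mar  1 00:11:22.333: %SYS-5-CONFIG_I: "
                      "Configured from console by admin on vty0 (10.0.0.5)")

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

# BSD layout:  TIMESTAMP HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$", re.S)

# Raw Cisco IOS layout:  [SEQ: ][ORIGIN: ][*|.]TIMESTAMP: %FAC-SEV-MNEMONIC: MSG
# Both leading fields are optional, so the line only makes sense to a parser
# that knows this layout; a BSD-header parser finds no hostname where it expects one.
# 'logging origin-id string' with spaces in the string is not handled here.
CISCO_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                                   # optional sequence number
    r"(?:(?P<origin>[^:\s]+): )?"                             # optional origin-id (hostname or IP)
    r"(?P<ts>[*.]?\w{3} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}"  # device timestamp ...
    r"(?:\.\d{3})?(?: \S+)?): "                               # ... with optional msec and timezone
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$", re.S)


def parse(line: str) -> dict:
    """Return a flat record; 'host' is None when the line itself carries no hostname."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group("pri"))
    rec = {"facility": pri // 8, "severity": pri % 8, "host": None, "seq": None}
    rest = m.group("rest")
    # Try the Cisco layout first: the BSD regex cannot match it, but checking
    # the more specific layout first keeps the intent obvious.
    c = CISCO_RE.match(rest)
    if c:
        rec.update(layout="cisco-raw", host=c.group("origin"), seq=c.group("seq"),
                   timestamp=c.group("ts"),
                   mnemonic=f"%{c.group('facility')}-{c.group('sev')}-{c.group('mnemonic')}",
                   msg=c.group("msg"))
        return rec
    b = RFC3164_RE.match(rest)
    if b:
        rec.update(layout="rfc3164", host=b.group("host"), timestamp=b.group("ts"),
                   tag=b.group("tag"), msg=b.group("msg"))
        return rec
    # Unknown layout: keep the body whole rather than guessing at fields.
    rec.update(layout="unknown", msg=rest)
    return rec


def host_or_peer(rec: dict, peer_ip: str) -> str:
    """Pick the hostname a SIEM should index: the in-line host if present,
    otherwise the UDP/TCP peer address the collector saw."""
    return rec["host"] if rec["host"] else peer_ip


if __name__ == "__main__":
    for sample in (RFC3164_SAMPLE, CISCO_ORIGIN_SAMPLE, CISCO_PLAIN_SAMPLE):
        r = parse(sample)
        print(r["layout"], host_or_peer(r, "192.0.2.10"), r["msg"])
```

The practical check this gives you is simple: feed one line captured on the wire (for example with `tcpdump -A udp port 514` on the collector) through `parse()`. If it comes back as `cisco-raw` with `host` set from the origin field, the hostname your SIEM shows has to come from that in-line field rather than from the BSD header position, and a decoder that only knows the BSD layout will not find it there.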