Wazuh is able to send and receive messages via Syslog. Syslog allows machines where the Wazuh agent cannot be installed to report events. This post describes the steps to configure an Rsyslog client to send event messages to the Wazuh manager.

Configure Wazuh

To configure the Wazuh manager to receive Syslog messages, this block must be included in the local configuration:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/24</allowed-ips>
  <local_ip>10.0.0.1</local_ip>
</remote>

Syslog messages are usually sent to port 514 over UDP. Both values can be changed, but they must match the configuration of the Rsyslog client.

The local_ip tag indicates the manager IP. If the address is IPv6, the configuration must use the ipv6 tag instead of local_ip; the block cannot contain both.

This configuration allows Wazuh to receive Syslog messages from any IP in the 10.0.0.0/24 network. The denied-ips tag works the other way round: it lists the IPs that are blocked from sending messages to the manager.

You can read more about remote configuration in our documentation.

Configure Rsyslog

Most Linux distributions come with the Rsyslog package pre-installed. If it is not installed, you can use the Linux package manager to install it.

CentOS:

sudo yum install rsyslog

Debian and Ubuntu:

sudo apt-get install rsyslog

The Rsyslog configuration file is located at /etc/rsyslog.conf. This file specifies the server the messages are forwarded to. Add the following line to send all messages to IP 10.0.0.1 (the manager IP) on port 514 over UDP:

*.* @10.0.0.1:514

To send the messages over TCP instead, use two @ characters in the forwarding rule:

*.* @@10.0.0.1:514

The configuration files in /etc/rsyslog.d determine which messages are sent. To forward a specific log file, create a configuration file in this folder with the .conf extension and add the following configuration to it:
# Load the text-file input module
$ModLoad imfile
# File to watch and the tag the forwarded messages carry
$InputFileName /var/log/program_file.log
$InputFileTag my_program
# State file (under the rsyslog work directory) that records the read position
$InputFileStateFile program_file
$InputFileSeverity info
# Start monitoring the file with the settings above
$InputRunFileMonitor

Finally, restart Rsyslog to apply the changes.

systemctl restart rsyslog

As an example, the ownCloud app logs the following event:

{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00","@source":"ownCloud"}

Wazuh receives the message as forwarded by Rsyslog:

Jun 14 08:02:04 vm-ubuntu18 owncloud "app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00","@source":"ownCloud"}

The following alert is generated:

{
  "timestamp": "2019-07-04T17:25:52.215+0000",
  "rule": {
    "level": 6,
    "description": "ownCloud authentication failed.",
    "id": "87301",
    "firedtimes": 1,
    "mail": false,
    "groups": [
      "owncloud",
      "authentication_failed"
    ],
    "pci_dss": [
      "10.2.4",
      "10.2.5"
    ],
    "gdpr": [
      "IV_35.7.d",
      "IV_32.2"
    ]
  },
  "agent": {
    "id": "000",
    "name": "manager-centos7"
  },
  "manager": {
    "name": "manager-centos7"
  },
  "id": "1562261152.28123",
  "decoder": {
    "name": "json"
  },
  "data": {
    "app": "core",
    "message": "Login failed: admin (Remote IP: 127.0.0.1, X-Forwarded-For: )",
    "level": "2",
    "time": "2015-06-09T08:16:29+00:00",
    "@source": "ownCloud"
  }
}
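Added example (not part of the original post or of Wazuh's or Rsyslog's code): a small Python script that mirrors both ends of the setup above. It checks a sender address against the allowed-ips/denied-ips policy of the <remote> block, formats a message the way the *.* @10.0.0.1:514 rule forwards it, and parses the line Wazuh received in the ownCloud example (which arrives without its opening brace) back into header fields and a decoded JSON payload. The regular expression, the helper names and the sshd sample line are assumptions of this example.

```python
import ipaddress
import json
import re

# Networks from the <remote> block on this page (assumption: no denied-ips configured).
ALLOWED_IPS = ["10.0.0.0/24"]
DENIED_IPS = []

# The line Wazuh received in the ownCloud example above, copied from this page.
RECEIVED_LINE = """Jun 14 08:02:04 vm-ubuntu18 owncloud "app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00","@source":"ownCloud"}"""

# BSD-style (RFC 3164) header as rsyslog forwards it: optional <PRI>, timestamp,
# host, tag (optionally with [pid] and a colon), then the application message.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?:? ?(?P<msg>.*)$"
)

def source_allowed(ip):
    """Apply the allowed-ips / denied-ips policy of the <remote> block: a denied
    network wins, otherwise the sender must sit inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in DENIED_IPS):
        return False
    return any(addr in ipaddress.ip_network(n) for n in ALLOWED_IPS)

def parse_syslog(line):
    """Split a received line into header fields and decode a JSON payload.
    The page's example arrives without its opening brace, so a payload that
    starts with a quoted key and ends with '}' is completed before decoding."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    payload = rec["msg"].strip()
    if payload.startswith('"') and payload.endswith("}"):
        payload = "{" + payload
    try:
        rec["data"] = json.loads(payload)
    except ValueError:
        rec["data"] = None  # plain-text message; Wazuh would use a non-JSON decoder
    return rec

def build_message(ts, host, tag, payload, facility=1, severity=6):
    """Format a message the way the rsyslog forwarding rule on this page sends it
    (facility 1 = user, severity 6 = info gives PRI 14)."""
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, ts, host, tag, payload)
```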