How to configure Rsyslog client to send events to Wazuh

Wazuh 3.9

If you want to know how to configure a Rsyslog client to send event messages to the Wazuh manager step by step, this post is for you! Wazuh is able to send and receive messages via Syslog. Syslog allows machines where the Wazuh agent cannot be installed to report events.

Configure Wazuh manager to receive Syslog messages

First of all, you will include this block in the local configuration:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>10.0.0.0/24</allowed-ips>
  <local_ip>10.0.0.1</local_ip>
</remote>

Syslog messages are usually sent to port 514 over UDP. Both the port and the protocol can be changed, but remember that they must match the configuration of the Rsyslog client.

The tag local_ip indicates the manager IP. If the IP is IPv6, the configuration must contain the tag ipv6 instead of local_ip. It can’t contain both.

This configuration allows Wazuh to receive messages in Syslog format from any IP belonging to the 10.0.0.0/24 network. You can also use the tag denied-ips. It prevents a list of IPs from sending messages to the manager.

Read more about remote configuration here.

Configure Rsyslog

Most Linux distributions come with the Rsyslog package pre-installed. If it is not installed, you can use the Linux package manager to install it.

CentOS:

sudo yum install rsyslog

Debian and Ubuntu:

sudo apt-get install rsyslog

The Rsyslog configuration file is located at /etc/rsyslog.conf. This file defines the server to which messages are forwarded. Add the following line to send all messages (the *.* selector) to 10.0.0.1 (the manager IP) on port 514 via UDP:

*.* @10.0.0.1:514

To forward via TCP instead, use a double @ before the address:

*.* @@10.0.0.1:514

The configuration files found in /etc/rsyslog.d determine which messages will be sent. If you want to forward a specific log file, create a configuration file in this folder. The file must have the extension .conf.

Now add the following configuration to this file:

$ModLoad imfile
$InputFileName /var/log/program_file.log
$InputFileTag my_program
$InputFileStateFile program_file
$InputFileSeverity info
$InputRunFileMonitor

Finally, restart Rsyslog to apply changes.

systemctl restart rsyslog

In this example, the Owncloud app logs the event below:

{"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00","@source":"ownCloud"}

Then, Wazuh receives this message from Rsyslog:

Jun 14 08:02:04 vm-ubuntu18 owncloud {"app":"core","message":"Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')","level":2,"time":"2015-06-09T08:16:29+00:00","@source":"ownCloud"}

At this point, the following alert is generated:

{
  "timestamp": "2019-07-04T17:25:52.215+0000",
  "rule": {
    "level": 6,
    "description": "ownCloud authentication failed.",
    "id": "87301",
    "firedtimes": 1,
    "mail": false,
    "groups": [
      "owncloud",
      "authentication_failed"
    ],
    "pci_dss": [
      "10.2.4",
      "10.2.5"
    ],
    "gdpr": [
      "IV_35.7.d",
      "IV_32.2"
    ]
  },
  "agent": {
    "id": "000",
    "name": "manager-centos7"
  },
  "manager": {
    "name": "manager-centos7"
  },
  "id": "1562261152.28123",
  "decoder": {
    "name": "json"
  },
  "data": {
    "app": "core",
    "message": "Login failed: admin (Remote IP: 127.0.0.1, X-Forwarded-For: )",
    "level": "2",
    "time": "2015-06-09T08:16:29+00:00",
    "@source": "ownCloud"
  }
}
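To verify the forwarding path without waiting for ownCloud to log a failed login, here is an added Python example (not part of the original post or of Wazuh) that builds a line in the same shape as the one Rsyslog delivers above, parses it back the way the manager sees it, and can deliver it to the manager over UDP or TCP. The hostname, the manager address 10.0.0.1:514 and newline framing for the TCP case are assumptions.

```python
import json
import socket
from datetime import datetime

# Constructed sample event, copied from the ownCloud log line shown in the post.
SAMPLE_EVENT = {"app": "core",
                "message": "Login failed: 'admin' (Remote IP: '127.0.0.1', X-Forwarded-For: '')",
                "level": 2, "time": "2015-06-09T08:16:29+00:00", "@source": "ownCloud"}


def build_syslog_line(tag, payload, hostname="vm-ubuntu18", facility=1, severity=6, when=None):
    """Build an RFC 3164 line the way rsyslog forwards an imfile event.
    facility 1 (user) and severity 6 (info) match $InputFileSeverity info."""
    pri = facility * 8 + severity
    when = when or datetime.now()
    # RFC 3164 timestamp: month, space-padded day, time (always 15 characters).
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag} {json.dumps(payload, separators=(',', ':'))}"


def parse_syslog_line(line):
    """Split the header rsyslog adds from the JSON body that Wazuh's json decoder reads."""
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    rest = line[pri_end + 1:]
    host, tag, body = rest[16:].split(" ", 2)  # skip the 15-char timestamp and a space
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": rest[:15],
            "host": host, "tag": tag, "event": json.loads(body)}


def send_to_manager(line, host="10.0.0.1", port=514, tcp=False):
    """Deliver one message; tcp=True mirrors the @@ target (newline framing is an assumption)."""
    data = (line + "\n").encode()
    if tcp:
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(data)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    return len(data)


if __name__ == "__main__":
    line = build_syslog_line("owncloud", SAMPLE_EVENT)
    print(line)
    print(parse_syslog_line(line)["event"]["message"])
    # send_to_manager(line)  # uncomment on a host inside the allowed-ips network
```

After sending, the manager should raise rule 87301 exactly as in the alert above; if nothing appears, check that the source IP falls inside allowed-ips and that the port and protocol match on both sides.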

If you have any questions about this, don’t hesitate to check out our documentation to learn more about Wazuh or join our community where our team and contributors will help you.