Remote Syslog configuration #345

Open
Beeez opened this issue Apr 21, 2023 · 3 comments
Comments

@Beeez

Beeez commented Apr 21, 2023

Hi,

Are there any recommendations for configuring remote syslog for the wazuh-manager-workers? I have this added to my config:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>

Does rsyslog need to be installed on the wazuh-managers in order for this to work? The documentation doesn't quite make this clear.

Does this mean I will need to build a custom wazuh-manager docker image with rsyslog included? If so I feel like this should be part of the default image.

@Wolvverine

Wolvverine commented Nov 7, 2023

I have a problem also.

App version: 4.5.3
App revision: 02

In docker stack for wazuh-manager:

    ports:
      - "2514:2514/tcp"
      - "2514:2514/udp"
      - "1514:1514"
      - "1515:1515"
      - "55000:55000"

I have in ossec.conf :

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp,udp</protocol>
    <queue_size>131072</queue_size>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
     <connection>syslog</connection>
     <port>2514</port>
     <protocol>tcp</protocol>
     <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
     <connection>syslog</connection>
     <port>2514</port>
     <protocol>udp</protocol>
     <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>

tcpdump running on the host and in the container indicates that logs from fortigate and other devices are being sent and arriving.

netstat on host shows:

# netstat -tulnp | grep 514
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      316202/docker-proxy
tcp        0      0 0.0.0.0:2514            0.0.0.0:*               LISTEN      316137/docker-proxy
tcp6       0      0 :::1514                 :::*                    LISTEN      316211/docker-proxy
tcp6       0      0 :::2514                 :::*                    LISTEN      316144/docker-proxy
udp        0      0 0.0.0.0:2514            0.0.0.0:*                           316159/docker-proxy
udp6       0      0 :::2514                 :::*                                316166/docker-proxy

In container:

root@wazuh:/#  netstat -tulnp | grep 514
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2514            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:1514            0.0.0.0:*                           -
udp        0      0 0.0.0.0:2514            0.0.0.0:*                           -

However, after enabling the option:

    <logall>yes</logall>
    <logall_json>yes</logall_json>

Unfortunately, in the log files
cat /var/ossec/logs/archives/archives.log
cat /var/ossec/logs/archives/archives.json
there are no entries from syslog. Entries from the agents on the servers are present.

In fortigate config for syslog:

# config log syslogd setting
(setting) # show full-configuration 
config log syslogd setting
    set status enable
    set server "xxx.xxx.xxx.xxx"
    set mode reliable
    set port 2514
    set facility local7
    set source-ip "yyy.yyy.yyy.yyy"
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm disable
    set interface-select-method auto
end

In logs:

Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10832). Listening on port 1514/TCP,UDP (secure).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10833). Listening on port 2514/TCP (syslog).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Remote syslog allowed from: '0.0.0.0/0'
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  Started (pid: 10834). Listening on port 2514/UDP (syslog).
Nov 8, 2023 @ 17:03:33.000 wazuh-remoted INFO  (1410): Reading authentication keys file.

Test from another host in network:

# nc -zv wazuh.local 2514
wazuh.local [xxx.xxxx.xxx.xxx] 2514 (?) open

@Wolvverine

After updating to 4.6.0, in the logs:
cat /var/ossec/logs/archives/archives.log
cat /var/ossec/logs/archives/archives.json
I have entries from UDP remote syslog on 2514.

@kahramanakyil

After enabling syslog in ossec.conf, only TCP is working; however, UDP is not working on k8s.

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp,udp</protocol>
    <queue_size>131072</queue_size>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
  </remote>
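As an added example (not code from the issue's participants or from the Wazuh project), a small Python cross-check for the kind of mismatch reported in this thread: it parses the <remote> blocks from ossec.conf and compares each listener's port and protocol with the compose "ports:" entries, since Docker publishes TCP only when no "/udp" suffix is given, and it also flags syslog listeners whose allowed-ips is 0.0.0.0/0. The ossec.conf and compose inputs are constructed samples modelled on the configs posted above, and the 1514/tcp defaults are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <remote> blocks posted in this thread, not a real ossec.conf.
OSSEC_CONF = """<ossec_config>
  <remote><connection>secure</connection><port>1514</port><protocol>tcp,udp</protocol><allowed-ips>0.0.0.0/0</allowed-ips></remote>
  <remote><connection>syslog</connection><port>2514</port><protocol>tcp</protocol><allowed-ips>0.0.0.0/0</allowed-ips></remote>
  <remote><connection>syslog</connection><port>2514</port><protocol>udp</protocol><allowed-ips>10.0.0.0/8</allowed-ips></remote>
</ossec_config>"""

# Constructed compose "ports:" entries; 2514 is published for TCP only, like the k8s report above.
COMPOSE_PORTS = ["2514:2514/tcp", "1514:1514", "1515:1515", "55000:55000"]


def published_ports(entries):
    """Expand compose 'host:container[/proto]' strings into {(container_port, proto)}.
    Docker publishes TCP only when no /proto suffix is given, so a UDP listener
    behind a bare 'port:port' mapping is unreachable. Port ranges are not handled."""
    out = set()
    for entry in entries:
        mapping, _, proto = entry.partition("/")
        out.add((int(mapping.split(":")[-1]), (proto or "tcp").lower()))
    return out


def check_listeners(ossec_xml, compose_entries):
    """Cross-check every <remote> listener against the published ports.
    Returns human-readable findings; an empty list means everything lines up."""
    exposed = published_ports(compose_entries)
    findings = []
    for remote in ET.fromstring(ossec_xml).iter("remote"):
        conn = remote.findtext("connection", "").strip()
        port = int(remote.findtext("port", "1514"))  # assumed Wazuh default
        protos = [p.strip().lower() for p in remote.findtext("protocol", "tcp").split(",")]
        allowed = remote.findtext("allowed-ips", "").strip()
        for proto in protos:
            if (port, proto) not in exposed:
                findings.append(f"{conn} listener {port}/{proto} is not published by compose")
        # wazuh-remoted terminates syslog itself (see the 'Listening on port 2514/TCP (syslog)'
        # log lines above), so allowed-ips is the only access control on that path.
        if conn == "syslog" and allowed == "0.0.0.0/0":
            findings.append(f"syslog listener {port} accepts any source ({allowed}); narrow allowed-ips")
    return findings


if __name__ == "__main__":
    for finding in check_listeners(OSSEC_CONF, COMPOSE_PORTS):
        print(finding)
```

Adding "2514:2514/udp" (and "1514:1514/udp" for agents over UDP) to the compose ports clears the "not published" findings.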
