
WordPress rendered form of this page: https://bluewolfninja.com/slugtest/

Probably the majority of log messages fed into Wazuh SIEMs are collected and conveyed by Wazuh agents. However, there is a rich source of log messages that the Wazuh agent service cannot natively collect — syslog messages transmitted across the network. These most commonly arrive from devices such as routers, firewalls, access points, switches, and other network appliances on which Wazuh agent cannot be installed. Some computer applications and cloud services send them as well. An especially robust way to funnel these syslog network messages into your Wazuh SIEM is with one or more appropriately located Linux hosts configured to use rsyslog to locally receive the syslog messages and then Wazuh agent to securely and reliably forward them along to the Wazuh Server for analysis and storage.


Setting up Wazuh Syslog Relay Hosts

Location

To protect privacy and minimize message loss, it is best to have a syslog relay host at each physical site where you have syslog-sending devices, since in most cases those devices will be using the cleartext and unreliable UDP protocol for syslog message transport. You do not generally need a syslog relay host on every VLAN or subnet, but it is best to avoid pushing syslog messages across WAN links, VPN tunnels, or congested/lossy network paths. Make sure that any firewalls, routers, or layer 3 switches along the path between the syslog senders and the syslog relay hosts will permit the syslog messages to pass through.

Types of relay hosts and resource requirements

Memory and CPU requirements are quite low for syslog relay hosts. The main disk I/O will involve just appending syslog messages to a queue file. Disk storage needs to be large enough to accommodate the queue file as it grows until its next periodic deletion (usually daily). A small Linux virtual machine can serve this purpose quite well. A dedicated physical Linux host, even as small as a Raspberry Pi, should be able to handle relaying even a large volume of syslog messages. It may also be quite reasonable to add the syslog relay role to a Linux server also serving other purposes.

Local configuration of relay hosts

Linux firewall

If enabled, make sure that the Linux firewall (iptables, ufw, firewalld) on each syslog relay host is configured to allow incoming TCP and UDP port 514 packets from on-site devices.

Rsyslog configuration

Uncomment these lines in /etc/rsyslog.conf to enable the UDP and TCP port 514 network listeners:


```
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
```

Then restart rsyslog so the listeners come up:

```
systemctl restart rsyslog
```


Create the additional config file /etc/rsyslog.d/10-wazuh.conf:

```
template(name="ForwardFormat" type="list") {
    property(name="timegenerated" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on" )
    property(name="msg")
    constant(value="\n")
}

# Write network syslog records to disk and process them no further
if $inputname == "imudp" or $inputname == "imtcp" then /var/log/syslogtowazuh;ForwardFormat
& stop
```
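To see what the relay actually writes, here is an added Python model of the ForwardFormat template above. It is not code from the original post and not rsyslog's own code: it splits a raw RFC 3164 datagram into the rsyslog properties the template references (hostname, syslogtag, msg), renders the record the way the template does, including the spifno1stsp="on" rule that inserts a space only when msg does not already start with one, and parses the written line back into fields. The two sample datagrams and the fixed timestamp are constructed, and the header regex assumes the common "Mmm dd hh:mm:ss host tag: text" shape; real devices vary in how closely they follow RFC 3164.

```python
import re
from datetime import datetime, timezone

# Leading <PRI> of an RFC 3164 datagram; PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# "Mmm dd hh:mm:ss host tag[pid]:rest". rsyslog's legacy parser keeps
# everything after the tag, including any leading space, as the 'msg'
# property; that is why the template needs spifno1stsp.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?:?)"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# One line of /var/log/syslogtowazuh as ForwardFormat writes it.
RECORD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")

# Fixed 'timegenerated' so the rendered records are reproducible (constructed).
DEMO_TIME = datetime(2024, 3, 9, 4, 5, 6, 123456, tzinfo=timezone.utc)

# Constructed sample datagrams: a firewall's sshd line (tag followed by a
# space) and a switch line whose tag is glued to the text (no space).
SAMPLES = [
    "<38>Mar  9 04:05:06 fw01 sshd[2345]: Failed password for invalid user "
    "admin from 10.0.0.5 port 5555 ssh2",
    "<134>Mar  9 04:05:07 sw01 link:Port 3 up",
]


def parse_rfc3164(raw: str) -> dict:
    """Split a raw datagram into the rsyslog properties the template uses."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    h = HEADER_RE.match(raw[m.end():])
    if not h:
        raise ValueError("datagram header is not RFC 3164 shaped")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": h.group("host"),
        "syslogtag": h.group("tag"),
        "msg": h.group("msg"),
    }


def forward_format(props: dict, timegenerated: datetime) -> str:
    """Render one record exactly as template(name="ForwardFormat") does."""
    msg = props["msg"]
    # spifno1stsp="on": emit a space only if msg does not already start
    # with one, so tag and text are separated by exactly one space.
    sep = "" if msg.startswith(" ") else " "
    return (
        timegenerated.isoformat(timespec="microseconds")  # dateFormat="rfc3339"
        + " " + props["hostname"]
        + " " + props["syslogtag"]
        + sep + msg
        + "\n"
    )


def parse_record(line: str) -> dict:
    """Read one written line back into fields, i.e. what the Wazuh agent
    will pick up from the relay file and ship on to the server."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("line does not match ForwardFormat layout")
    return m.groupdict()


def relay(raws, timegenerated: datetime = DEMO_TIME) -> list:
    """Render a batch of datagrams into the records the relay file gets."""
    return [forward_format(parse_rfc3164(r), timegenerated) for r in raws]


if __name__ == "__main__":
    for rec in relay(SAMPLES):
        print(rec, end="")
        print("   ->", parse_record(rec))
```

Running it shows why the template emits msg twice with spifno1stsp on the first copy: the sshd line already carries a space after its tag and gets none added, while the "link:Port 3 up" line gets one, so every record lands in /var/log/syslogtowazuh with the same single-space layout and a downstream decoder can split it reliably.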
