Syslog configuratoin with wazuh

cyber_monkey · February 29

Hi all,

I'm trying to configure syslogs to send to my wazuh SIEM server. However I'm not having any luck. I've reached out to wazuh support for help on their end, but I think i need information on the format of syslogs in order to decode the input for wazuh's usage.

Does anyone know the format of the syslogs as they send over? Anyone know where I can look?

cyber_monkey · March 1

Turns out the logging level wasn't high enough. I changed it to warning instead of emergency. I am indeed receiving packets to my VM now. I just need to work on the other side to make sure it's handling them properly.

Arkwright · March 4

Bear in mind that every event type can be configured differently for frequency of logging.

BWC · February 29

@cyber_monkey there is a Reference Guide for the Events, but for me it wasn't very helpful, maybe you have better luck.

https://www.sonicwall.com/techdocs/pdf/SonicOS-X_7.0.1_LogEvents_ReferenceGuide.pdf

--Michael@BWC

Arkwright · March 1

syslog is not encrypted so you can determine the format PDQ with a packet capture.

cyber_monkey · March 4

So at the end of the day it ended up being a few things. My wazuh configuration was trying to use TCP when syslog uses UDP. Things are now showing up properly!

MustafaA · March 4

Hi @cyber_monkey

Did you use a custom message decoder or does it come built-in with the Wazuh server?

cyber_monkey · March 4

https://community.sonicwall.com/technology-and-support/discussion/comment/20686#Comment_20686

I'm using the built-in message decoder. I didn't realize there was one at first. I ended up deleting the decoder I had made.

Join the Conversation

Syslog configuratoin with wazuh

Best Answers

Answers