Syslog configuration with Wazuh
Hi all,
I'm trying to configure syslogs to send to my Wazuh SIEM server. However, I'm not having any luck. I've reached out to Wazuh support for help on their end, but I think I need information on the format of syslogs in order to decode the input for Wazuh's usage.
Does anyone know the format of the syslogs as they send over? Anyone know where I can look?
Best Answers
cyber_monkey
Turns out the logging level wasn't high enough. I changed it to warning instead of emergency. I am indeed receiving packets to my VM now. I just need to work on the other side to make sure it's handling them properly.
Arkwright
Bear in mind that every event type can be configured differently for frequency of logging.
Answers
@cyber_monkey, there is a Reference Guide for the Events, but for me it wasn't very helpful; maybe you'll have better luck.
--Michael@BWC
Syslog is not encrypted, so you can determine the format PDQ with a packet capture.
So at the end of the day it ended up being a few things. My Wazuh configuration was trying to use TCP when syslog uses UDP. Things are now showing up properly!
Hi @cyber_monkey,
Did you use a custom message decoder or does it come built-in with the Wazuh server?
I'm using the built-in message decoder. I didn't realize there was one at first. I ended up deleting the decoder I had made.
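An added example (not from any poster, and not Wazuh's own decoder) that ties together the three things the thread settled on: what a raw BSD-style syslog line looks like on the wire, why a sender set to "emergency" produces almost nothing, and receiving over UDP. It assumes RFC 3164 framing; the sample lines, the host `fw01` and the addresses are constructed placeholders.

```python
import re
import socket

# RFC 5424 severity names, indexed by numeric severity (0 = most urgent).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# BSD-style (RFC 3164) line: optional <PRI>, optional "Mmm dd hh:mm:ss host ", then the body.
_RFC3164 = re.compile(
    rb"^(?:<(?P<pri>\d{1,3})>)?"
    rb"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    rb"(?P<msg>.*)$", re.DOTALL)

def parse_syslog(datagram: bytes) -> dict:
    """Decode one raw datagram into facility, severity, host and message."""
    m = _RFC3164.match(datagram.rstrip(b"\r\n"))
    pri = int(m.group("pri")) if m.group("pri") else 13  # RFC 3164 default: user.notice
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    host = m.group("host")
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "host": host.decode(errors="replace") if host else None,
            "msg": m.group("msg").decode(errors="replace")}

def passes_threshold(severity: str, sender_level: str) -> bool:
    """True if a message of `severity` is emitted when the sender's level is `sender_level`.
    Lower numbers are more urgent, so a sender set to 'emergency' drops everything else."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(sender_level)
# Constructed sample lines in the key=value style many firewalls use (not real captures).
SAMPLES = [
    b'<132>Jan  5 10:22:01 fw01 id=firewall msg="Connection Opened" src=10.0.0.5 dst=10.0.0.9',
    b'<128>Jan  5 10:22:07 fw01 id=firewall msg="System restart"',
]

def filtered_samples(sender_level: str) -> list:
    """Which SAMPLES would actually leave a sender configured at `sender_level`."""
    parsed = [parse_syslog(d) for d in SAMPLES]
    return [p for p in parsed if passes_threshold(p["severity"], sender_level)]

def listen_udp(bind="0.0.0.0", port=514, count=1):
    """Receive `count` datagrams over UDP (the transport the thread settled on) and decode them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        for _ in range(count):
            data, (src, _port) = s.recvfrom(8192)
            yield src, parse_syslog(data)
```

`filtered_samples("emergency")` returns only the `<128>` line, which is the "no packets arriving" symptom from the first post; `listen_udp` binds port 514, which needs root or the bind capability, so use a high port when testing.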