Forward syslog events

Wazuh agents can run on a wide range of operating systems, but when this is not possible due to software incompatibilities or business restrictions, you can forward syslog events to your environment. This is a common use case for network devices such as routers or firewalls.

Since all communication with your environment goes through the Wazuh agent, you must configure the agent to forward the syslog events. To do so, you have these options:

Rsyslog on Linux

Use rsyslog on a Linux endpoint with a Wazuh agent to log to a file and send those logs to the environment.

  1. Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file.

    • For TCP:

      $ModLoad imtcp
      $InputTCPServerRun <PORT>
      
    • For UDP:

      $ModLoad imudp
      $UDPServerRun <PORT>
      

    Make sure to review your firewall/SELinux configuration to allow this communication.

  2. Configure rsyslog to forward events to a file by editing the /etc/rsyslog.conf file.

    # Storing Messages from a Remote System into a specific File
    if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<FILE_NAME.log>
    & ~
    

    To perform the following steps, make sure to replace <FILE_NAME.log> with the name chosen for this log.

  3. Deploy a Wazuh agent on the same endpoint with rsyslog installed.

  4. Configure the agent to read the syslog output file by editing the /var/ossec/etc/ossec.conf file.

    <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/<FILE_NAME.log></location>
    </localfile>
    
  5. Run the commands below to restart rsyslog and the Wazuh agent:

    # systemctl restart rsyslog
    # systemctl restart wazuh-agent
    
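    The following script is an added example and not part of the Wazuh documentation. It builds an RFC 3164 syslog record the way a network device would, sends it to the rsyslog listener from step 1, and models how the routing rule from step 2 decides which file a record lands in. The host, port and IP values are constructed sample values; rsyslog's `startswith` is a plain string-prefix test, so the model also shows the `==` comparison as the stricter alternative.

```python
import socket

def build_rfc3164(facility: int, severity: int, hostname: str, tag: str,
                  msg: str, timestamp: str = "Jan  1 00:00:00") -> bytes:
    """RFC 3164 frame: <PRI>TIMESTAMP HOSTNAME TAG: MSG, with PRI = facility*8 + severity.
    This is the shape the Wazuh agent's syslog log_format expects to find in the file."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()

def send_test_event(host: str, port: int, payload: bytes, tcp: bool = False) -> None:
    """Deliver one record to the rsyslog listener (imtcp or imudp) configured in step 1.
    imtcp expects newline-terminated records; imudp takes one record per datagram.
    $fromhost-ip is the peer address of this socket, not the HOSTNAME field in the
    message, so routing cannot be steered by the message body. UDP source addresses
    are spoofable, so prefer TCP where the device supports it."""
    if tcp:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))

def route(fromhost_ip: str, remote_device_ip: str, exact: bool = False) -> str:
    """Model of the step 2 rule:
        if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<FILE_NAME.log>
        & ~
    startswith is a string-prefix test, so '10.0.0.1' also matches 10.0.0.10-10.0.0.19
    and 10.0.0.100-10.0.0.199; exact=True models `$fromhost-ip == 'REMOTE_DEVICE_IP'`.
    Returns which destination the record reaches."""
    if exact:
        matched = fromhost_ip == remote_device_ip
    else:
        matched = fromhost_ip.startswith(remote_device_ip)
    if matched:
        return "device.log"   # written to the device file, then discarded by `& ~`
    return "default"          # falls through to the remaining rsyslog rules

if __name__ == "__main__":
    # Constructed sample values: the rsyslog host from step 1 and a firewall record.
    record = build_rfc3164(4, 6, "fw01", "kernel", "test event from fw01")
    send_test_event("127.0.0.1", 514, record, tcp=True)
    # Check /var/log/<FILE_NAME.log> on the rsyslog host for the record afterwards.
    print(route("10.0.0.10", "10.0.0.1"))             # device.log (prefix match)
    print(route("10.0.0.10", "10.0.0.1", exact=True))  # default
```

If the rule must match a single device, use `==` in /etc/rsyslog.conf rather than `startswith`, or pad the prefix so it cannot match longer addresses.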

Logstash on Windows

Use Logstash on a Windows endpoint with a Wazuh agent to receive syslog, log to a file, and send those logs to the environment.

  1. Install Logstash.

    1. Download the Logstash ZIP package.

    2. Extract the ZIP contents into a local folder, for example, to C:\logstash\.

  2. Configure Logstash.

    Create the following file: C:\logstash\config\logstash.conf

    input {
       syslog {
          port => <PORT>
       }
    }
    
    output {
       file {
          path => "C:\logstash\logs\<FILE_NAME.log>"
          codec => "line"
       }
    }
    

    Make sure to replace <FILE_NAME.log> with the name chosen for this log.

  3. Deploy a Wazuh agent on the same endpoint that has Logstash.

  4. Configure the Wazuh agent to read the Logstash output file by adding the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file:

    <ossec_config>
    <localfile>
       <log_format>syslog</log_format>
       <location>C:\logstash\logs\<FILE_NAME.log></location>
    </localfile>
    </ossec_config>
    
  5. Restart Logstash.

    1. Run Logstash from the command line:

      C:\logstash\bin\logstash.bat -f C:\logstash\config\logstash.conf
      
    2. Install Logstash as a Windows Service using either NSSM or Windows Task Scheduler.

  6. Restart the Wazuh agent. If you are running PowerShell, use the following command:

    Restart-Service Wazuh