ossec.conf file modification <connection>syslog</connection> exit code error #14501
Comments
Hi @vijayabaskar000, welcome to the Wazuh community! Could you tell me more about this issue? Do you have any problem sending syslog messages to Wazuh? Regards
Hi,
First of all, thank you very much for your quick response.
As per the Wazuh documents, to receive syslog messages we have to edit the
ossec.conf file with <connection>syslog</connection>, but the default in the
conf file is secure (instead of syslog).
When we change the file to syslog, wazuh-manager is giving an error exit code.
Since we are not able to change the conf file, we are not receiving syslog
messages in Wazuh.
Regards,
vijay
Hi @vijayabaskar000, the other block, the syslog block, is used to receive messages with the syslog protocol. For example, if you want to receive syslog messages on port 514, via the tcp protocol, from the 192.168.1.0/24 network, then you should add a configuration block to the ossec.conf file like the following:

```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
</remote>
```

Please let me know if you found this helpful.
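The mistake in this thread (the only `<remote>` block was changed from `secure` to `syslog` instead of a second block being added) is easy to catch with a quick configuration check. The following script is an added example, not Wazuh's own code or tooling: it parses the `<remote>` blocks of an ossec.conf (which may contain several top-level `<ossec_config>` elements, so the text is wrapped in a synthetic root first) and reports a missing mandatory `secure` block, a `syslog` block without `<allowed-ips>`, and two blocks competing for the same port/protocol. The two sample configurations are constructed for the example; the 1514/tcp secure listener is an assumption about the default, not taken from this thread.

```python
# Added example (not Wazuh's own code): sanity-check the <remote> blocks of an
# ossec.conf. Keeps the mandatory "secure" (agent) block and adds a "syslog"
# block, as in the fix that resolved the thread.
import xml.etree.ElementTree as ET

# Constructed sample: the working layout (secure block kept, syslog block added).
# The secure block's port/protocol here are an assumption for the example.
GOOD_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample reproducing the original mistake: the single remote block
# was edited from secure to syslog, so no secure block is left.
BAD_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>
"""


def parse_remote_blocks(conf_text):
    """Return every <remote> block as a dict of child-tag -> text."""
    # ossec.conf may hold several top-level <ossec_config> elements, which is
    # not well-formed XML by itself, so wrap the file in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{child.tag: (child.text or "").strip() for child in remote}
            for remote in root.iter("remote")]


def check_remote_blocks(conf_text):
    """Return a list of findings; an empty list means the layout looks sane."""
    findings = []
    blocks = parse_remote_blocks(conf_text)

    # The secure block is mandatory: it is how agents reach the manager.
    if not any(b.get("connection") == "secure" for b in blocks):
        findings.append("missing mandatory <connection>secure</connection> "
                        "remote block; add a separate syslog block instead "
                        "of replacing the secure one")

    # A syslog block only accepts sources listed in <allowed-ips>.
    for b in blocks:
        if b.get("connection") == "syslog" and "allowed-ips" not in b:
            findings.append("syslog remote block has no <allowed-ips>; "
                            "no source network is permitted to send logs")

    # Two listeners on the same port/protocol cannot both bind.
    seen = {}
    for b in blocks:
        key = (b.get("port", ""), b.get("protocol", "udp"))
        if key in seen and seen[key] != b.get("connection"):
            findings.append("remote blocks %s and %s both use %s/%s"
                            % (seen[key], b.get("connection"), *key))
        seen[key] = b.get("connection")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, "->", check_remote_blocks(conf) or "ok")
```

Run it against a real file with `check_remote_blocks(open("/var/ossec/etc/ossec.conf").read())`; the path is the documented default install location and is assumed here.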
Hi Julian Morales,
Thank you very much, now this issue is solved. I have kept the remote block for
secure and added another remote block for syslog. Wazuh is stable.
I am still not receiving OPNsense logs; let me check other documents and
diagnose the problem. If you have any links, please let me know.
Regards,
vijay
On Mon, Aug 8, 2022 at 7:26 PM Julian Morales wrote:
> Hi @vijayabaskar000,
> The remote block specifies how the events arrive at the manager. There
> are 2 types of remote
> <https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html>
> block, the secure and the syslog. The secure one indicates on which port
> Wazuh-Manager must listen for the encrypted connections with the agents, and it
> is mandatory; you should not delete this block.
> For example, if you want to receive syslog messages on port 514, via the tcp
> protocol, from the 192.168.1.0/24 network, then you should add a
> configuration block to the ossec.conf file like the following:
>
> ```xml
> <remote>
>   <connection>syslog</connection>
>   <port>514</port>
>   <protocol>tcp</protocol>
>   <allowed-ips>192.168.1.0/24</allowed-ips>
> </remote>
> ```
>
> Please let me know if you found this helpful.
Glad to hear Wazuh is running! I think the remote block documentation may be useful. But I would also like to offer you some tips on how to diagnose the problem. I think the first step is to verify that Wazuh has the proper port and protocol configured. For this you can use the nmap tool, which allows you to test if the port is open. Suppose you want to test that port 514/tcp is open. Then you can launch the following command (as root from the manager):
If the port is closed it should have an output like the following:
And if the port is open it should have an output like the following:
Then, if the port is open, you could do the same test from a remote host, preferably from your pfSense server or from a device on the same network, replacing localhost with the IP of the manager. This way you can find out if an intermediate firewall is blocking the logs from reaching the manager. If you can see the open port from the remote host, then you can send logs. But keep in mind that not all logs will generate alerts, i.e. you will not see all logs in Kibana but only those that generate alerts.
If you force the generation of logs, this will help you to know if they are arriving. Note that the logall_json configuration should be temporary and enabled for testing purposes only, as storing all logs received from all agents can be a waste of memory. Please let me know if you found this helpful.
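The two diagnosis steps above (is the syslog port reachable, and do test messages actually arrive) can be scripted without nmap. The following is an added example, not Wazuh's tooling and not the commands the comment refers to: `check_tcp_port` does the same reachability test as a TCP connect scan, `build_syslog_message` formats an RFC 3164 style line, and `local_roundtrip` starts a throwaway local TCP listener that stands in for the manager's syslog port so the whole flow can be exercised offline. The hostname, tag and message text are constructed values; against a real manager you would call `check_tcp_port` and `send_syslog_tcp` with the manager's IP and the port from the syslog `<remote>` block, then look for the line in the log output that logall_json produces.

```python
# Added example (not Wazuh's own tooling): reachability check plus a test
# syslog line over TCP, with a local listener standing in for the manager.
import socket
import threading
import time


def check_tcp_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds (port open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered/timed out, unreachable
        return False


def build_syslog_message(msg, hostname="testhost", tag="wazuh-test",
                         facility=1, severity=6):
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: msg.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (info)
    give <14>. Constructed defaults, chosen for the example.
    """
    pri = facility * 8 + severity
    timestamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}\n".encode()


def send_syslog_tcp(host, port, line, timeout=2.0):
    """Send one syslog line over TCP; returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line)
    return len(line)


def closed_local_port():
    """Return a loopback port that is currently not listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def local_roundtrip(msg="test log from added example"):
    """Stand-in for the manager: listen on an ephemeral loopback port, run the
    reachability check, send a test line and return what was received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))      # ephemeral port, no root needed
    server.listen(2)
    port = server.getsockname()[1]
    received = []

    def accept_until_data():
        # The reachability check opens and closes an empty connection first,
        # so keep accepting until a connection carries data.
        while not received:
            conn, _ = server.accept()
            with conn:
                data = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
            if data:
                received.append(data)

    t = threading.Thread(target=accept_until_data, daemon=True)
    t.start()
    try:
        if not check_tcp_port("127.0.0.1", port):
            return ""                  # would mean a firewall/bind problem
        send_syslog_tcp("127.0.0.1", port, build_syslog_message(msg))
        t.join(timeout=5)
    finally:
        server.close()
    return received[0].decode() if received else ""


if __name__ == "__main__":
    print("closed port reachable:", check_tcp_port("127.0.0.1", closed_local_port()))
    print("received:", local_roundtrip().strip())
```

A refused connection from the manager itself means the `<remote>` block is not active (check the wazuh-manager log after restarting); a timeout from the remote host while the local check succeeds points to a firewall in between, which is the case the comment describes.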