ossec.conf file modifitaion <connection>syslog</connection> exit code error

[vijayabaskar000]

Affected integration with opnsense
syslog message receiving from OPNSENSE..

Description

Tasks

• Test in a manager.
• Test in an agent.
• Unit tests without failures. Updated if there are any relevant changes.
• Integration tests without failures. Updated if there are any relevant changes.
• Update the documentation if necessary.
• Add entry to the changelog if necessary.

[juliancnn]

Hi @vijayabaskar000 ,

Welcome to the Wazuh community! could you tell me more about this issue? Do you have any problem sending syslogs messages to Wazuh?

Regards

[vijayabaskar000]

Hi, first of all thank you very much for your quick response as per wazuh documents, to receive syslog message, we have to edit ossec.conf file with <connection>syslog</connection>, but default on the conf file is secure (instead of syslog). when we change the file to syslog, wazuh-manager is giving error exit code. since not able to change the conf file, we are not receiving syslog messages to wazuh. Regards, vijay

…

On Mon, Aug 8, 2022 at 3:20 AM Julian Morales ***@***.***> wrote: Hi @vijayabaskar000 <https://github.com/vijayabaskar000> , Welcome to the Wazuh community! could you tell me more about this issue? Do you have any problem sending syslogs messages to Wazuh? Regards — Reply to this email directly, view it on GitHub <#14501 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AV4G2OBJKXL3ZSTNFZDNEC3VYAVRNANCNFSM552IY36A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[juliancnn]

Hi @vijayabaskar000,

The remote block, specifies how the events arrive to the manager. There are 2 types of remote block, the secure and the syslog. The secure one indicates in which port Wazuh-Manager must listen the encrypted connections with the agents, and it is mandatory, you should not delete this block.

The other block, the syslog block, is used to receive messages with the syslog protocol. For example, if you want to receive syslog messages on port 514, via tcp protocol from the 192.168.1.0/24 network, then you should add a configuration block to the ossec.conf file like the following:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
</remote>

Please let me know if you found this helpful.

[vijayabaskar000]

Hi Julian Morales thank you very much, now this issue is solved, have kept remote block of secure and added another remote block of syslog. wazuh is stable. still not receiving opnsense logs, let me check other documents and diagnose the problem, if you have any links, please let me know Regards, vijay

…

On Mon, Aug 8, 2022 at 7:26 PM Julian Morales ***@***.***> wrote: Hi @vijayabaskar000 <https://github.com/vijayabaskar000>, The remote block, specifies how the events arrive to the manager. There are 2 types of remote <https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/remote.html> block, the secure and the syslog. The secure one indicates in which port Wazuh-Manager must listen the encrypted connections with the agents, and it is mandatory, you should not delete this block. For example, if you want to receive syslog messages on port 514, via tcp protocol from the 192.168.1.0/24 network, then you should add a configuration block to the ossec.conf file like the following: <remote> <connection>syslog</connection> <port>514</port> <protocol>tcp</protocol> <allowed-ips>192.168.1.0/24</allowed-ips> </remote> Please let me know if you found this helpful. — Reply to this email directly, view it on GitHub <#14501 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AV4G2ODUX5RNWFCY73VNFODVYEGY3ANCNFSM552IY36A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[juliancnn]

Glad to hear wazuh is running!

I think the remote block documentation may be useful. But I would also like to offer you some tips on how to diagnose the problem.

I think the first step is to verify that the wazuh has the proper port and protocol configured. For this you can use the nmap tool, which allows you to test if the port is open. Suppose you want to test that port 514/tcp is open. Then you can launch the following command (as root from the manager):

# nmap localhost -p 514

If the port is closed it should have an output like the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-09 14:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).

PORT    STATE  SERVICE
514/tcp closed shell

And If the port is open it should have an output like the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-09 14:04 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).

PORT    STATE  SERVICE
514/tcp open shell

Then, if the port is open, you could do the same test from a remote host, preferably from your pfsense server or from a device on the same network, replacing the localhost by the ip of the manager. This way you can find out if an intermediate firewall is blocking the logs from reaching the manager.

If you can see the open port from the remote host, then you can send logs. But keep in mind that not all logs will generate alerts, i.e. you will not see all logs in Kibana but only those that generate alerts.
You could activate <logall_json> (changing no with yes) in the ossec.conf in the manager (must restart the service to apply changes) to see in archives every log reaching the manager and also what it is doing with each log.
Once you have activated logall_json you can see new logs arriving (in real time) at the manager with tail command:

tail -f /var/ossec/logs/archives/archives.json

If you force the generation of logs, this will help you to know if they are arriving. Note that the logall_json configuration should be temporary and enabled for testing purposes only, as storing all logs received from all agents can be a waste of memory.

Please let me know if you found this helpful.