Syslog and Wazuh - Let's Build A Host Intrusion Detection System

47,056 views

Taylor Walton

A day ago

Join me as we configure your Wazuh Manager to receive Syslog output. Receive your Firewall logs! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Check us out: www.opensecure...
Interact with our demo: www.opensecure...
Hire us: www.opensecure...

Comments: 56
@lamarlewis7638 2 years ago
Great work on the video. Thank you for saving me some time! 😊
@TheMeshal20 2 years ago
Thanks so much, can you make a video to integrate pfSense firewall and Email server
@MrBitviper 3 years ago
Thanks for the concise and clear video, much appreciated
@AnthonyElabed 6 months ago
Amazing video, thank you so much, you are a life saver for a project I'm working on!! For Linux users, remember that the logs on your client are stored in /var/log/syslog
@iDjDepp 2 years ago
Great video, really helped set up the transmission. You mentioned transferring data from network devices such as Cisco. Maybe there are ready-made dashboard templates and how to process this data?
@chinatu10 a year ago
Great video, but do you have a video that integrates with EDR solutions?
@kamarul-p7f 8 months ago
Hope for the next video: FortiGate sync with Wazuh
@brunobustos1368 10 months ago
How are you, very good video, but I want to know how I can integrate an Imperva WAF with Wazuh via syslog, so that the events show up in the dashboard.
@lucasblanchard5885 a month ago
Ty, but now do I need to create rules or a decoder in Wazuh?
@chadmarkley 2 years ago
Great video!! I used your Docker video to get the Wazuh cluster set up and running. Works great. Question. Under Settings and Configuration, I don't seem to have the "edit configuration" option. Any idea how I can get that to show up? Having that would be SO MUCH EASIER than trying to do it from inside the docker container using VI! Thanks
@chadmarkley 2 years ago
NM, found it!
@arifbudiman7754 2 years ago
Great video man, thanks for the insight 😊
@taylorwalton_socfortress 2 years ago
Thanks for watching :)
@jg1000c 3 months ago
Works the same with Docker Wazuh?
@rakeshbaboeram1808 a year ago
Hi Taylor. Thanks for a great video. I've been able to set up syslog on a firewall and a Linux machine. I see the syslog packets hitting the Wazuh Manager. Unfortunately, I don't see any alerts in "Discover". Any ideas what I'm doing wrong?
@seyladamarisgomez7488 a year ago
Hi Rakesh! Did you continue with this problem? Regards.
@rakeshbaboeram1808 a year ago
@seyladamarisgomez7488 Unfortunately not
@ryanhall5059 a year ago
I'm on a fresh install and having this issue also. I have pulled up Wireshark and confirmed syslog is being sent to the server. Just nothing shows up.
@muharaveen46 a year ago
Hi! I'm having the issue "Kibana service is not ready yet". Am I doing something wrong?
@syedomairmasood6785 a year ago
Can you paste all the commands that are in your notepad?
@fahmi8999 10 months ago
Do you have videos that share how to develop Wazuh SIEM dashboard?
@kamarul-p7f 8 months ago
It's easy, you can follow the documentation
@huseyinozer2737 a year ago
Hello, first of all thanks for the video. Syslogs from Synology do not appear in Wazuh. When I listen on port 514, I see messages coming in, but the messages do not appear in the Discover section. It was written in some forums that it could not be solved because it comes in RFC 3164 message format. When I paste the log into the test decoder section, I get the error "decoder not found". Any idea?
@tamaskiss6379 8 months ago
Hi, I have this problem too. Did you find any solution?
@numanmaavia8575 3 years ago
Hey Open Secure, make a video on how to integrate Azure Activity log into Wazuh. Thanks
@taylorwalton_socfortress 3 years ago
Hey Numan, good idea, I will look to make that possible! Thanks for watching
@streetechco123 a year ago
Dear Taylor, what happens if the server is full with logs? How do you delete the logs that are on the Wazuh server?
@JeDeXxRioProKing 3 years ago
Great content, thanks for the video
@taylorwalton_socfortress 3 years ago
Hey Sefraoui, thanks for watching!
@Samran_Shahzad 8 months ago
Hi, can anyone tell me how I can confirm that my Linux rsyslog is coming into the Wazuh dashboard, how do I check that?? How do I configure rsyslog on Kali Linux without adding it as an agent??
@safwanshahjehan7434 3 years ago
Hey, great video! Do you have any tutorials on viewing Apache logs in Wazuh?
@taylorwalton_socfortress 3 years ago
Hey Safwan, I have not done a video regarding Apache specifically, but the process should be the same. If you have a wazuh-agent running on your Apache server, configure this block in the ossec.conf: syslog /path/to/apache.log. There are already decoders built for Apache logs, so you should start to see results after you restart the wazuh-agent. Hope that helps and thanks for watching!
@jasonmichel1946 3 years ago
Can you add multiple address ranges for allowed IPs in the same block, or do you have to create a new block for each entry for syslog?
@taylorwalton_socfortress 3 years ago
Hey Jason, you will need to add a new 192.168.2.0/24 block that details the new CIDR range. Thanks for watching!
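The two replies above (the localfile block for an Apache log on the agent, and a further allowed-ips range on the manager's syslog listener) put together as an added example; this is not configuration from the video or from the Wazuh project. The port, the protocol, both CIDR ranges and the Apache log path are assumptions chosen for illustration. Wazuh accepts several allowed-ips elements inside one remote block, so a second trusted range is another element, not a second listener.

```xml
<!-- Added example, not from the video. Manager side: /var/ossec/etc/ossec.conf -->
<ossec_config>
  <!-- Remote syslog listener. Only sources inside an allowed-ips range are
       accepted; everything else is dropped before it reaches the decoders.
       Add one allowed-ips element per trusted CIDR (ranges are assumptions). -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
    <allowed-ips>192.168.2.0/24</allowed-ips>
  </remote>

  <!-- Write every received event to archives.json, whether or not a decoder
       matched it. Handy while you are building decoders; it is noisy, so turn
       it back off once the decoders and rules are in place. -->
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

<!-- Agent side: ossec.conf on the host that runs Apache (log path is an assumption).
     The built-in Apache decoders match lines collected with the syslog format. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
```

After editing, restart the manager (systemctl restart wazuh-manager) or the agent (systemctl restart wazuh-agent) so the new blocks are loaded; a syslog packet from a source outside every allowed-ips range is silently discarded, which is the first thing to check when packets are visible on the wire but nothing appears in archives.json.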
@arunr039 3 years ago
Great video. I have a question: how do I get application logs (API/HTTP) into Wazuh and how do I visualize them in Kibana? Thanks in advance
@taylorwalton_socfortress 3 years ago
Hey Arun, you will need to enable the logs to be forwarded to the Wazuh manager. We did something similar with nginx logs here: kzbin.info/www/bejne/n3mpi2CHebmLbNE Let me know if you have other questions and thanks for watching!
@DannyDi84 a year ago
As far as I know, syslogs are sent in plain text, so I guess it wouldn't be recommended to use this method when the Wazuh Server is on a hosted VM in another Network. Is there a solution to this?
@oliveiras.de.emerson 2 years ago
I love you guy
@SagarBorkute-i5x a year ago
I am unable to use the public IP addresses. My syslog server is located on a different AWS server and the Wazuh manager is located in a different location. So how do I connect these with the public IP address? I am unable to use the public address in the Wazuh conf file.
@zedtrek 8 months ago
Not sure it would be a good idea to expose that kind of traffic anyway. I would use a VPN..
@TheT8T 2 years ago
I am missing something... I have configured my FortiGate to forward logs to the Wazuh Manager. I see them in archives.json and archives.log. I do not see them in the Wazuh dashboard. Following another tutorial that has since been taken down from YT, it has 2 decoder files installed. What am I missing?
@taylorwalton_socfortress 2 years ago
Hey Chris, if it is writing to the archives.json then that is telling me Wazuh is receiving the logs, so that's good. What it is probably lacking is a decoder and rule to match on the ingested logs. Only logs that are matched are written to the alerts.json file, which allows you to view them in Kibana. A good way to test is to copy the log entry within the archives.json, run /var/ossec/bin/ossec-logtest, paste in the copied log entry, and see what Wazuh outputs. From there you can start to build decoders and rules to match. Hope this helps!
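The workflow in the reply above (the event is in archives.json but no alert appears, so a decoder and a rule are needed and logtest is the place to check them) carried through as an added example that is not from the video or the Wazuh project. The firewall, its "examplefw" program name, the sample log line, the field layout and the rule IDs are all constructed for illustration; the rule IDs sit in the 100000+ range reserved for local rules.

```xml
<!-- Added example, not from the video. Constructed sample event as the syslog
     listener receives it (the host, program name and addresses are invented):
       Jan  1 12:00:00 fw01 examplefw: action=deny src=10.0.0.5 dst=203.0.113.9 dpt=22
     The pre-decoder strips the syslog header and sets program_name to "examplefw";
     the decoders below only have to deal with the key=value body. -->

<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<decoder name="examplefw">
  <program_name>^examplefw</program_name>
</decoder>

<decoder name="examplefw-fields">
  <parent>examplefw</parent>
  <!-- \w = word chars, \S = non-space, \d = digit in Wazuh's regex dialect.
       Captured groups are assigned, in order, to the standard field names. -->
  <regex>action=(\w+) src=(\S+) dst=(\S+) dpt=(\d+)</regex>
  <order>action, srcip, dstip, dstport</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="examplefw,">
  <!-- Base rule: fires for every decoded examplefw event so that the decoder
       can be validated end to end; level 3 is the default alert threshold. -->
  <rule id="100100" level="3">
    <decoded_as>examplefw</decoded_as>
    <description>examplefw: $(action) from $(srcip) to $(dstip):$(dstport)</description>
  </rule>

  <!-- Child rule: only denied connections, raised to a level worth looking at. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="action">^deny$</field>
    <description>examplefw denied $(srcip) to $(dstip):$(dstport)</description>
  </rule>
</group>
```

Put the decoders in /var/ossec/etc/decoders/local_decoder.xml and the rules in /var/ossec/etc/rules/local_rules.xml, restart the manager, then paste the sample line into /var/ossec/bin/ossec-logtest (called wazuh-logtest on Wazuh 4.x). Phase 2 of the output should name decoder examplefw with the four extracted fields and phase 3 should fire rule 100101; a "decoder not found" result means the program_name or regex does not match the line, and the line to test is the full_log value from archives.json, which only exists while logall_json is enabled in the manager's global block.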
@ryoka1g 2 years ago
Any idea on how to integrate Fortinet logs into Wazuh??
@taylorwalton_socfortress 2 years ago
Hey Chris, I do not have experience with Fortinet but this guide should help: docs.fortinet.com/document/fortianalyzer/7.0.2/administration-guide/19991/configuring-log-forwarding. Just need to point to the Wazuh manager
@ryoka1g 2 years ago
@taylorwalton_socfortress I actually managed, as it was fairly simple (I guess syslog to syslog lol). Now I'm trying to learn how to analyse these syslogs and find any attacks or smth
@marciolima174 2 years ago
In my case I use OpenDistro, Kibana, Wazuh and Filebeat on different servers. In syslog host, which IP do I need to set? Since OpenDistro opens the interface of the Wazuh config.
@taylorwalton_socfortress 2 years ago
You will need to point your syslog host to the IP of the Wazuh Manager. Wazuh will take those logs and send them to Elastic.
@marciolima174 2 years ago
@taylorwalton_socfortress Thanks.
@gaplans 3 years ago
Thanks for the video. It was a life saver ( gaplan )
@taylorwalton_socfortress 3 years ago
Thanks for watching!
@gheryking a year ago
Please subscribe... ready!!, great job.