Wazuh is an open-source security platform that combines security information and event management (SIEM) with endpoint protection. It provides log collection and analysis, vulnerability detection, intrusion detection, file integrity monitoring, and much more. This guide shows how to point an Ubuntu host's rsyslog at the Wazuh manager so that its system and network logs are collected and searchable in the Wazuh dashboard.
Prerequisites
Configure the Syslog Server on the Wazuh Manager:
Log in to the console of your Wazuh server and perform the following steps:
Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following lines at the bottom of the file. The <remote> block must live inside an <ossec_config> element; Wazuh accepts several top-level <ossec_config> elements, so appending a new one at the end of the file is fine:
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>0.0.0.0/0</allowed-ips>
    <local_ip>[wazuh_serverIP]</local_ip>
  </remote>
</ossec_config>
Replace [wazuh_serverIP] with the address the manager should listen on. Note that <allowed-ips>0.0.0.0/0</allowed-ips> accepts syslog from any source, so any host that can reach port 514 can inject log lines into the SIEM. In anything beyond a lab, restrict it to the client's address or subnet (for example 192.168.2.0/24); you can repeat the <allowed-ips> tag for several networks. Messages from sources outside <allowed-ips> are dropped by the manager.
Restart the manager to apply the changes:
sudo systemctl restart wazuh-manager
Connect the Ubuntu Syslog Client to the Syslog Server:
Log in to your Ubuntu server console and perform the following steps:
Open the rsyslog configuration file (/etc/rsyslog.conf). The commented UDP and TCP lines there (the imudp and imtcp module and input entries) make this host listen for syslog on port 514. They are only needed if the Ubuntu host should itself receive syslog from other machines; forwarding to Wazuh works without them, so leave them commented unless you need that and are prepared to firewall the port.
Open the file /etc/rsyslog.d/50-default.conf and add the following forwarding rule at the bottom:
*.* @@[wazuh_syslogIP]:514
Replace [wazuh_syslogIP] with the manager's address. The double @@ means TCP and a single @ means UDP; it must match the <protocol> configured in the manager's <remote> block (tcp above), otherwise the messages never arrive. *.* forwards every facility and priority; narrow the selector if you only want certain logs shipped.
Now apply the changes by restarting the rsyslog service:
sudo systemctl restart rsyslog.service
Check the service status to confirm that rsyslog started without errors:
sudo systemctl status rsyslog.service
A running status only shows that rsyslog accepted its configuration; it does not prove that logs reach the manager. To confirm delivery, check that an established TCP session to the manager's port 514 exists (for example with ss on the client), send a test message with logger, and then look for it in the Wazuh dashboard as described below. If the message does not appear, the usual causes are a firewall between the hosts, a UDP/TCP mismatch between the @ prefix and the manager's <protocol>, or a client address outside <allowed-ips>.
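The manager and client steps above have to agree on three things: the port, the protocol (tcp in the <remote> block versus @@ in the rsyslog rule) and the client address being covered by <allowed-ips>. The following Python script is an added example, not part of the original page or of Wazuh itself; it parses a constructed copy of the manager's <remote> block and the client's forwarding rule, reports any mismatch, and flags an <allowed-ips> that accepts the whole Internet. The addresses, the configuration text and the function names are assumptions made for the example; it understands only the legacy rsyslog "@@host:port" forwarding syntax, not the newer action(type="omfwd" ...) form.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of the manager side: the <remote> block that the
# page's step adds to /var/ossec/etc/ossec.conf (addresses are made up).
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.0.0.0/24</allowed-ips>
    <local_ip>10.0.0.5</local_ip>
  </remote>
</ossec_config>
"""

# Constructed sample of the client side: the rule appended to
# /etc/rsyslog.d/50-default.conf.  "@@" means TCP, a single "@" means UDP.
RSYSLOG_RULE = "*.* @@10.0.0.5:514"

# Legacy rsyslog forwarding syntax only: "<selector> @[@]<host>[:<port>]".
_FORWARD_RULE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)


def parse_rsyslog_forward(rule):
    """Return selector, protocol, host and port of one forwarding rule."""
    m = _FORWARD_RULE.match(rule)
    if not m:
        raise ValueError(f"not a legacy rsyslog forwarding rule: {rule!r}")
    return {
        "selector": m["selector"],
        "protocol": "tcp" if m["at"] == "@@" else "udp",
        "host": m["host"],
        "port": int(m["port"] or 514),  # rsyslog uses 514 when no port is given
    }


def parse_remote_blocks(conf_text):
    """Return every syslog <remote> listener found in ossec.conf text.

    ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML, so the text is wrapped in a throwaway root first.
    Missing <port>/<protocol> tags fall back to Wazuh's defaults (514, udp).
    """
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    listeners = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        protocols = (remote.findtext("protocol") or "udp").strip().lower()
        listeners.append({
            "port": int((remote.findtext("port") or "514").strip()),
            "protocols": {p.strip() for p in protocols.split(",")},
            "allowed_ips": [
                ipaddress.ip_network(n.text.strip(), strict=False)
                for n in remote.findall("allowed-ips")
            ],
        })
    return listeners


def check_forwarding(conf_text, rule, client_ip):
    """Compare the client's forwarding rule with the manager's listener.

    Returns a list of findings; an empty list means both sides agree and the
    listener is not open to every source address.
    """
    findings = []
    fwd = parse_rsyslog_forward(rule)
    listeners = parse_remote_blocks(conf_text)
    if not listeners:
        return ["manager: no <remote> block with <connection>syslog</connection>"]

    matching = [
        lst for lst in listeners
        if lst["port"] == fwd["port"] and fwd["protocol"] in lst["protocols"]
    ]
    if not matching:
        have = ", ".join(
            f"{'/'.join(sorted(lst['protocols']))}/{lst['port']}" for lst in listeners
        )
        findings.append(
            f"client forwards over {fwd['protocol']}/{fwd['port']} but the "
            f"manager only listens on {have}; fix the @/@@ prefix or the port"
        )
        return findings

    client = ipaddress.ip_address(client_ip)
    for lst in matching:
        if not any(client in net for net in lst["allowed_ips"]):
            findings.append(
                f"manager: {client} is not covered by <allowed-ips> "
                f"{[str(n) for n in lst['allowed_ips']]}; its messages will be dropped"
            )
        for net in lst["allowed_ips"]:
            if net.prefixlen == 0:
                findings.append(
                    f"manager: <allowed-ips>{net}</allowed-ips> accepts syslog from "
                    "any source; restrict it to the client subnet"
                )
    return findings


if __name__ == "__main__":
    for finding in check_forwarding(OSSEC_CONF, RSYSLOG_RULE, "10.0.0.20") or ["OK"]:
        print(finding)
```

Run it with the real files by reading /var/ossec/etc/ossec.conf and the forwarding line from /etc/rsyslog.d/50-default.conf into the two constants and passing the client's source address; a single "@" against a tcp-only manager, or a client outside <allowed-ips>, produces a finding before you go looking for missing events in the dashboard.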
Open the Wazuh dashboard by pointing your browser to:
URL: https://[wazuh_dashboard_IP]
Go to the Wazuh home section and open the Security Events module.
Filter the events by specific fields such as the client's hostname; the forwarded system and network events from the Ubuntu host should now be listed.
Another way to browse the raw forwarded logs is to open the Discover tab from the left-hand menu and search the alerts index for the client's hostname.
Conclusion
Leveraging Wazuh syslog for network log monitoring strengthens an organization's security posture by providing real-time visibility into network activities, enabling timely responses to security incidents and supporting overall threat detection and mitigation efforts.