Syslog Ingestion? #553
Replies: 3 comments 8 replies
-
|
Focus on agent installation. Agents collect syslog logs and send to LME https://github.com/cisagov/LME/tree/main/docs/markdown/agents You need an elastic and/or wazuh agent for linux installed on your endpoint. |
Beta Was this translation helpful? Give feedback.
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
Ah yes. Fair point. Can you explain where exactly when you say it forwards the message to your windows server -- where does it go? Is there a logfile? |
Beta Was this translation helpful? Give feedback.
-
|
Essentially you have to POINT the agent to this information somewhere. If its not Forwarded Events and its somewhere else? You will have to know where that it is. You may be able to use a custom config with elastic / wazuh to monitor that file and send the data to elasticsearch. But the default configuration will not pick that up automatically -- no. We will have to configure it somewhere. This is a integration you can use for generic log files: https://www.elastic.co/guide/en/integrations/current/log.html |
Beta Was this translation helpful? Give feedback.
-
|
Another question would be -- I assume this device has some type of syslog that can forward events ? Since its forwarding to the windows machine? What is it using to this ? Rsyslog or something like that? You MAY be able to configure it to send directly to elasticsearch -- I'm just not certain of your exact configuration |
Beta Was this translation helpful? Give feedback.
-
|
All I have are a bunch of switches and APs. Right now they send their logs directly to our Splunk server using their syslog settings on the switch/AP configuration and Splunk just ingests them just like it receives Windows Logs from the Splunk Universal Log Forwarder so there is a single logging system that receives Windows and switch/AP logs. I'd like to update those switches and APs to just send the logs to the LME server but cannot figure out how to get Elastic/LME to ingest them. This seems like a common use case (or at least a useful setup for LME if it could get syslog data in some easy way in a future version). It sounds like currently the way to go is to set up a syslog server on one of our Windows/Linux servers that has the Elastic agent, set the Elastic agent configuration on to look at the Syslog flat file which will then send it to LME. I'm happy to try that out and see what the output looks like. |
Beta Was this translation helpful? Give feedback.
-
|
Thats interesting -- ive never configured syslog to directly send to splunk/elasticsearch before but i assume you could just change the config to elasticsearch instead... But yes you could also do it with a server where you collect logs to |
Beta Was this translation helpful? Give feedback.
-
|
We did some more research on this. Wazuh actually comes with an easy way to ingest syslog See here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html So, if you edit the file located at: /opt/lme/config/wazuh_cluster/wazuh_manager.conf And add the configuration in the link to match YOUR syslog forwarding information (allowed IP's etc) -- wazuh will be able to consume those logs. Ensure the formatting is correct you should see another configuration in the config you can match it up with. Also configure syslog on those devices to send to the LME server at a matching port. Then restart the container This way you dont need an additional server |
Beta Was this translation helpful? Give feedback.
-
I need to ingest data from devices that can only send logs via syslog. Can I send them directly to the LME server (and if so, how, because I can't find a way to do it--syslog isn't mentioned in the documentation for a logging product a single time) or do I need to send them to a Windows Server and use like Log Event Forwarder or something like I can do with Splunk?
Beta Was this translation helpful? Give feedback.
All reactions