Configure the Hydra syslog receiver
One of the items required by most customers is on-premises syslog ingestion. To allow the Hydra to ingest syslog, the following needs to be done.
NOTE: Please document the IPs or IP ranges from which you wish to send syslog to the Hydra, and whether the source protocol is UDP or TCP.
To apply the relevant configuration changes, please perform the following steps:
SSH to the Hydra
Type sudo -s and Press [ENTER]
Type docker exec -it wazuh bash and Press [ENTER]
Type vim /var/ossec/etc/ossec.conf and Press [ENTER]
Using the arrow keys, move down until after you see “</remote>”
Press [INSERT]
Press [ENTER] twice; it should appear like the screenshot below
Paste the following codeblock into the center line of the open space
    <!-- one <remote> block per listener; set <protocol> to tcp or udp to match the source -->
    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>10.0.0.0/8</allowed-ips>
    </remote>
    <!-- second listener, e.g. for the other protocol; two identical blocks would bind the same port twice -->
    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>10.0.0.0/8</allowed-ips>
    </remote>
Edit the <allowed-ips> lines to reflect the IP or IPs you want to allow to send syslog.
NOTE: You can add multiple <allowed-ips> lines, as per the screenshot below.
Once you have completed your adjustments, save the file and restart the service:
Press [ESC] and then Type [:wq] and Press [ENTER]
Type wazuh-control restart and Press [ENTER], then wait for the restart to complete; this may take a few moments.
Check for any errors preventing Wazuh from starting
Once the Wazuh service has restarted, check that the ports are listening by typing the command netstat -plunt and pressing [ENTER]. This will produce an output like the one below; note the underlined items.
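As an added example (not Hydra's or Wazuh's own code), the Python check below parses the syslog <remote> blocks out of a copy of ossec.conf and flags the mistakes that stop the listener from coming up cleanly: two blocks binding the same port and protocol, a missing <allowed-ips>, an invalid range, or a range that admits any sender. The sample config is constructed from the block in the procedure above.

```python
# Added example (not part of the Hydra/Wazuh docs): parse the <remote> syslog
# listeners out of ossec.conf and flag configuration mistakes before restarting.
import xml.etree.ElementTree as ET
from ipaddress import ip_network

# Constructed sample: the <remote> block from the procedure, pasted twice as on the page.
BLOCK = ("<remote><connection>syslog</connection><port>514</port>"
         "<protocol>tcp</protocol><allowed-ips>10.0.0.0/8</allowed-ips></remote>")
SAMPLE_CONF = f"<ossec_config>{BLOCK}{BLOCK}</ossec_config>"

def parse_syslog_listeners(conf_text):
    """Return one dict per <remote> block whose <connection> is syslog."""
    # ossec.conf may contain several top-level <ossec_config> elements, which
    # is not well-formed XML, so wrap the text in a synthetic root first.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    listeners = []
    for rem in root.iter("remote"):
        if (rem.findtext("connection") or "").strip() != "syslog":
            continue
        listeners.append({
            "port": int((rem.findtext("port") or "514").strip()),            # Wazuh default
            "protocol": (rem.findtext("protocol") or "udp").strip().lower(),  # Wazuh default
            "allowed_ips": [a.text.strip() for a in rem.findall("allowed-ips") if a.text],
        })
    return listeners

def check_listeners(listeners):
    """Return human-readable problems; an empty list means the listeners look sane."""
    issues, seen = [], set()
    for l in listeners:
        name = f"{l['protocol']}/{l['port']}"
        if (l["port"], l["protocol"]) in seen:
            issues.append(f"duplicate listener {name}: two <remote> blocks bind the same port")
        seen.add((l["port"], l["protocol"]))
        if not l["allowed_ips"]:
            issues.append(f"{name}: <allowed-ips> is required for syslog; no sender would be accepted")
        for cidr in l["allowed_ips"]:
            try:
                if ip_network(cidr, strict=False).prefixlen == 0:
                    issues.append(f"{name}: {cidr} accepts syslog from any source address")
            except ValueError:
                issues.append(f"{name}: {cidr!r} is not a valid IP or CIDR range")
    return issues

if __name__ == "__main__":
    for problem in check_listeners(parse_syslog_listeners(SAMPLE_CONF)):
        print("WARNING:", problem)
```

Run it against a copy of the edited file (for example after docker cp from the wazuh container) before wazuh-control restart, so a bad edit is caught without taking the service down.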