Configure the Hydra syslog receiver

Most customers require on-premises syslog ingestion. To allow the Hydra to ingest syslog, the following needs to be done.

NOTE: Please document the IPs or IP ranges that will send syslog to the Hydra, and whether the source protocol is UDP or TCP.

To apply the relevant configuration changes, please perform the following steps:

  1. SSH to the Hydra

  2. Type sudo -s and Press [ENTER]

  3. Type docker exec -it wazuh bash and Press [ENTER]

  4. Type vim /var/ossec/etc/ossec.conf and Press [ENTER]

  5. Using the arrow keys, move down until after you see “</remote>”

  6. Press [INSERT]

  7. Press [ENTER] twice; it should appear like the screenshot below

  8. Paste the following codeblock into the center line of the open space

    XML
      <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>tcp</protocol>
        <allowed-ips>10.0.0.0/8</allowed-ips>
      </remote>
      
      <remote>
        <connection>syslog</connection>
        <port>514</port>
        <protocol>tcp</protocol>
        <allowed-ips>10.0.0.0/8</allowed-ips>
      </remote>
  9. Edit the <allowed-ips> lines to reflect the IP or IPs you want to allow to send syslog.
    NOTE: You can add multiple lines that contain <allowed-ips> as per the screenshot below

  10. Once you have completed your adjustments you can save the file and restart the service

  11. Press [ESC] and then Type [:wq] and Press [ENTER]

  12. Type wazuh-control restart and Press [ENTER], then wait for the restart to complete; this may take a few moments.

    1. Check for any errors preventing Wazuh from starting

  13. Once the Wazuh service has restarted, you can check that the ports are listening by Typing the command netstat -plunt and Pressing [ENTER]. This will produce an output like below. Note the underlined items
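
A check that can be run against the edited ossec.conf before the restart in step 12, as an added example (not part of the original guide or of Wazuh's own tooling): it parses the syslog <remote> blocks from step 8 and reports listeners declared twice on the same port and protocol, and <allowed-ips> values that are not a valid address or that match every source. It assumes <allowed-ips> entries are written as plain IPs or CIDR ranges; check_syslog_remotes and SAMPLE_CONF are names made up for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the block from step 8 twice, plus one mistyped address.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.0.0.0/8</allowed-ips>
    <allowed-ips>192.168.1.300</allowed-ips>
  </remote>
</ossec_config>
"""

def check_syslog_remotes(conf_text):
    """Return (listeners, findings) for <remote> blocks with connection=syslog."""
    # ossec.conf can hold several <ossec_config> roots, so wrap it before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    listeners, findings = [], []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # agent ("secure") listeners are out of scope here
        key = tuple((remote.findtext(tag) or "unset").strip().lower()
                    for tag in ("port", "protocol"))
        if key in listeners:
            findings.append("duplicate listener %s/%s" % key)
        listeners.append(key)
        for src in [(e.text or "").strip() for e in remote.findall("allowed-ips")]:
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                findings.append("invalid <allowed-ips> value: " + src)
                continue
            if net.prefixlen == 0:
                findings.append("<allowed-ips> %s matches every source" % src)
    return listeners, findings

if __name__ == "__main__":
    for line in check_syslog_remotes(SAMPLE_CONF)[1]:
        print(line)
```

To check the real file, pass the contents of /var/ossec/etc/ossec.conf to check_syslog_remotes instead of SAMPLE_CONF.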
