Syslog to Wazuh

Hello!
We are trying to connect our fireboxes to Wazuh to decode and analyze the syslogs.

Unfortunately this does not work as expected. It seems the syslog format of the WatchGuard boxes is not compatible with Wazuh - see https://github.com/wazuh/wazuh/issues/7052

Does anybody have a solution or workaround?

Thank you very much

Axel

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @kraeg

    The date/timestamp of the log (2020-09-11T07:23:52) is necessary information. I've never heard of a logging system not being able to parse that.

    We support syslog and IBM LEEF, see:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/send_logs_to_syslog_c.html

    It looks like the problem is their ability to parse that log, and they appear to be working on that. Any workarounds will likely be on their side.

    -James Carson
    WatchGuard Customer Support

  • Hello guys.
    I think that I've found the solution. If you disable the "Time Stamp" on the syslog server definition, using syslog format, the UTC field disappears from the syslog message received by Wazuh and it can be decoded correctly.
    Hope this will be useful for you.
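The workaround above removes the extra ISO 8601 timestamp at the sender; the same normalisation can be applied on the collector side before the message reaches the decoder. The following is an added example, not code from this thread, WatchGuard or Wazuh; the sample lines and the assumed layout (BSD syslog header, optional ISO timestamp, then a `program:` tag and key="value" body) are constructed for illustration.

```python
import re

# Constructed sample lines (the exact Firebox layout is an assumption).
# The first carries the ISO 8601 field the thread discusses; the second is
# the shape expected once "Time Stamp" is disabled on the sender.
LINE_WITH_TS = ('<142>Sep 11 07:23:52 firebox 2020-09-11T07:23:52 firewall: '
                'msg_id="3000-0148" Allow 1-Trusted 0-External tcp '
                '10.0.1.5 203.0.113.9 51234 443')
LINE_WITHOUT_TS = ('<142>Sep 11 07:23:52 firebox firewall: '
                   'msg_id="3000-0148" Allow 1-Trusted 0-External tcp '
                   '10.0.1.5 203.0.113.9 51234 443')

HEADER = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'                                # optional PRI
    r'(?P<bsd>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '  # BSD timestamp
    r'(?P<host>\S+) '                                          # hostname
    r'(?:(?P<iso>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}'
    r'(?:Z|[+-]\d{2}:?\d{2})?) )?'                             # optional ISO ts
    r'(?P<prog>[\w-]+): '                                      # program tag
    r'(?P<msg>.*)$')


def normalise(line):
    """Drop the ISO 8601 field so the line has the plain BSD syslog shape.
    Returns (normalised_line, removed_timestamp_or_None); lines that do not
    match the expected header are passed through untouched."""
    m = HEADER.match(line)
    if not m:
        return line, None
    pri = f"<{m['pri']}>" if m['pri'] else ''
    return f"{pri}{m['bsd']} {m['host']} {m['prog']}: {m['msg']}", m['iso']


def parse_firebox(line):
    """Split the header and extract key="value" pairs from the body.
    Works on both shapes, so the ISO field is kept as data, not lost."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m['pri']) if m['pri'] else None
    return {
        'facility': pri // 8 if pri is not None else None,
        'severity': pri % 8 if pri is not None else None,
        'host': m['host'],
        'program': m['prog'],
        'iso_timestamp': m['iso'],
        'fields': dict(re.findall(r'(\w+)="([^"]*)"', m['msg'])),
        'body': m['msg'],
    }
```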
