Forward syslog events
ThreatLockDown agents can run on a wide range of operating systems, but when it is not possible due to software incompatibilities or business restrictions, you can forward syslog events to your environment. This is a common use case for network devices such as routers or firewalls.
Since every communication with your environment is performed through the ThreatLockDown agent, you must configure the agent to forward the syslog events. To do so, you have these options:
Rsyslog on Linux
Use rsyslog on a Linux endpoint with a ThreatLockDown agent to log to a file and send those logs to the environment.
Configure rsyslog to receive syslog events and enable the TCP or UDP settings by editing the /etc/rsyslog.conf file.
For TCP:
$ModLoad imtcp
$InputTCPServerRun <PORT>
For UDP:
$ModLoad imudp
$UDPServerRun <PORT>
Make sure to review your firewall/SELinux configuration to allow this communication.
Configure rsyslog to forward events to a file by editing the /etc/rsyslog.conf file.
# Storing Messages from a Remote System into a specific File
if $fromhost-ip startswith 'REMOTE_DEVICE_IP' then /var/log/<FILE_NAME.log>
& ~
To perform the following steps, make sure to replace <FILE_NAME.log> with the name chosen for this log.
Deploy a ThreatLockDown agent on the same endpoint with rsyslog installed.
Configure the agent to read the syslog output file by editing the /var/ossec/etc/ossec.conf file.
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/<FILE_NAME.log></location>
</localfile>
Run the commands below to restart rsyslog and the ThreatLockDown agent:
# systemctl restart rsyslog
# systemctl restart wazuh-agent
Logstash on Windows
Use Logstash on a Windows endpoint with a ThreatLockDown agent to receive syslog, log to a file, and send those logs to the environment.
Install Logstash.
Download the Logstash ZIP package.
Extract the ZIP contents into a local folder, for example, C:\logstash\.
Configure Logstash.
Create the following file: C:\logstash\config\logstash.conf
input {
  syslog {
    port => <PORT>
  }
}
output {
  file {
    path => "C:\logstash\logs\<FILE_NAME.log>"
    codec => "line"
  }
}
Make sure to replace <FILE_NAME.log> with the name chosen for this log.
Deploy a ThreatLockDown agent on the same endpoint that has Logstash.
Configure the ThreatLockDown agent to read the Logstash output file by adding the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logstash\logs\<FILE_NAME.log></location>
  </localfile>
</ossec_config>
Restart Logstash.
Run Logstash from the command line:
C:\logstash\bin\logstash.bat -f C:\logstash\config\logstash.conf
Install Logstash as a Windows service using either NSSM or Windows Task Scheduler.
Restart the ThreatLockDown agent. If you are running PowerShell, use the following command:
Restart-Service Wazuh
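Before pointing a router or firewall at either listener (the rsyslog TCP/UDP input or the Logstash syslog input above), it is worth confirming that the port accepts a well-formed message. The following Python script is an added example written for this page; it is not part of the ThreatLockDown, rsyslog or Logstash projects. It builds an RFC 3164 test line, sends it over UDP or TCP to a host and the <PORT> you configured, and includes a loopback helper that stands in for the real listener on 127.0.0.1 so the script also runs stand-alone. All function names (build_message, send_udp, send_tcp, loopback_check) are my own.

```python
import socket
import threading
from datetime import datetime

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, hostname, tag, text, when=None):
    """Build an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(line):
    """Return (facility_code, severity_code) from the leading <PRI> field."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_udp(host, port, line):
    """One datagram per message, as rsyslog imudp expects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def send_tcp(host, port, line):
    """rsyslog imtcp and the Logstash syslog input delimit TCP records with LF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")


def loopback_check(proto, line):
    """Stand-in listener: bind an ephemeral localhost port, send the line
    through it with the same sender used for a real device, and return
    exactly what arrived (None on timeout)."""
    received = []
    if proto == "udp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        port = srv.getsockname()[1]

        def recv():
            data, _ = srv.recvfrom(65535)
            received.append(data.decode())
        worker = threading.Thread(target=recv)
        worker.start()
        send_udp("127.0.0.1", port, line)
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        port = srv.getsockname()[1]

        def recv():
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while not buf.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
            received.append(buf.rstrip(b"\n").decode())
        worker = threading.Thread(target=recv)
        worker.start()
        send_tcp("127.0.0.1", port, line)
    worker.join(5)
    srv.close()
    return received[0] if received else None


if __name__ == "__main__":
    # Constructed sample message; replace host/port with your listener to test for real.
    test_line = build_message("local4", "notice", "rtr1", "bgp", "neighbor 10.0.0.2 down")
    for proto in ("udp", "tcp"):
        print(proto, "loopback ok" if loopback_check(proto, test_line) == test_line else "FAILED")
```

When you run the real check, use a hostname in the message that is easy to grep for in /var/log/<FILE_NAME.log> or C:\logstash\logs\<FILE_NAME.log>. Note that the rsyslog rule above matches on $fromhost-ip, the source address of the packet, so a test sent from a machine other than REMOTE_DEVICE_IP will be accepted by the listener but will not be written to that file.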