Configuring syslog on the ThreatLockDown server

The ThreatLockDown server can collect logs via syslog from endpoints such as firewalls, switches, routers, and other devices that don’t support the installation of ThreatLockDown agents. Perform the following steps on the ThreatLockDown server to receive syslog messages on a specific port.

  1. Add the following configuration in between the <ossec_config> tags of the ThreatLockDown server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:

    <remote>
      <connection>syslog</connection>
      <port>514</port>
      <protocol>tcp</protocol>
      <allowed-ips>192.168.2.15/24</allowed-ips>
      <local_ip>192.168.2.10</local_ip>
    </remote>
    

    Where:

    • <connection> specifies the type of connection to accept. This value can either be secure or syslog.

    • <port> is the port used to listen for incoming syslog messages from endpoints. We use port 514 in the example above.

    • <protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.

    • <allowed-ips> is the IP address or network range of the endpoints forwarding events to the ThreatLockDown server. In the example above, we use 192.168.2.15/24.

    • <local_ip> is the IP address of the ThreatLockDown server listening for incoming log messages. In the example above, we use 192.168.2.10.

    Refer to the remote section of the local configuration documentation for more information on remote syslog options.

  2. Restart the ThreatLockDown manager to apply the changes:

    # systemctl restart wazuh-manager
    

Note

The allowed-ips label is mandatory. The configuration will not take effect without it.
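The following is an added example, not code from the ThreatLockDown project: a small Python checker that reads an ossec.conf-style document and verifies each syslog `<remote>` block against the rules stated above (connection is syslog or secure, protocol is tcp or udp, port is a valid port number, allowed-ips is present and parses as an address or CIDR range, local_ip parses as an address), plus a helper that builds an RFC 3164 syslog line so you can send one test event from an allowed host after restarting the manager. It assumes that port defaults to 514 and protocol to tcp when omitted, and that allowed-ips is required only for syslog listeners; the sample configuration embedded in it is the fragment from this page and the test hostname is constructed.

```python
"""Validate ThreatLockDown <remote> syslog listener blocks (added example).

Not part of the ThreatLockDown project. Assumptions: <port> defaults to 514
and <protocol> to tcp when omitted; <allowed-ips> is mandatory only when
<connection> is syslog.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the page's fragment wrapped in <ossec_config>.
SAMPLE_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
</ossec_config>
"""

VALID_CONNECTIONS = {"syslog", "secure"}
VALID_PROTOCOLS = {"tcp", "udp"}


def _text(remote, tag):
    """Return the stripped text of a child element, or None if absent/empty."""
    node = remote.find(tag)
    return node.text.strip() if node is not None and node.text else None


def check_remote(remote):
    """Return a list of problems found in one <remote> element (empty if OK)."""
    problems = []
    connection = _text(remote, "connection")
    if connection not in VALID_CONNECTIONS:
        problems.append(f"connection must be one of {sorted(VALID_CONNECTIONS)}, got {connection!r}")

    protocol = _text(remote, "protocol") or "tcp"  # assumed default
    if protocol not in VALID_PROTOCOLS:
        problems.append(f"protocol must be one of {sorted(VALID_PROTOCOLS)}, got {protocol!r}")

    port = _text(remote, "port") or "514"  # assumed default
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port must be 1-65535, got {port!r}")

    # allowed-ips may appear more than once; each entry must be an address or range.
    allowed = [n.text.strip() for n in remote.findall("allowed-ips") if n.text]
    if connection == "syslog" and not allowed:
        problems.append("allowed-ips is mandatory for a syslog listener")
    for entry in allowed:
        try:
            ipaddress.ip_network(entry, strict=False)  # strict=False accepts host bits set
        except ValueError:
            problems.append(f"allowed-ips entry {entry!r} is not an address or CIDR range")

    local_ip = _text(remote, "local_ip")
    if local_ip is not None:
        try:
            ipaddress.ip_address(local_ip)
        except ValueError:
            problems.append(f"local_ip {local_ip!r} is not a valid address")
    return problems


def check_config(xml_text):
    """Parse an ossec.conf-style document and validate every <remote> block."""
    root = ET.fromstring(xml_text)
    problems = []
    for index, remote in enumerate(root.iter("remote")):
        problems.extend(f"remote[{index}]: {p}" for p in check_remote(remote))
    return problems


def build_syslog_message(msg, hostname, tag="threatlockdown-test", facility=1,
                         severity=6, timestamp=None):
    """Build an RFC 3164 (BSD) syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    ts = timestamp or datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {msg}"


def send_test_message(host, port, protocol, line):
    """Send one syslog line to the listener; TCP lines are newline-terminated."""
    data = (line + "\n").encode()
    if protocol == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))


if __name__ == "__main__":
    # Usage: python3 check_remote.py /var/ossec/etc/ossec.conf
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for problem in check_config(text) or ["no problems found"]:
        print(problem)
```

Run it against /var/ossec/etc/ossec.conf before restarting the manager; a missing allowed-ips is reported rather than discovered later as a listener that silently never accepts anything. Note that `192.168.2.15/24` is accepted because host bits are allowed, and that `send_test_message` must be run from a host inside the allowed range or the manager will drop the event.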

If you have a central logging server like Syslog or Logstash in place, you can install the ThreatLockDown agent on that server to streamline log collection. This setup enables seamless forwarding of logs from multiple sources to the ThreatLockDown server, facilitating comprehensive analysis.