wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

[enhancement] virtual wazuh syslog agents #9747

Open StefanSa opened 2 years ago

StefanSa commented 2 years ago

Hi there, currently all received (r)syslog logs are assigned to the Wazuh server itself, which is not really clear or helpful. Wouldn't it be better to have so-called virtual Wazuh syslog agents here? So each sending syslog server is managed in Wazuh as a virtual Wazuh syslog agent. This can actually be done easily via the remote syslog config, for example:

```yaml
var.known_devices:
      - location(or any syslog field): "192.168.1.1"
        wazuh_agentname: "switch01.host.local"
      - serial_number(or any syslog field): "1234234590678557"
        wazuh_agentname: "firewall02.host.local"
```

Or instead of this single static mapping of the fields, set a dynamic one. For example, the field name "location" is taken as the virtual Wazuh syslog agent.

If this example config can be in the remote syslog config, Wazuh must have decoded the syslog fields "before". Otherwise an enhancement of the decoder would be helpful.

Would something like this (similar) be feasible?
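As an added illustration of the lookup the proposal sketches (this is constructed example code, not Wazuh code and not an implementation of the reporter's config), the script below decodes a few constructed syslog lines, then resolves a virtual agent name first from a static `known_devices` table keyed on any decoded field, then optionally from a dynamic field, and otherwise falls back to the manager, which is today's behaviour. The field names `location`, `serial_number`, the `sn=` message convention and the manager name are assumptions made for the example.

```python
"""Constructed illustration of 'virtual syslog agent' resolution (not Wazuh code)."""
import re
from typing import Optional

# Assumption: unmatched senders stay attributed to the manager, as they are today.
MANAGER_NAME = "wazuh-manager"

# Static table in the shape sketched in the issue; every key other than
# wazuh_agentname is a decoded field that must match (constructed values).
KNOWN_DEVICES = [
    {"location": "192.168.1.1", "wazuh_agentname": "switch01.host.local"},
    {"serial_number": "1234234590678557", "wazuh_agentname": "firewall02.host.local"},
]

# Minimal RFC 3164-style header: <PRI>MMM dd hh:mm:ss HOSTNAME rest-of-message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<msg>.*)$"
)


def decode_syslog(line: str, peer_ip: str) -> dict:
    """Decode the fields a mapping can key on.

    peer_ip is the transport source address (the issue's 'location'); the
    hostname comes from the syslog header; serial_number is taken from an
    'sn=<value>' pair in the message body (a constructed convention).
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    fields = {
        "location": peer_ip,
        "hostname": m.group("hostname"),
        "pri": int(m.group("pri")),
        "message": m.group("msg"),
    }
    sn = re.search(r"\bsn=(\w+)", fields["message"])
    if sn:
        fields["serial_number"] = sn.group(1)
    return fields


def resolve_virtual_agent(fields: dict, known_devices=KNOWN_DEVICES,
                          dynamic_field: Optional[str] = None) -> str:
    """Return the virtual agent name for one decoded event."""
    # 1. Static mapping: all match keys of an entry must equal the decoded fields.
    for entry in known_devices:
        criteria = {k: v for k, v in entry.items() if k != "wazuh_agentname"}
        if criteria and all(fields.get(k) == v for k, v in criteria.items()):
            return entry["wazuh_agentname"]
    # 2. Dynamic mapping: the value of a chosen decoded field becomes the agent name.
    if dynamic_field and fields.get(dynamic_field):
        return str(fields[dynamic_field])
    # 3. Fallback: current behaviour, the event belongs to the manager.
    return MANAGER_NAME


def assign(line: str, peer_ip: str, **kw) -> str:
    """Decode one raw line received from peer_ip and resolve its virtual agent."""
    return resolve_virtual_agent(decode_syslog(line, peer_ip), **kw)


if __name__ == "__main__":
    # Constructed sample events: (raw line, transport source address)
    samples = [
        ("<134>Oct 10 12:00:00 switch01 sshd[123]: login ok", "192.168.1.1"),
        ("<134>Oct 10 12:00:01 fw02 kernel: sn=1234234590678557 drop", "10.0.0.9"),
        ("<134>Oct 10 12:00:02 router9 bgpd: peer up", "10.0.0.5"),
    ]
    for raw, ip in samples:
        print(ip, "->", assign(raw, ip), "| dynamic:", assign(raw, ip, dynamic_field="hostname"))
```

One design point worth keeping in view: in the static table the identity comes from the transport source address or a value the administrator pinned, whereas the dynamic mode takes the identity from a field the sender writes into the message, so a source that can forge the hostname header also chooses which virtual agent its events land under. Static entries for the devices you care about, with the dynamic mode only as a catch-all, keeps that trust boundary explicit.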

Grayfoox commented 4 months ago

This would be a big improvement for workflows with routers, firewalls etc.