Hi there,
Currently all received (r)syslog logs are assigned to the WAZUH server itself, which is not really clear or helpful.
Wouldn't it be better to have so-called virtual Wazuh syslog agents here?
So each sending syslog server is managed in Wazuh as a virtual Wazuh syslog agent.
This can actually be done easily via the remote syslog config, for example:
var.known_devices:
  - location (or any syslog field): "192.168.1.1"
    wazuh_agentname: "switch01.host.local"
  - serial_number (or any syslog field): "1234234590678557"
    wazuh_agentname: "firewall02.host.local"
Or instead of this single static mapping of the fields, set a dynamic one.
For example, the field name "location" is taken as virtual wazuh syslog agent.
If this example config can be in the remote syslog config, Wazuh must have decoded the syslog fields "before".
Otherwise an enhancement of the decoder would be helpful.
Would something like this (similar) be feasible?
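As an added illustration, not part of this issue and not Wazuh's own code, the following Python sketch shows the decode-then-map flow the request describes: a minimal RFC 3164 parser pulls the PRI, the header hostname/IP (labelled `location` here, following the example above) and any `key=value` pairs out of the message; the static `known_devices` list is consulted first, and an optional dynamic mode takes the value of a chosen field as the agent name, falling back to the manager otherwise. The config shape, the `wazuh-manager` fallback name and the sample syslog lines are all constructed assumptions.

```python
import re

# Constructed sample RFC 3164 lines, not real traffic.
SAMPLE_LINES = [
    '<134>Jan 12 10:01:02 192.168.1.1 sw: port Gi1/0/3 link down',
    '<30>Jan 12 10:01:05 fw02 fw: serial_number="1234234590678557" action=deny src=10.0.0.5',
    '<13>Jan 12 10:01:09 10.9.9.9 app: hello from an unknown host',
]

# Assumed shape of the proposed var.known_devices: each entry matches on one or
# more decoded fields and names the virtual agent to assign.
KNOWN_DEVICES = [
    {"match": {"location": "192.168.1.1"}, "wazuh_agentname": "switch01.host.local"},
    {"match": {"serial_number": "1234234590678557"}, "wazuh_agentname": "firewall02.host.local"},
]

# Assumed name for the default owner of unmapped events (today: the manager itself).
MANAGER_NAME = "wazuh-manager"

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG   (classic BSD syslog header)
_RFC3164 = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<location>\S+) '
    r'(?P<tag>[^:]+): '
    r'(?P<msg>.*)$'
)
# key=value or key="quoted value" pairs inside the message body
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def decode(line):
    """Decode one syslog line into a flat field dict, or None if it is not RFC 3164."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "location": m.group("location"),  # header hostname/IP, as in the issue's example
        "program": m.group("tag"),
        "message": m.group("msg"),
    }
    # Structured key=value pairs (e.g. serial_number=...) become fields of their own.
    for key, quoted, bare in _KV.findall(m.group("msg")):
        fields[key] = quoted if quoted else bare
    return fields


def virtual_agent(fields, known_devices=KNOWN_DEVICES, dynamic_field=None):
    """Pick the virtual agent name: static mapping first, then dynamic field, then manager."""
    for dev in known_devices:
        if all(fields.get(k) == v for k, v in dev["match"].items()):
            return dev["wazuh_agentname"]
    if dynamic_field and fields.get(dynamic_field):
        return fields[dynamic_field]
    return MANAGER_NAME


def assign(lines, known_devices=KNOWN_DEVICES, dynamic_field=None):
    """Return a list of (agent_name, fields); undecodable lines stay with the manager."""
    result = []
    for line in lines:
        fields = decode(line)
        if fields is None:
            result.append((MANAGER_NAME, {"raw": line}))
        else:
            result.append((virtual_agent(fields, known_devices, dynamic_field), fields))
    return result


if __name__ == "__main__":
    for agent, fields in assign(SAMPLE_LINES, dynamic_field="location"):
        print(f"{agent:24} <- {fields.get('program')}: {fields.get('message')}")
```

Two points worth keeping in mind when evaluating the proposal: the header hostname in a syslog line is self-reported by the sender, so a static mapping keyed on the transport source address (which the remote listener knows) is harder to fool than one keyed on a field parsed out of the message; and in the dynamic mode any sender can mint a new "agent" simply by writing a new value into that field, so a cap or an allow-list on dynamically created names would be a sensible companion setting.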