Pre-requisites:
- Rsyslog Windows Agent https://www.rsyslog.com/windows-agent/
- Wazuh stack (4.8.1) https://documentation.wazuh.com/current/installation-guide/index.html
Wazuh Configuration:
Open a syslog listener on the manager by adding the block below to /var/ossec/etc/ossec.conf. Only datagrams whose source address falls inside the network listed in the allowed-ips tag (here, the subnet where my Windows server is located) are accepted; syslog carries no authentication, so keep that range as narrow as possible. By default the listener uses UDP port 514; add <port> and <protocol> tags inside <remote> if you need something else. Restart the manager (systemctl restart wazuh-manager) to apply it:
<remote>
  <connection>syslog</connection>
  <allowed-ips>192.168.121.0/24</allowed-ips>
</remote>
Add a rule to capture the logs (in /var/ossec/etc/rules/local_rules.xml; the id must fall in the 100000-120000 range reserved for custom rules):
Note that for simplicity I am using only a rule and not extracting any fields from the logs; if needed, you should create custom decoders/rules. The program_name tag is compared against the program name that the Wazuh syslog pre-decoder extracts from the RFC 3164 header, so it must be the tag the Rsyslog agent puts on every message.
<group name="Winsyslog,">
  <rule id="100410" level="3">
    <program_name>WindowsEventSysLog</program_name>
    <description>Windows syslog event group</description>
  </rule>
</group>
Rsyslog configuration:
In the Rsyslog Windows Agent, add a tag (WindowsEventSysLog, spelled exactly as in the program_name of the Wazuh rule) to distinguish the logs, and select the Windows event channels you want to monitor:
Specify the Wazuh manager IP and the port on which the syslog connection is open and listening (514/UDP with the configuration above):
The output format can be customized. To benefit from the default Wazuh syslog pre-decoder, choose the legacy RFC 3164 format with UTF-8 encoding including BOM, then start the collection:
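As an added example (my own code, not part of the original post and not the Wazuh or Rsyslog projects' code), the following Python models the path one forwarded event takes on the manager side: the allowed-ips gate on the UDP listener, the RFC 3164 pre-decoding that gives Wazuh the program_name, and matching against rule 100410. The sample log line, hostname and source addresses are constructed; the parser is a simplified stand-in for Wazuh's real pre-decoder, and send_udp is a helper for pushing a test line at a manager, not something the agent itself does.

```python
"""Added example: simulate the manager-side handling of a Windows event that
the Rsyslog Windows Agent forwards as RFC 3164 syslog.

Assumptions (mine, not the post's): the sample line, hostname and IPs below are
constructed; predecode() is a simplified model of Wazuh's syslog pre-decoder,
not the real implementation; rule matching is modelled as an exact string
comparison on program_name.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Values taken from the post's configuration
ALLOWED_IPS = ["192.168.121.0/24"]
RULE_PROGRAM_NAME = "WindowsEventSysLog"   # <program_name> in rule 100410
RULE_ID, RULE_LEVEL = 100410, 3

# RFC 3164 (BSD syslog) shape the Wazuh pre-decoder understands:
#   <PRI>Mmm dd hh:mm:ss hostname program[pid]: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$",
    re.S,
)


@dataclass
class Decoded:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    program_name: str
    log: str
    pid: Optional[str] = None


def allowed_source(src_ip: str, allowed=ALLOWED_IPS) -> bool:
    """Model of <allowed-ips>: accept a datagram only if its source address is
    inside one of the configured networks. This is the only gate in front of an
    unauthenticated UDP listener, so the list should be as narrow as possible."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


def predecode(line: str) -> Optional[Decoded]:
    """Split an RFC 3164 line into the fields the syslog pre-decoder exposes
    (hostname, program_name, log). Returns None for anything else, which is what
    you get if the agent is left on RFC 5424 output instead of legacy 3164."""
    m = _RFC3164.match(line.lstrip("\ufeff"))  # tolerate the UTF-8 BOM the agent emits
    if not m:
        return None
    pri = int(m["pri"])
    return Decoded(facility=pri // 8, severity=pri % 8, timestamp=m["ts"],
                   hostname=m["host"], program_name=m["prog"],
                   log=m["msg"], pid=m["pid"])


def match_rule(d: Decoded):
    """Apply rule 100410: the rule's <program_name> is compared with the
    pre-decoded program name, so the agent tag must be spelled like the rule."""
    if d.program_name == RULE_PROGRAM_NAME:
        return {"id": RULE_ID, "level": RULE_LEVEL,
                "description": "Windows syslog event group"}
    return None


def process(src_ip: str, line: str) -> str:
    """Whole path: allowed-ips gate -> pre-decoder -> rule."""
    if not allowed_source(src_ip):
        return "dropped: source not in allowed-ips"
    d = predecode(line)
    if d is None:
        return "no match: line is not RFC 3164"
    r = match_rule(d)
    return f"alert rule {r['id']} level {r['level']}" if r else "no match: program_name differs"


# Constructed sample shaped like a forwarded logon event (Security 4624)
# with the agent tag set to the rule's program name.
SAMPLE = ("<14>Aug 12 10:15:42 WIN-SRV01 WindowsEventSysLog: "
          "Security 4624 An account was successfully logged on. "
          "Logon Type: 10 Account Name: alice")


def send_udp(line: str, manager_ip: str, port: int = 514) -> None:
    """Push one test line at a manager's syslog listener (UDP 514 is the default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (manager_ip, port))


if __name__ == "__main__":
    print(process("192.168.121.50", SAMPLE))          # accepted, rule fires
    print(process("10.0.0.9", SAMPLE))                # outside allowed-ips
    print(process("192.168.121.50",
                  SAMPLE.replace("WindowsEventSysLog", "WindowsEventSyslog")))
```

Run it as-is to see the three outcomes; call send_udp(SAMPLE, "<manager-ip>") from a host inside the allowed range and watch /var/ossec/logs/alerts/alerts.log on the manager to confirm the real listener, pre-decoder and rule agree with the model.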
Result:
All Windows events are now received by the Wazuh manager and raised as rule 100410 alerts. An example of a logon event, showing the added tag: