Forward Windows events using Rsyslog to Wazuh


Pre-requisites:

Wazuh Configuration:

Open a syslog listener on the manager by adding the configuration below to /var/ossec/etc/ossec.conf. The allowed-ips tag restricts which sources may send syslog to the manager; here it is the subnet where the Windows server is located. The listener defaults to UDP port 514 (the port and protocol tags override this). Restart the manager (systemctl restart wazuh-manager) to apply the change:

  <remote>
   <connection>syslog</connection>
   <allowed-ips>192.168.121.0/24</allowed-ips>
  </remote>

Add a rule to capture the logs, for example in /var/ossec/etc/rules/local_rules.xml:

Note that for simplicity this is a single catch-all rule that does not extract any fields from the logs. If you need fields (event ID, account name, logon type, and so on), create custom decoders and rules on top of it. You can validate the rule against a sample line with /var/ossec/bin/wazuh-logtest before restarting the manager.

<group name="Winsyslog,">
  <!-- Catch-all: fires on every syslog line whose program name (the tag the
       Rsyslog Windows agent prepends) is WindowsEventSysLog. -->
  <rule id="100410" level="3">
    <program_name>WindowsEventSysLog</program_name>
    <description>Windows syslog event group</description>
  </rule>
</group>

Rsyslog configuration:

Add a tag to distinguish these logs (use WindowsEventSysLog, spelled exactly as in the Wazuh rule's program_name, otherwise the rule will not match) and select the Windows event channel(s) you want to monitor:

Specify the IP address of the Wazuh manager and the port on which its syslog listener is open (514 by default, UDP unless you changed the protocol):


The output format can be customized. To benefit from Wazuh's default syslog pre-decoder (which extracts the timestamp, hostname and program name from the header), choose the legacy RFC 3164 format and the UTF-8 encoding including BOM, then start the collection:
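To see what the two sides agree on, here is an added example that is not part of the original post or of either product's code. It builds the legacy RFC 3164 line that the agent would emit for a (constructed) logon event, extracts the same header fields the Wazuh syslog pre-decoder works from, and checks whether rule 100410 would fire on the resulting program_name. The hostname WINSRV01, the event text and the tag MSWinEventLog used as a counter-example are made up; the exact-spelling check mirrors the advice above to keep the agent tag identical to the rule.

```python
"""Constructed example: emulate the RFC 3164 message sent by the Rsyslog
Windows agent and the header fields the Wazuh syslog pre-decoder pulls out
of it, then test the message against rule 100410's program_name.
Hostnames, event text and the manager address below are made up."""
import re
import socket
from datetime import datetime

RULE_PROGRAM_NAME = "WindowsEventSysLog"   # tag used in the Wazuh rule above

# Legacy RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def build_message(host, tag, text, facility=1, severity=5, when=None):
    """Build the line as an RFC 3164 sender would (facility 1 = user, severity 5 = notice)."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 pads a single-digit day with a space, not a zero ("Jan  2")
    ts = when.strftime("%b ") + f"{when.day:2d} " + when.strftime("%H:%M:%S")
    return f"<{pri}>{ts} {host} {tag}: {text}"


def predecode(line):
    """Return the header fields a syslog pre-decoder extracts, or None when the
    line is not legacy RFC 3164 (for example an RFC 5424 line, which starts
    with a version digit instead of a month name after the PRI)."""
    line = line.lstrip("\ufeff")   # tolerate a leading UTF-8 BOM
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "program_name": m.group("tag"),
        "log": m.group("msg"),
    }


def matches_rule(fields):
    """Rule 100410 only looks at program_name; this toy check requires the exact spelling."""
    return fields is not None and fields["program_name"] == RULE_PROGRAM_NAME


def send_udp(line, manager_ip, port=514):
    """Ship one line to the manager's syslog listener (UDP 514 is Wazuh's default).
    Not called below so the example stays offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (manager_ip, port))


if __name__ == "__main__":
    # constructed, abbreviated logon event (Security log, event ID 4624)
    evt = "Security: 4624: An account was successfully logged on. Logon Type: 10"
    for tag in (RULE_PROGRAM_NAME, "MSWinEventLog"):
        line = build_message("WINSRV01", tag, evt)
        fields = predecode(line)
        print(line)
        print("  program_name =", fields["program_name"],
              "-> rule 100410 fires:", matches_rule(fields))
```

Run it and compare the printed program_name with what wazuh-logtest reports for the same line; if the agent's tag and the rule disagree, the second line shows the failure mode you will see in practice (the event arrives, decodes, and silently matches nothing).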

Result:

All forwarded Windows events are now visible on the Wazuh manager. Below is an example of a logon event with the tag added:

