AlienVault® USM Anywhere™

Wazuh

When you configure Wazuh to send log data to USM Anywhere, you can use the Wazuh plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Wazuh
Device Type Endpoint Security
Connection Type Syslog

Integrating Wazuh

Before you configure the Wazuh integration, you must have the IP address of the USM Anywhere Sensor that will receive the syslog messages.

To configure Wazuh to send syslog messages to USM Anywhere

Log collection and syslog output to USM Anywhere are configured in the /var/ossec/etc/ossec.conf file on the Wazuh manager. For example:

<ossec_config>
  <syslog_output>
    <server><USM-Anywhere-Sensor-IP-Address></server>
  </syslog_output>
  <logging>
    <log_format>json</log_format>
  </logging>
</ossec_config>

In this example, the <server> setting directs syslog messages to USM Anywhere at the specified IP address (replace <USM-Anywhere-Sensor-IP-Address>, angle brackets included, with the sensor's IP address, otherwise the file is not valid XML and the manager will not start), and the <log_format> setting chooses JSON format for the logs.

After changing values in the ossec.conf file, you need to enable client-syslog, then restart the wazuh-manager service.

Enabling client-syslog (on Wazuh 4.2 and later the control script is named wazuh-control instead of ossec-control; the subcommand is unchanged):

# /var/ossec/bin/ossec-control enable client-syslog

For Systemd, restart the wazuh-manager service by running:

# systemctl restart wazuh-manager

For SysV Init, restart the wazuh-manager service by running:

# service wazuh-manager restart

Note: Wazuh documentation on configuring syslog output is provided at https://documentation.wazuh.com/current/user-manual/manager/manual-syslog-output.html.
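The steps above collected into one script, added here as an example; it is not part of the USM Anywhere or Wazuh documentation. It assumes ossec.conf is at /var/ossec/etc/ossec.conf (overridable through OSSEC_CONF), validates the sensor address before writing it into the XML, and fills in the <port>, <level> and <format> options of Wazuh's <syslog_output> block, which this page does not show. Wazuh forwards these messages as plain UDP syslog with no encryption, so the sensor must be reachable on UDP 514 and the path between manager and sensor should be a network you trust.

```shell
#!/bin/sh
# Added example, not from the USM Anywhere or Wazuh documentation.
# Adds a <syslog_output> block pointing at the USM Anywhere Sensor to
# ossec.conf, enables client-syslog, and restarts wazuh-manager.
# Assumptions: ossec.conf lives at OSSEC_CONF, the sensor listens on UDP 514,
# and <port>, <level>, <format> are Wazuh's syslog_output options.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
WAZUH_BIN="${WAZUH_BIN:-/var/ossec/bin}"

# Accept only a dotted-quad IPv4 address so nothing else can be written into
# the XML (a stray '<' here would leave ossec.conf unparsable).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the block: level 3 forwards alerts of level 3 and above, format json
# sends each alert as a JSON document instead of the default text line.
syslog_output_block() {
  cat <<EOF
  <syslog_output>
    <server>$1</server>
    <port>${2:-514}</port>
    <level>${3:-3}</level>
    <format>json</format>
  </syslog_output>
EOF
}

# Insert the block before the first </ossec_config> so it sits inside the
# root element. Refuses to run twice and keeps a .bak copy of the original.
add_syslog_output() {
  sensor="$1"; conf="${2:-$OSSEC_CONF}"
  valid_ipv4 "$sensor" || { echo "invalid sensor address: $sensor" >&2; return 1; }
  if grep -q '<syslog_output>' "$conf"; then
    echo "syslog_output already present in $conf" >&2; return 2
  fi
  block=$(syslog_output_block "$sensor")
  tmp="$conf.tmp.$$"; inserted=""
  while IFS= read -r line; do
    case "$line" in
      *'</ossec_config>'*)
        if [ -z "$inserted" ]; then printf '%s\n' "$block"; inserted=1; fi ;;
    esac
    printf '%s\n' "$line"
  done < "$conf" > "$tmp"
  [ -n "$inserted" ] || { echo "no </ossec_config> in $conf" >&2; rm -f "$tmp"; return 3; }
  cp "$conf" "$conf.bak" && mv "$tmp" "$conf"
}

# Enable the syslog forwarder and restart the manager. On Wazuh 4.2 and later
# the control script is wazuh-control; ossec-control is the older name.
enable_and_restart() {
  ctl="$WAZUH_BIN/wazuh-control"
  [ -x "$ctl" ] || ctl="$WAZUH_BIN/ossec-control"
  "$ctl" enable client-syslog || return 1
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart wazuh-manager
  else
    service wazuh-manager restart
  fi
}

# Usage: sh wazuh-usm-syslog.sh <sensor-ip>   (run as root on the manager)
if [ -n "${1:-}" ]; then
  add_syslog_output "$1" && enable_and_restart
fi
```

After the restart, confirm the forwarder is running (it appears as wazuh-csyslogd, or ossec-csyslogd on older releases, in the control script's status output) and that the sensor shows incoming events; if nothing arrives, a host or network firewall blocking UDP 514 toward the sensor is the usual cause.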

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • base_event_count
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • customfield_7
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • customheader_6
  • customheader_7
  • destination_username
  • device_event_category
  • device_external_id
  • event_description
  • event_name
  • event_severity
  • file_hash
  • file_path
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • source_process_commandline
  • source_username
  • status

Additional Resources and Troubleshooting

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/logging.html

For troubleshooting, see the vendor documentation.