CR-2026-02-26: Wazuh SIEM Network Integration

Change Summary

CR ID     CR-2026-02-26-001
Date      2026-02-26
Priority  P1
Type      SIEM Integration
Status    In Progress

Objective

Integrate all network infrastructure with Wazuh SIEM for centralized security monitoring, compliance logging, and incident response.

Scope

Network Infrastructure (Syslog)

Device      Type           IP           Status
pfSense-01  Firewall       10.50.1.1    SENDING
ISE-01      NAC            10.50.1.20   PENDING
9800-WLC    Wireless       10.50.1.40   PENDING
C9300-01    Core Switch    10.50.1.11   PENDING
3560CX-01   Access Switch  10.50.1.10   PENDING
bind-01     DNS            10.50.1.90   PENDING

Servers (Wazuh Agent)

  • vault-01, kvm-01, ipa-01, keycloak-01, k3s-master-01, home-dc01, nas-01

Workstations (Wazuh Agent)

  • modestus-razer, modestus-aw, modestus-p50

Key Blocker Identified

Archives not indexing in OpenSearch

Data reaches /var/ossec/logs/archives/archives.log but is NOT being indexed. No wazuh-archives-4.x-2026.02.26 indices exist.

CLI Mastery: Wazuh Diagnostics

Full Diagnostic One-Liner

dsource d000 dev/observability && \
echo "=== CLUSTER ===" && netapi wazuh health | jq -r '.status' && \
echo "=== ARCHIVES ===" && netapi wazuh indices --raw 2>/dev/null | \
  jq -r '.[] | select(.index | contains("archives")) | "\(.index): \(.docs.count) docs"' && \
echo "=== PROCESSES ===" && ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- pgrep -a filebeat" 2>/dev/null | head -1 && \
echo "=== ARCHIVE LOG ===" && ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- wc -l /var/ossec/logs/archives/archives.log 2>/dev/null"

Process Check with awk

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- ps aux" | \
  awk '/filebeat|logcollector|analysisd/ {printf "%-20s PID:%-6s CPU:%-5s MEM:%-5s\n", $11, $2, $3, $4}'

Filebeat Error Extraction

# sh -c runs inside the container so the filebeat* glob expands there, not on k3s-master-01;
# sub() on $1 only turns the ISO timestamp's T into a space without touching words like "Timeout"
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- sh -c 'cat /var/log/filebeat/filebeat* 2>/dev/null'" | \
  grep -iE 'error|failed|refused|timeout' | tail -20 | \
  awk '{sub(/T/, " ", $1); print}' | cut -c1-120

ossec.conf Archives Settings

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- cat /var/ossec/etc/ossec.conf" | \
  awk '/<global>/,/<\/global>/' | grep -E 'logall|jsonout|archives'

# Expected (for archives to work):
# <logall>yes</logall>
# <logall_json>yes</logall_json>
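The settings check above can be turned into a pass/fail test instead of eyeballing grep output. The script below is an added example, not part of the CR or of Wazuh's own tooling: it pulls a named tag out of the <global> block only (a same-named tag elsewhere in ossec.conf is ignored) and succeeds only when both logall and logall_json are yes. The ossec.conf text is constructed for the example and shows the failure mode behind this CR's blocker: logall on but logall_json off still fills archives.log, yet Filebeat's archives input reads archives.json, so nothing reaches OpenSearch.

```shell
#!/bin/sh
# Added example (not part of the CR): check an ossec.conf for the two <global>
# settings the archives pipeline needs. The config text below is constructed;
# it shows a manager with <logall> on but <logall_json> off, which still writes
# archives.log yet gives Filebeat no archives.json to ship to OpenSearch.

SAMPLE_OSSEC_CONF='<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
  </global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.50.1.0/24</allowed-ips>
  </remote>
</ossec_config>'

# global_setting TAG: print the text of <TAG> inside <global> (only that block,
# so a same-named tag elsewhere in the file is ignored), or "unset".
global_setting() {
  awk -v tag="$1" '
    /<global>/   { inglobal = 1 }
    /<\/global>/ { inglobal = 0 }
    inglobal && $0 ~ ("<" tag ">") {
      sub(".*<" tag ">", ""); sub("</" tag ">.*", ""); found = $0
    }
    END { print (found == "" ? "unset" : found) }'
}

# archives_enabled: read ossec.conf on stdin, print both values, succeed only
# when logall and logall_json are both "yes".
archives_enabled() {
  conf=$(cat)
  logall=$(printf '%s\n' "$conf" | global_setting logall)
  logall_json=$(printf '%s\n' "$conf" | global_setting logall_json)
  printf 'logall=%s logall_json=%s\n' "$logall" "$logall_json"
  [ "$logall" = "yes" ] && [ "$logall_json" = "yes" ]
}

# Against a live manager, replace the sample with the kubectl exec ... cat
# /var/ossec/etc/ossec.conf pipeline from the section above.
printf '%s\n' "$SAMPLE_OSSEC_CONF" | archives_enabled \
  || echo "archives NOT fully enabled: fix <global> and restart wazuh-manager"
```

Piping the live ossec.conf (the kubectl exec pipeline from the section above) into archives_enabled gives an exit status that can gate the rest of the diagnostic one-liner; remember that a change to <global> only takes effect after the manager restarts, and that Filebeat's own archives input must also be enabled for the indices to appear.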

CLI Mastery: Syslog Configuration

pfSense Syslog

# Enable
netapi pfsense syslog enable --server 10.50.1.134 --categories filter,system

# Verify
netapi pfsense syslog show

IOS-XE Syslog (WLC, C9300)

netapi wlc config \
  "logging host 10.50.1.134" \
  "logging trap informational" \
  "logging source-interface Loopback0" \
  "logging origin-id hostname" \
  --save

ISE Syslog Target

netapi ise api-call ers POST '/config/externalSyslogTarget' --data '{
  "ExternalSyslogTarget": {
    "name": "Wazuh-SIEM",
    "description": "Wazuh SIEM syslog collector",
    "host": "10.50.1.134",
    "port": 514,
    "protocol": "UDP"
  }
}'

CLI Mastery: jq + awk Patterns

Pattern 1: API → jq → awk Table

<api_call> | jq -r '.items[] | "\(.field1)\t\(.field2)"' | \
  awk -F'\t' 'BEGIN {printf "%-20s %s\n", "COL1", "COL2"} {printf "%-20s %s\n", $1, $2}'

Pattern 2: awk Histogram

<data> | awk '{bar=""; for(i=0;i<$1/10;i++) bar=bar"█"; printf "%6d %s %s\n", $1, bar, $2}'

Pattern 3: xargs Chain (No Temp Vars)

<get_id> | jq -r '.id' | xargs -I{} <use_id_{}>

Pattern 4: Conditional jq Output

<command> | jq -r 'if .status == "success" then "✓ \(.message)" else "✗ \(.error)" end'
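The awk table and histogram patterns above, applied to the syslog onboarding in this CR: which scoped devices are actually sending, which are still silent, and whether anything outside the scope list is talking to the collector. This is an added example, not part of the CR or of Wazuh; the device list is taken from the Scope table, while the archive lines are constructed in the plain-text archives.log shape "<timestamp> <source-ip>-><location> <message>" and are not real captures. It stays awk-only so it runs without jq; in live use the lines would come from the archives.log pipeline in the diagnostics section.

```shell
#!/bin/sh
# Added example (not part of the CR): apply the awk table and histogram
# patterns to the syslog onboarding in this CR. The device list comes from the
# Scope table; the archive lines are constructed in the plain-text archives.log
# shape "<timestamp> <source-ip>-><location> <message>" and are not real captures.

# Scoped syslog sources: "name ip", one per line (exported so awk can read it
# via ENVIRON without a temp file).
EXPECTED_SOURCES='pfSense-01 10.50.1.1
ISE-01 10.50.1.20
9800-WLC 10.50.1.40
C9300-01 10.50.1.11
3560CX-01 10.50.1.10
bind-01 10.50.1.90'
export EXPECTED_SOURCES

# Constructed archive lines: three from pfSense, two from the WLC, and one
# from an address that is not in scope at all.
SAMPLE_ARCHIVE='2026 Feb 26 10:00:01 10.50.1.1->10.50.1.1 <134>Feb 26 10:00:01 filterlog: 5,,,1000000103,igb1,match,block,in,4
2026 Feb 26 10:00:02 10.50.1.1->10.50.1.1 <134>Feb 26 10:00:02 filterlog: 5,,,1000000103,igb1,match,pass,out,4
2026 Feb 26 10:00:03 10.50.1.1->10.50.1.1 <37>Feb 26 10:00:03 sshd[4311]: Accepted publickey for admin from 10.50.1.5
2026 Feb 26 10:00:04 10.50.1.40->10.50.1.40 <189>9800-WLC: %SYS-5-CONFIG_I: Configured from console by admin
2026 Feb 26 10:00:05 10.50.1.40->10.50.1.40 <189>9800-WLC: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up
2026 Feb 26 10:00:06 10.50.1.250->10.50.1.250 <13>Feb 26 10:00:06 unknown-host: test message'

# count_by_source: archive lines on stdin -> "count ip", busiest first.
count_by_source() {
  awk '{ split($5, ends, "->"); seen[ends[1]]++ }
       END { for (ip in seen) printf "%d %s\n", seen[ip], ip }' | sort -rn
}

# histogram [scale]: "count label" lines on stdin -> one █ per `scale` events
# (Pattern 2 from the page, with the bucket width made a parameter).
histogram() {
  awk -v scale="${1:-1}" '{ bar = ""
    for (i = 0; i < $1 / scale; i++) bar = bar "█"
    printf "%6d %s %s\n", $1, bar, $2 }'
}

# coverage_table: archive lines on stdin -> one row per scoped device, marked
# SENDING or SILENT, plus an UNSCOPED row for any sender not in the scope list.
coverage_table() {
  printf '%-12s %-13s %-9s %s\n' DEVICE IP STATUS EVENTS
  awk '
    BEGIN {
      n = split(ENVIRON["EXPECTED_SOURCES"], lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); name[f[2]] = f[1] }
    }
    { split($5, ends, "->"); seen[ends[1]]++ }
    END {
      for (ip in name) {
        cnt = (ip in seen) ? seen[ip] : 0
        printf "%-12s %-13s %-9s %d\n", name[ip], ip, (cnt > 0 ? "SENDING" : "SILENT"), cnt
      }
      for (ip in seen) if (!(ip in name))
        printf "%-12s %-13s %-9s %d\n", "(unknown)", ip, "UNSCOPED", seen[ip]
    }' | LC_ALL=C sort
}

# silent_sources: names of scoped devices with no events, i.e. the PENDING list.
silent_sources() {
  coverage_table | awk '$3 == "SILENT" { print $1 }'
}

echo "=== EVENTS BY SOURCE ==="
printf '%s\n' "$SAMPLE_ARCHIVE" | count_by_source | histogram
echo "=== COVERAGE ==="
printf '%s\n' "$SAMPLE_ARCHIVE" | coverage_table
```

An UNSCOPED row is worth treating as a finding in its own right: either a device was onboarded outside this CR, or something on the network is sending syslog to the collector that nobody configured, and the <allowed-ips> in the manager's <remote> block should be checked against it.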

Key Lessons

Issue                            Solution
pfSense REST API lacks syslog    Use SSH-based PHP execution via netapi
Archives not indexing            Check <logall>yes</logall> and <logall_json>yes</logall_json> in ossec.conf, plus Filebeat status
VyOS lacks Cisco DHCP Option 43  Use DNS CAPWAP discovery for WLC
jq + awk combination             jq for JSON parsing, awk for tabular formatting