Wazuh SIEM Integrations

Configure monitoring sources for Wazuh SIEM: agents for endpoint detection, syslog for network devices, and API integrations for security platforms.

Overview

Wazuh Monitoring Architecture
Source Type       Protocol        Use Case
Wazuh Agent       TCP 1514/1515   Endpoint detection, file integrity, vulnerability scanning
Syslog            UDP 514         Network devices, firewalls, appliances
API Integration   HTTPS REST      Security platform correlation, automated response

Prerequisites

Wazuh uses LoadBalancer VIPs, NOT the k3s node IP!

Service         VIP           Ports              Purpose
wazuh           10.50.1.134   55000, 1515, 514   API, agent registration, syslog
wazuh-workers   10.50.1.133   1514               Agent events
indexer         10.50.1.131   9200               OpenSearch (netapi wazuh queries)
dashboard       10.50.1.132   443                Web UI

DNS entries required:

FQDN                                        IP            Notes
wazuh.inside.domusdigitalis.dev             10.50.1.134   Syslog, API, registration
wazuh-indexer.inside.domusdigitalis.dev     10.50.1.131   OpenSearch queries
wazuh-dashboard.inside.domusdigitalis.dev   10.50.1.132   Web UI (optional)

Get current VIPs:

kubectl get svc -n wazuh -o custom-columns='NAME:.metadata.name,VIP:.status.loadBalancer.ingress[0].ip,PORTS:.spec.ports[*].port'

Before registering agents, confirm:

  • Firewall ports open on k3s-master-01:

    sudo firewall-cmd --list-ports | grep -E "514|1514|1515"

  • Manager accessible:

    nc -zv 10.50.1.134 1515

Phase 1: Wazuh Agents

1.1 Linux Agent (Rocky/RHEL)

Target hosts: vault-01, k3s-master-01, bind-01

# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add repository
cat << 'EOF' | sudo tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
# Install agent
sudo dnf install wazuh-agent -y
# Configure manager address (use Wazuh LoadBalancer VIP)
sudo sed -i 's/MANAGER_IP/10.50.1.134/' /var/ossec/etc/ossec.conf
# Start agent
sudo systemctl daemon-reload
sudo systemctl enable --now wazuh-agent
# Verify
sudo systemctl status wazuh-agent --no-pager

1.2 Linux Agent (Arch)

Target hosts: kvm-01, kvm-02, modestus-razer, modestus-aw, modestus-p50

# Install from AUR
yay -S wazuh-agent
# Configure manager address (use Wazuh LoadBalancer VIP)
sudo sed -i 's/<address>MANAGER_IP<\/address>/<address>10.50.1.134<\/address>/' /var/ossec/etc/ossec.conf
# Start agent
sudo systemctl enable --now wazuh-agent

1.3 Linux Agent (Fedora)

Target hosts: keycloak-01

# Import GPG key
sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
# Add repository
cat << 'EOF' | sudo tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Fedora - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
sudo dnf install wazuh-agent -y
sudo sed -i 's/MANAGER_IP/10.50.1.134/' /var/ossec/etc/ossec.conf
sudo systemctl enable --now wazuh-agent

1.4 Windows Agent

Target hosts: home-dc01

# Download installer
Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.14.3-1.msi -OutFile wazuh-agent.msi
# Install with manager address (use Wazuh LoadBalancer VIP)
msiexec.exe /i wazuh-agent.msi /q WAZUH_MANAGER="10.50.1.134"
# Start service
NET START WazuhSvc
# Verify
Get-Service WazuhSvc

1.5 Verify Agent Registration

On k3s-master-01:

kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/agent_control -l

Expected output:

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager-master-0 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: vault-01, IP: 10.50.1.60, Active
   ID: 002, Name: kvm-01, IP: 10.50.1.99, Active
   ...

Phase 2: Syslog Sources

Syslog requires BOTH logall AND Filebeat archives enabled to be searchable in OpenSearch!

By default:

  1. <logall>no</logall> in the <global> section of ossec.conf → syslog events are not written to archives.log

  2. archives: enabled: false under the wazuh module in filebeat.yml → archives.log is not indexed into OpenSearch

Without both enabled, syslog data is received but NOT searchable via API or Dashboard.
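To see the two settings that gate searchability checked together, here is an added example (not part of this runbook and not Wazuh code) that reads an ossec.conf and a filebeat.yml and reports whether syslog will reach OpenSearch. The sample configs are constructed to mirror the defaults described above; the function names are this example's own, and the check assumes that when <logall> appears more than once the last value is the effective one.

```python
"""Check that syslog events will be searchable: <logall>yes</logall> in
ossec.conf AND archives.enabled: true in filebeat.yml.
Added example, not Wazuh project code; the sample configs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: default ossec.conf global block (syslog NOT archived)
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.50.1.0/24</allowed-ips>
  </remote>
</ossec_config>
"""

# Constructed sample: default Wazuh filebeat.yml module block (archives NOT indexed)
SAMPLE_FILEBEAT_YML = """filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
"""


def logall_enabled(ossec_conf: str) -> bool:
    """True when the effective <logall> value is 'yes'."""
    # ossec.conf holds several top-level <ossec_config> blocks, so wrap them
    # in a dummy root before parsing.
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    values = [(e.text or "").strip().lower() for e in root.iter("logall")]
    # Assumption for this check: if <logall> occurs more than once, the last wins.
    return bool(values) and values[-1] == "yes"


def archives_enabled(filebeat_yml: str) -> bool:
    """True when 'enabled: true' sits directly under the 'archives:' key."""
    # Minimal indentation-aware scan so no PyYAML dependency is needed.
    lines = filebeat_yml.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "archives:":
            indent = len(line) - len(line.lstrip())
            for nxt in lines[i + 1:]:
                if not nxt.strip():
                    continue
                if len(nxt) - len(nxt.lstrip()) <= indent:
                    break  # left the archives block without an 'enabled:' line
                m = re.match(r"\s*enabled:\s*(\S+)", nxt)
                if m:
                    return m.group(1).lower() == "true"
    return False


def syslog_searchable(ossec_conf: str, filebeat_yml: str) -> dict:
    """Report both switches; 'searchable' is only True when both are on."""
    la = logall_enabled(ossec_conf)
    ar = archives_enabled(filebeat_yml)
    return {"logall": la, "archives": ar, "searchable": la and ar}


def enable_logall(ossec_conf: str) -> str:
    """Return ossec.conf with <logall>no</logall> flipped to yes."""
    return re.sub(r"<logall>\s*no\s*</logall>", "<logall>yes</logall>", ossec_conf)


def enable_archives(filebeat_yml: str) -> str:
    """Return filebeat.yml with archives.enabled flipped to true."""
    return re.sub(r"(archives:\s*\n\s*enabled:\s*)false", r"\1true", filebeat_yml)


if __name__ == "__main__":
    print("defaults:", syslog_searchable(SAMPLE_OSSEC_CONF, SAMPLE_FILEBEAT_YML))
    print("fixed:   ", syslog_searchable(enable_logall(SAMPLE_OSSEC_CONF),
                                         enable_archives(SAMPLE_FILEBEAT_YML)))
```

Run it against the real files pulled with kubectl cp from the manager pod and the filebeat container; a result with only one of the two flags set is exactly the "received but not searchable" state described above.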

2.1 pfSense Syslog

Via API (preferred):

dsource d000 dev/network
curl -ks "https://${PFSENSE_HOST}/api/v2/status/logs/settings" \
  -X PATCH \
  -H "X-API-Key: ${PFSENSE_API_SECRET}" \
  -H "Content-Type: application/json" \
  -d '{
    "enableremotelogging": true,
    "remoteserver": "10.50.1.134",
    "logall": true
  }' | jq .

Do NOT include :514 in remoteserver - UDP 514 is the default syslog port. Do NOT include empty remoteserver2/remoteserver3 fields - API rejects them.

Expected response
{
  "code": 200,
  "status": "ok",
  "response_id": "SUCCESS",
  "data": {
    "enableremotelogging": true,
    "remoteserver": "10.50.1.134",
    "logall": true
  }
}
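The two API pitfalls noted above (a ":514" suffix and empty remoteserver2/remoteserver3 keys) are easy to encode as a check before the PATCH is sent. The following is an added example, not pfSense or Wazuh code and not from this runbook; the function names are this example's own, and it assumes the API exposes only the three remoteserver keys shown in the response above.

```python
"""Build the body for PATCH /api/v2/status/logs/settings safely.
Added example, not pfSense code: rejects a ':port' suffix on the server
and never emits empty remoteserver2/remoteserver3 keys."""
import ipaddress
import json
import re

# Hostname check (RFC 1123 labels; no scheme, no port)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def normalize_server(value: str) -> str:
    """Return a bare IPv4 address or hostname; raise ValueError otherwise."""
    value = value.strip()
    if re.fullmatch(r"[^:]+:\d+", value):
        # The page's caveat: UDP 514 is already the default, and ':514' breaks the field.
        raise ValueError(
            f"remoteserver {value!r} must not carry a port; UDP 514 is the default")
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"remoteserver {value!r} is not an IPv4 address or hostname")


def build_remote_logging_payload(servers, logall: bool = True) -> dict:
    """servers: up to three entries; blanks (as the Web UI leaves them) are dropped."""
    cleaned = [normalize_server(s) for s in servers if s and s.strip()]
    if not cleaned:
        raise ValueError("at least one remote syslog server is required")
    if len(cleaned) > 3:
        raise ValueError("only remoteserver, remoteserver2 and remoteserver3 exist")
    payload = {"enableremotelogging": True, "logall": bool(logall)}
    # Only populated keys are sent: the API rejects empty remoteserver2/3.
    for key, srv in zip(("remoteserver", "remoteserver2", "remoteserver3"), cleaned):
        payload[key] = srv
    return payload


def to_json(payload: dict) -> str:
    """Pretty JSON suitable for the curl -d argument."""
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    # Constructed input: the Wazuh VIP plus two untouched (empty) UI fields
    print(to_json(build_remote_logging_payload(["10.50.1.134", "", ""])))
```

Piping the printed body into the curl call above keeps the request identical to the one shown while refusing the two malformed inputs before they reach the firewall.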

Via Web UI (alternative):

  1. Status → System Logs → Settings

  2. Remote Logging Options:

    • Enable Remote Logging: ✓

    • Source Address: Any

    • IP Protocol: IPv4

    • Remote log servers: 10.50.1.134:514

    • Remote Syslog Contents: Everything

Verify on Wazuh:

kubectl exec -n wazuh wazuh-manager-master-0 -- tail -20 /var/ossec/logs/archives/archives.log | grep -i pfsense

2.2 Cisco ISE Syslog

ISE syslog configuration is GUI only - no API endpoint available.

Via ISE GUI:

  1. Administration → System → Logging → Remote Logging Targets

  2. Add new target:

    • Name: wazuh-siem

    • Host/IP: 10.50.1.134

    • Port: 514

    • Facility: LOCAL6

  3. Administration → System → Logging → Logging Categories

  4. Select categories to send (e.g., Failed Attempts, Passed Authentications)

  5. Assign wazuh-siem target to each category

2.3 Cisco Switch Syslog

C9300 Core Switch (10.50.1.10):

Via netapi (preferred):

dsource d000 dev/network
netapi ios -H 10.50.1.10 config \
  "logging host 10.50.1.134" \
  "logging trap informational" \
  "logging source-interface Vlan100" \
  "logging facility local6" \
  --save

Via SSH (manual):

configure terminal
logging host 10.50.1.134
logging trap informational
logging source-interface Vlan100
logging facility local6
end
write memory

Verify:

netapi ios -H 10.50.1.10 run "show logging | inc 10.50.1.134"

2.4 Cisco WLC Syslog

9800-CL WLC (10.50.1.40):

Via netapi (preferred):

dsource d000 dev/network
netapi wlc config \
  "logging host 10.50.1.134" \
  "logging trap informational" \
  --save

Via SSH (manual):

configure terminal
logging host 10.50.1.134
logging trap informational
end
write memory

Verify:

netapi wlc run "show logging | inc 10.50.1.134"

2.5 Synology NAS Syslog

Via DSM Web UI:

  1. Control Panel → Log Center → Log Sending

  2. Send logs to syslog server: ✓

  3. Server: 10.50.1.134

  4. Port: 514

  5. Protocol: UDP

  6. Format: BSD (RFC 3164)

2.6 Secure Syslog (TLS) with Vault PKI

For sensitive environments, configure TLS-encrypted syslog using Vault PKI certificates.

2.6.1 Issue Certificate for Wazuh

vault write pki_int/issue/domus-server \
  common_name="wazuh.inside.domusdigitalis.dev" \
  alt_names="wazuh-manager.inside.domusdigitalis.dev" \
  ttl="8760h" > /tmp/wazuh-syslog.json
jq -r '.data.certificate' /tmp/wazuh-syslog.json > /tmp/wazuh-syslog.crt
jq -r '.data.private_key' /tmp/wazuh-syslog.json > /tmp/wazuh-syslog.key
jq -r '.data.ca_chain[]' /tmp/wazuh-syslog.json > /tmp/wazuh-ca-chain.crt

2.6.2 Configure Wazuh TLS Syslog Receiver

Copy certs to Wazuh manager:

kubectl cp /tmp/wazuh-syslog.crt wazuh/wazuh-manager-master-0:/var/ossec/etc/sslmanager.cert
kubectl cp /tmp/wazuh-syslog.key wazuh/wazuh-manager-master-0:/var/ossec/etc/sslmanager.key

Add TLS syslog listener to ossec.conf:

kubectl exec -n wazuh wazuh-manager-master-0 -- sed -i '/<\/ossec_config>/i \
  <remote>\
    <connection>secure</connection>\
    <port>6514</port>\
    <protocol>tcp</protocol>\
  </remote>' /var/ossec/etc/ossec.conf

Restart manager:

kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/wazuh-control restart

2.6.3 Configure ISE for TLS Syslog

  1. Administration → System → Certificates → Trusted Certificates

  2. Import wazuh-ca-chain.crt (DOMUS-ISSUING-CA + DOMUS-ROOT-CA)

  3. Administration → System → Logging → Remote Logging Targets

  4. Edit wazuh-siem target:

    • Port: 6514

    • Protocol: TCP

    • Enable Secure Syslog: ✓

  5. Save and test

2.6.4 Firewall Update

ssh k3s-master-01 "sudo firewall-cmd --add-port=6514/tcp --permanent && sudo firewall-cmd --reload"

Phase 3: API Integrations

3.1 ISE API Integration

Wazuh can pull ISE data via ERS/OpenAPI for:

  • Active sessions correlation

  • Endpoint posture status

  • Authentication failures

Create integration script:

cat << 'EOF' | kubectl exec -i -n wazuh wazuh-manager-master-0 -- tee /var/ossec/integrations/custom-ise.py
#!/usr/bin/env python3
"""
ISE API integration for Wazuh
Pulls authentication failures and correlates with Wazuh alerts
"""

import json
import os
import sys
import requests
from requests.auth import HTTPBasicAuth
import urllib3
urllib3.disable_warnings()  # silence InsecureRequestWarning for verify=False below

ISE_HOST = os.environ.get("ISE_HOST", "10.50.1.20")  # {ise-01-ip}
ISE_USER = os.environ.get("ISE_USER", "admin")  # Use read-only API account
ISE_PASS = os.environ.get("ISE_PASS", "")  # Set via dsource d000 dev/network

def get_failed_auths():
    """Query the ISE ERS API and return the parsed JSON body, or an error dict."""
    url = f"https://{ISE_HOST}:9060/ers/config/failedauthentication"
    headers = {"Accept": "application/json"}
    try:
        r = requests.get(url, auth=HTTPBasicAuth(ISE_USER, ISE_PASS),
                         headers=headers, verify=False, timeout=30)
        r.raise_for_status()  # report HTTP errors (401, 404, ...) instead of failing in .json()
        return r.json()
    except Exception as e:
        return {"error": str(e)}

if __name__ == "__main__":
    if not ISE_PASS:
        sys.exit("ISE_PASS is not set; export it before running this integration")
    result = get_failed_auths()
    print(json.dumps(result))
EOF

Full ISE integration requires configuring Wazuh’s integration framework. See Wazuh documentation for custom integrations.

3.2 pfSense API Integration

Use netapi for pfSense correlation:

# Example: Get blocked connections from pfSense
dsource d000 dev/network
netapi pfsense firewall-log --blocked --limit 50

3.3 Vault API Integration

Monitor Vault audit logs:

Vault audit logs can be sent to Wazuh via syslog or file monitoring.

On vault-01:

# Vault audit is at /var/log/vault/audit.log
# Add to ossec.conf for file monitoring
sudo tee -a /var/ossec/etc/ossec.conf << 'EOF'

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/vault/audit.log</location>
  </localfile>
</ossec_config>
EOF
sudo systemctl restart wazuh-agent

Phase 4: Custom Rules

4.1 ISE Authentication Failures

On k3s-master-01:

kubectl exec -i -n wazuh wazuh-manager-master-0 -- tee -a /var/ossec/etc/rules/local_rules.xml << 'EOF'

<!-- ISE Authentication Failures -->
<group name="ise,authentication,">
  <rule id="100100" level="5">
    <decoded_as>syslog</decoded_as>
    <match>RADIUS: Authentication failed</match>
    <description>ISE: RADIUS authentication failed</description>
  </rule>

  <rule id="100101" level="10" frequency="5" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip/>
    <description>ISE: Multiple authentication failures from same source</description>
  </rule>
</group>
EOF

4.2 pfSense Firewall Blocks

kubectl exec -i -n wazuh wazuh-manager-master-0 -- tee -a /var/ossec/etc/rules/local_rules.xml << 'EOF'

<!-- pfSense Firewall -->
<group name="pfsense,firewall,">
  <rule id="100200" level="3">
    <decoded_as>syslog</decoded_as>
    <match>filterlog:</match>
    <match>block</match>
    <description>pfSense: Firewall block</description>
  </rule>

  <rule id="100201" level="8" frequency="20" timeframe="60">
    <if_matched_sid>100200</if_matched_sid>
    <same_source_ip/>
    <description>pfSense: Potential port scan detected</description>
  </rule>
</group>
EOF
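To see how the two rule groups above behave before loading them, here is an added example (not Wazuh code and not part of this runbook) that replays constructed archive lines through a simplified model of the matching: a base rule fires when all its <match> strings appear in the message, and a composite rule fires when `frequency` parent matches from the same source land within `timeframe` seconds. Simplifications to note: "same source" is taken as the syslog sender after "->" rather than a decoded srcip field, the composite fires at exactly `frequency` hits and then resets its window, and the two <match> tags of rule 100200 are treated as AND; confirm the real engine's counting with wazuh-logtest.

```python
"""Replay the local_rules.xml groups (100100/100101, 100200/100201) over
constructed archives.log lines. Added example, not Wazuh code: a simplified
model of analysisd where 'same source' is the syslog sender after '->'."""
import re
from collections import deque
from datetime import datetime

# Constructed sample in archives.log layout: "YYYY Mon DD HH:MM:SS host->sender message"
SAMPLE_ARCHIVES = """\
2025 Jan 10 11:50:00 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 11:50:00 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:01 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:01 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:03 wazuh-manager-master-0->10.50.1.1 <134>Jan 10 12:00:03 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,10.50.1.1,51234,22
2025 Jan 10 12:00:05 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:05 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:09 wazuh-manager-master-0->10.50.1.1 <134>Jan 10 12:00:09 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,10.50.1.1,51235,23
2025 Jan 10 12:00:10 wazuh-manager-master-0->df ossec: output: 'df -P': Filesystem 1024-blocks Used Available Capacity Mounted on
2025 Jan 10 12:00:12 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:12 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:15 wazuh-manager-master-0->10.50.1.1 <134>Jan 10 12:00:15 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,10.50.1.1,51236,25
2025 Jan 10 12:00:18 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:18 ise-01 CISE_Passed_Authentications RADIUS: Authentication succeeded User-Name=asmith
2025 Jan 10 12:00:20 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:20 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:28 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:28 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
2025 Jan 10 12:00:35 wazuh-manager-master-0->10.50.1.20 <182>Jan 10 12:00:35 ise-01 CISE_Failed_Attempts RADIUS: Authentication failed User-Name=jdoe
"""

LINE_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+)->(\S+) (.*)$")

# Base rules from local_rules.xml: (id, level, substrings that must all appear)
BASE_RULES = [
    (100100, 5, ("RADIUS: Authentication failed",)),
    (100200, 3, ("filterlog:", "block")),
]
# Composite rules: (id, level, parent id, frequency, timeframe in seconds)
COMPOSITE_RULES = [
    (100101, 10, 100100, 5, 60),
    (100201, 8, 100200, 20, 60),
]


def parse_line(line):
    """Return (timestamp, sender, message) or None for lines not in archive layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(4)


def evaluate(lines):
    """Return the list of (rule_id, level, sender) alerts raised, in order."""
    alerts = []
    windows = {}  # (composite id, sender) -> deque of parent-match timestamps
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, msg = parsed
        for rid, level, needles in BASE_RULES:
            if not all(n in msg for n in needles):
                continue
            alerts.append((rid, level, sender))
            for cid, clevel, parent, freq, timeframe in COMPOSITE_RULES:
                if parent != rid:
                    continue
                win = windows.setdefault((cid, sender), deque())
                win.append(ts)
                # Drop parent matches that fell out of the timeframe
                while win and (ts - win[0]).total_seconds() > timeframe:
                    win.popleft()
                if len(win) >= freq:
                    alerts.append((cid, clevel, sender))
                    win.clear()  # reset so one burst raises one composite alert
    return alerts


def count_by_rule(alerts):
    """Histogram of alerts per rule id."""
    counts = {}
    for rid, _, _ in alerts:
        counts[rid] = counts.get(rid, 0) + 1
    return counts


if __name__ == "__main__":
    for rid, level, sender in evaluate(SAMPLE_ARCHIVES.splitlines()):
        print(f"rule {rid} level {level} from {sender}")
    print(count_by_rule(evaluate(SAMPLE_ARCHIVES.splitlines())))
```

On the sample, the failure at 11:50 falls outside the 60-second window, so the six failures between 12:00:01 and 12:00:35 produce one level-10 alert at the fifth hit; the three pfSense blocks stay at level 3 because they never reach the frequency of 20. Adjusting `frequency` and `timeframe` in the tables above is a quick way to reason about noise before touching the manager.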

4.3 Restart Manager

kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/wazuh-control restart

Verification

Agent Status

kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/agent_control -l | awk '/Active/{count++} END{print "Active agents:", count}'

Recent Alerts

kubectl exec -n wazuh wazuh-manager-master-0 -- tail -50 /var/ossec/logs/alerts/alerts.json | jq -r '.rule.description' | sort | uniq -c | sort -rn | head -10

Syslog Sources

kubectl exec -n wazuh wazuh-manager-master-0 -- awk -F'->' '{print $2}' /var/ossec/logs/archives/archives.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -10

Troubleshooting

Agent Not Connecting

# On agent host
sudo /var/ossec/bin/wazuh-control status
sudo tail -50 /var/ossec/logs/ossec.log
# Check connectivity (use Wazuh LoadBalancer VIP)
nc -zv 10.50.1.134 1515  # Registration
nc -zv 10.50.1.133 1514  # Agent events (workers service)

Syslog Not Arriving

# Check if syslog port is listening
kubectl exec -n wazuh wazuh-manager-master-0 -- ss -ulnp | grep 514
# Test syslog send (use Wazuh LoadBalancer VIP)
echo "<14>Test message from $(hostname)" | nc -u 10.50.1.134 514

Rules Not Triggering

# Test rule syntax
kubectl exec -n wazuh wazuh-manager-master-0 -- /var/ossec/bin/wazuh-logtest

Paste sample log and verify rule matches.

Quick Reference

Task              Command                                   Location
List agents       /var/ossec/bin/agent_control -l           Manager pod
Agent status      systemctl status wazuh-agent              Agent host
View alerts       tail /var/ossec/logs/alerts/alerts.json   Manager pod
Test rules        /var/ossec/bin/wazuh-logtest              Manager pod
Restart manager   /var/ossec/bin/wazuh-control restart      Manager pod

Syslog Analysis Commands

Via netapi (preferred)

# Count events by source (last 24h)
netapi wazuh sources

# Recent events with filtering
netapi wazuh recent --source 10.50.1.10 --limit 20

Direct kubectl

Count by syslog source IP:

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  awk -F'->' '{print \$2}' /var/ossec/logs/archives/archives.log | \
  awk '{print \$1}' | sort | uniq -c | sort -rn"

Example output:
   4850 10.50.1.1      # pfSense
    859 df             # Disk check
     23 10.50.1.20     # ISE
     12 10.50.1.10     # Switch
      1 10.50.1.40     # WLC

Filter by device:

# WLC logs
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep '10.50.1.40' /var/ossec/logs/archives/archives.log | tail -10"

# Switch logs
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep '10.50.1.10' /var/ossec/logs/archives/archives.log | tail -10"

# ISE authentication events
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep 'CISE_Passed_Authentications\|CISE_Failed_Attempts' /var/ossec/logs/archives/archives.log | tail -10"

Recent raw logs:

ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  tail -100 /var/ossec/logs/archives/archives.log"

Filter by log type:

# Firewall blocks only
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep 'filterlog.*block' /var/ossec/logs/archives/archives.log | tail -20"

# 802.1X failures
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep 'DOT1X.*FAIL' /var/ossec/logs/archives/archives.log | tail -10"

# Wireless client events
ssh k3s-master-01 "kubectl exec -n wazuh wazuh-manager-master-0 -- \
  grep 'CLIENT_ORCH_LOG' /var/ossec/logs/archives/archives.log | tail -10"