Tags: Wazuh, Syslog, rsyslog, Agentless, SIEM, Networking

Monitor Agentless Devices in Wazuh with Syslog

Monitor routers, switches, NAS and agentless devices using rsyslog as a collector. Complete setup with templates, filters and Wazuh integration.

Background

To monitor agentless devices (routers, switches, NAS, firewalls) in Wazuh, stand up a Linux host with rsyslog as a syslog collector: each device sends its logs to the collector on port 514 (UDP or TCP), rsyslog writes them to per-source files under /var/log/remote/, and the Wazuh agent installed on the collector tails those files and forwards them to the Wazuh manager.

What does the architecture of the solution look like?

Agentless devices  -----> Linux + rsyslog  -----> Wazuh Server
(routers, switches)       (Syslog Collector)      (SIEM)
        |                        |
   UDP/TCP 514           /var/log/remote/
Video: Monitoring Agentless Devices in Wazuh (20 minutes, complete setup)


How do you install and configure rsyslog?

On the Linux server that will act as the collector, install rsyslog (already present on most Debian/Ubuntu systems) and enable the UDP and TCP listeners, which the stock /etc/rsyslog.conf ships commented out. Binding port 514 needs root; the Debian rsyslog service runs as root, so no extra step is required. After the restart, confirm with ss that rsyslog is listening on 514/udp and 514/tcp before pointing any device at it.

# Install rsyslog
apt update && apt install rsyslog -y

# Edit /etc/rsyslog.conf and uncomment:
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Restart the service
systemctl restart rsyslog && systemctl enable rsyslog

How do you configure the firewall with iptables?

Allow connections to port 514 only from the devices that are supposed to send logs, and drop everything else. Two caveats: UDP source addresses are trivially spoofed, so the allow-list limits who can fill the disk with junk but does not authenticate senders (use TCP, or TLS where the device supports it, for that); and a blanket DROP also blocks tests sent from the collector itself unless loopback traffic is allowed first.

# Allow from specific devices (one udp + one tcp rule per device)
iptables -A INPUT -p udp -s 192.168.1.1 --dport 514 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.1 --dport 514 -j ACCEPT

# Block everything else. Order matters: -A appends, so these must come
# after every ACCEPT, and they also drop tests from 127.0.0.1 unless
# loopback is accepted above them.
iptables -A INPUT -p udp --dport 514 -j DROP
iptables -A INPUT -p tcp --dport 514 -j DROP

# Save the rules (the installer asks whether to save current rules; either
# answer yes or run the explicit save)
apt install iptables-persistent -y && netfilter-persistent save
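Hand-typing one rule pair per device does not scale past a handful of senders, and appending to INPUT on every re-run leaves duplicate rules behind. The script below is an added example (not from the original page) in POSIX shell that builds the same allow-list from a device inventory file. It assumes a constructed inventory format of one "IP comment" per line, validates each address so a typo cannot abort iptables half-way through the list, and puts the rules into a dedicated SYSLOG_IN chain that is flushed and rebuilt on each run. The loopback ACCEPT is there so a local test message is not caught by the final DROP.

```shell
#!/bin/sh
# Added example (not from the original page): generate the port-514 allow-list
# from a device inventory instead of hand-typing one rule pair per device.
# Assumed (constructed) inventory format: one "IP comment" per line, '#' lines
# ignored. Rules go into a dedicated SYSLOG_IN chain so re-running the script
# replaces the list instead of appending duplicates to INPUT.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0-255, else 1.
# A malformed entry would otherwise make iptables abort half-way through.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# syslog_rules INVENTORY -> iptables commands on stdout (pipe into sh to apply)
syslog_rules() {
    inv=$1
    # Create the chain on first run, flush it on later runs
    echo 'iptables -N SYSLOG_IN 2>/dev/null || iptables -F SYSLOG_IN'
    # Divert syslog traffic into the chain; -C makes the jump rule idempotent
    for proto in udp tcp; do
        echo "iptables -C INPUT -p $proto --dport 514 -j SYSLOG_IN 2>/dev/null || \\"
        echo "    iptables -A INPUT -p $proto --dport 514 -j SYSLOG_IN"
    done
    # Keep loopback open or local 'logger -n 127.0.0.1' tests hit the DROP too
    echo 'iptables -A SYSLOG_IN -i lo -j ACCEPT'
    grep -v '^[[:space:]]*#' "$inv" | while read -r ip comment; do
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid inventory entry: $ip" >&2
            continue
        fi
        for proto in udp tcp; do
            echo "iptables -A SYSLOG_IN -p $proto -s $ip --dport 514 -j ACCEPT  # $comment"
        done
    done
    # Everything else that reached the chain is unauthorised
    echo 'iptables -A SYSLOG_IN -j DROP'
}
```

Apply it with `syslog_rules devices.txt | sh && netfilter-persistent save`. The list is keyed on source IP, so a spoofed UDP datagram still passes; the chain bounds who can write into /var/log/remote, it does not authenticate anyone.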

How do you organize logs with templates and filters?

Configure rsyslog to write each source (NAS, router, switch) to its own file using templates and if filters. Route on $fromhost-ip, which rsyslog takes from the socket, rather than on message content wherever you can: a match on "NAS:" depends on the device's log format and fires for any sender that happens to include that string. Keep the syslog tag (program name) in the output format, since Wazuh's syslog decoders match on it. Messages from remote hosts that match no filter fall through to the default rules and end up in /var/log/syslog.

# Templates for organized logs (RainerScript object syntax, rsyslog 7+)
template(name="NASLogs"    type="string" string="/var/log/remote/nas.log")
template(name="RouterLogs" type="string" string="/var/log/remote/router.log")
# Keep %syslogtag% so the program name survives; the built-in
# RSYSLOG_TraditionalFileFormat is the equivalent with extra space handling
template(name="LogFormat"  type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# Conditional filters: only messages that did not originate locally
if $fromhost-ip != '127.0.0.1' then {
    # Content match: brittle, only if the device cannot be identified by IP
    if $msg contains "NAS:" then {
        action(type="omfile" dynaFile="NASLogs" template="LogFormat")
        stop
    }
    # Source-IP match: preferred, the address comes from the socket
    if $fromhost-ip == '192.168.1.1' then {
        action(type="omfile" dynaFile="RouterLogs" template="LogFormat")
        stop
    }
}

How do you integrate the syslog logs with Wazuh?

Add the new files to the Wazuh agent on the collector so its logcollector tails them and forwards them to the manager. The syslog log_format expects the "timestamp hostname tag: message" header that the rsyslog template writes. ossec.conf may contain more than one <ossec_config> block; the <localfile> entries can go in any of them, and <location> accepts wildcards (for example /var/log/remote/*.log) if you prefer one entry for all device files.

# Edit /var/ossec/etc/ossec.conf
# Add inside <ossec_config>:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/remote/nas.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/remote/router.log</location>
</localfile>

# Restart the agent
systemctl restart wazuh-agent
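The template and filter section and the Wazuh agent step above can be applied as one script. The following is an added example in POSIX shell, not code from the page or from the Wazuh or rsyslog projects. It generalizes the per-device rules: both listeners are bound to a dedicated ruleset so remote messages never fall into the local /var/log files, every sender gets its own file keyed on FROMHOST-IP (a property rsyslog fills from the socket, so a forged hostname field cannot steer the path), a named override is kept for the router address 192.168.1.1 from the page, the agent is pointed at the directory with a wildcard <localfile> inserted idempotently before </ossec_config>, and a smoke test sends a message to the collector itself. Assumptions: rsyslog 7+ (RainerScript), a Wazuh agent under /var/ossec, util-linux logger, and loopback traffic to 514 permitted by the firewall.

```shell
#!/bin/sh
# Added example (not from the original page): install the rsyslog routing in
# RainerScript form, wire the files into the Wazuh agent, and smoke-test.
# Assumes rsyslog 7+, a Wazuh agent under /var/ossec, util-linux logger, and
# the router address 192.168.1.1 used on the page.

# Write DIR/30-remote.conf (DIR is /etc/rsyslog.d on the collector). Both
# inputs are bound to one ruleset, so no "$fromhost-ip != 127.0.0.1" guard
# is needed and nothing remote leaks into the default rules.
write_remote_conf() {  # write_remote_conf DIR
    cat > "$1/30-remote.conf" <<'EOF'
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Keep %syslogtag% (program name): Wazuh's syslog decoders match on it
template(name="RemoteFmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")
# One file per sender. FROMHOST-IP comes from the socket, not the message,
# so a spoofed hostname field cannot steer the path; new devices need no rule.
template(name="RemoteByIP" type="string"
         string="/var/log/remote/%FROMHOST-IP%.log")

ruleset(name="remote") {
    # Named file for a known device (assumed router address from the page)
    if $fromhost-ip == '192.168.1.1' then {
        action(type="omfile" file="/var/log/remote/router.log" template="RemoteFmt")
        stop
    }
    action(type="omfile" dynaFile="RemoteByIP" template="RemoteFmt")
    stop
}
EOF
}

# Insert a <localfile> block before the first </ossec_config> unless that
# location is already present; rewrite in place so owner/mode are preserved.
add_localfile() {  # add_localfile OSSEC_CONF LOCATION
    conf=$1; loc=$2
    grep -Fq "<location>$loc</location>" "$conf" && return 0
    tmp=$(mktemp)
    awk -v loc="$loc" '
        /<\/ossec_config>/ && !done {
            print "  <localfile>"
            print "    <log_format>syslog</log_format>"
            print "    <location>" loc "</location>"
            print "  </localfile>"
            done = 1
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Check the UDP listener, send one tagged message to ourselves, and confirm
# it landed in the per-IP file for 127.0.0.1.
smoke_test() {
    ss -lun | grep -q ':514 ' || { echo "no UDP listener on 514" >&2; return 1; }
    marker="collector-smoke-$$"
    logger -n 127.0.0.1 -P 514 -d -t "$marker" "syslog collector smoke test"
    sleep 1
    grep -q "$marker" /var/log/remote/127.0.0.1.log
}

# Only acts on the live system when run as: RUN_SETUP=1 sh setup_collector.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
    write_remote_conf /etc/rsyslog.d
    mkdir -p /var/log/remote
    add_localfile /var/ossec/etc/ossec.conf '/var/log/remote/*.log'
    systemctl restart rsyslog wazuh-agent
    smoke_test && echo "collector OK: see /var/log/remote/127.0.0.1.log"
fi
```

The wildcard <location> means files for devices that start sending later are picked up without touching the agent again; Wazuh re-evaluates wildcards periodically. The smoke test message arrives from 127.0.0.1, so it lands in the per-IP file rather than in router.log, which also confirms that the catch-all action works.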

What does the full log flow look like?

  1. The device (NAS, router, etc.) sends logs to port 514
  2. rsyslog receives and filters them according to the configured rules
  3. The logs are written to separate files
  4. The Wazuh agent monitors those files
  5. The agent forwards them to the Wazuh manager, where decoders and rules process them and raise alerts

Which devices are compatible with this method?

  • Routers: Cisco, MikroTik, Ubiquiti
  • Switches: HP, Dell, Cisco
  • Firewalls: pfSense, FortiGate, OPNsense
  • NAS: Synology, QNAP, TrueNAS
  • Network printers with syslog support
  • IoT devices and legacy systems

