Why rsyslog to Wazuh?
Wazuh normally collects logs through its own agent, but there are situations where syslog forwarding makes more sense:
- The host can’t run the Wazuh agent (embedded systems, appliances, immutable OSes)
- You want visibility fast without deploying an agent
- You’re forwarding from network devices that only speak syslog
- You need a lightweight option for lab or training environments
- To get logs off the host immediately, so an attacker who compromises it can’t erase what has already been shipped (plain syslog does nothing to protect messages in transit, so this is about preserving evidence, not confidentiality)
rsyslog gives you a quick path to centralized log collection with minimal footprint on the client.
Prerequisites
- A running Wazuh server (this guide uses Wazuh 4.x)
- A Linux client with rsyslog installed
- Network connectivity between client and server on port 514 (TCP and/or UDP, matching the listeners you enable on the server)
Installing rsyslog
# RHEL/Fedora/CentOS
sudo dnf install rsyslog
sudo systemctl enable --now rsyslog
# Ubuntu/Debian
sudo apt install rsyslog
sudo systemctl enable --now rsyslog
Ubuntu and Debian typically ship rsyslog by default, but it doesn’t hurt to verify.
Fedora CoreOS note: FCOS is an immutable OS — it uses journald by default
and doesn’t ship rsyslog. Install it with rpm-ostree install rsyslog and
reboot. The rsyslog config file and installation can be baked into a
Butane/Ignition config for reproducible deployments.
Client Configuration
Create a forwarding config file on the client:
sudo tee /etc/rsyslog.d/wazuh.conf > /dev/null << 'EOF'
# Forward auth/security logs to Wazuh via TCP (reliable delivery)
auth,authpriv.* @@wazuh.example.com:514
# Forward everything else via UDP (broader visibility).
# The ".none" exclusion stops auth messages from being sent a second time.
*.*;auth,authpriv.none @wazuh.example.com:514
EOF
Replace wazuh.example.com with your Wazuh server’s hostname or IP.
TCP vs UDP
- @@ = TCP — use this for auth logs where you can’t afford to drop messages
- @ = UDP — fine for general system logs where occasional loss is acceptable
You can forward everything over TCP if you prefer reliability across the board:
*.* @@wazuh.example.com:514
Restart rsyslog
sudo systemctl restart rsyslog
Server Configuration
By default, Wazuh only listens for agent connections on port 1514. You need to explicitly enable syslog listeners.
Edit /var/ossec/etc/ossec.conf on the Wazuh server and add these <remote>
blocks (after the existing <remote> section):
<!-- Syslog listener - TCP -->
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>172.16.1.0/24</allowed-ips>
</remote>
<!-- Syslog listener - UDP -->
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>172.16.1.0/24</allowed-ips>
</remote>
Adjust <allowed-ips> to match your network. You can use a single IP
(172.16.1.20), a subnet (172.16.1.0/24), or any (not recommended). Repeat the
<allowed-ips> element to allow more than one address or range.
Restart the Wazuh manager:
sudo systemctl restart wazuh-manager
Verification
1. Test from the client
Send a test log message:
logger -p auth.info "Test syslog forwarding to Wazuh"
2. Check rsyslog is sending
sudo systemctl status rsyslog
Look for any errors related to the remote destination. If the server is unreachable, rsyslog will log connection failures.
3. Check Wazuh is receiving
On the Wazuh server, check the archives log. It is only written when <logall>yes</logall> is set in the <global> section of ossec.conf (off by default), so enable that first if you want to see raw events:
sudo tail -f /var/ossec/logs/archives/archives.log
You should see your test message appear. If you’re using the Wazuh dashboard, check under Security events; only messages that matched a rule show up there, with the source IP of your client as the location.
4. Trigger a real event
Generate a failed SSH login to confirm auth logs flow end to end:
ssh baduser@localhost
# Type any password, let it fail
Then check the Wazuh dashboard for the corresponding alert.
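A way to probe the listener without involving the client’s rsyslog at all, as an added example that is not part of the original post: the script below builds an RFC 3164 line by hand (the same shape rsyslog’s default forwarding template puts on the wire) and pushes it at the manager over TCP or UDP. If this arrives but rsyslog’s traffic doesn’t, the problem is the client config; if neither arrives, look at the firewall or <allowed-ips>. The host name, port and the "probe" tag are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hand-craft a syslog line and
# send it straight to the Wazuh syslog listener, bypassing local rsyslog.
set -eu

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
syslog_facility() {
  case "$1" in
    kern) echo 0;; user) echo 1;; mail) echo 2;; daemon) echo 3;;
    auth) echo 4;; syslog) echo 5;; lpr) echo 6;; news) echo 7;;
    uucp) echo 8;; cron) echo 9;; authpriv) echo 10;; ftp) echo 11;;
    local[0-7]) echo $(( 16 + ${1#local} ));;
    *) echo "unknown facility: $1" >&2; return 1;;
  esac
}

syslog_severity() {
  case "$1" in
    emerg) echo 0;; alert) echo 1;; crit) echo 2;; err) echo 3;;
    warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
    *) echo "unknown severity: $1" >&2; return 1;;
  esac
}

# Fails cleanly on an unknown name instead of producing a broken PRI.
syslog_pri() {
  local f s
  f=$(syslog_facility "$1") || return 1
  s=$(syslog_severity "$2") || return 1
  echo $(( f * 8 + s ))
}

# Build "<PRI>Mmm dd HH:MM:SS host tag: message".
# Arguments: facility severity timestamp host tag message
syslog_frame() {
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# Send one frame. TCP frames are newline-delimited (what @@ sends); UDP is
# one datagram per message (what @ sends). Uses bash's /dev/tcp and /dev/udp.
# Arguments: proto(tcp|udp) host port facility severity message
syslog_probe() {
  local proto="$1" host="$2" port="$3" frame
  frame=$(syslog_frame "$4" "$5" "$(date '+%b %e %H:%M:%S')" "$(hostname -s)" probe "$6")
  printf '%s\n' "$frame" > "/dev/$proto/$host/$port"
}

# Usage: ./syslog-probe.sh tcp wazuh.example.com 514 "probe from client"
if [ $# -ge 3 ]; then
  syslog_probe "$1" "$2" "$3" auth info "${4:-syslog probe}"
fi
```

Where util-linux logger is installed, logger -n wazuh.example.com -P 514 -T -p auth.info "probe" does the same job from a single command (drop -T for UDP); the script is for hosts that lack it or for seeing exactly what goes on the wire.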
Troubleshooting
No logs arriving at Wazuh:
- Verify port 514 is open on the server firewall (firewall-cmd --list-ports) and that the manager is actually listening on it (ss -tulnp | grep 514; without the u flag ss hides the UDP listener)
- Check that <allowed-ips> matches the client’s IP
- Confirm rsyslog is running on the client: systemctl status rsyslog
- Check for DNS resolution issues if using a hostname; try the IP address instead
Logs arrive but no alerts in dashboard:
- Syslog messages only land in the archives when <logall>yes</logall> is set in the <global> section of ossec.conf; with that set, check /var/ossec/logs/archives/archives.log
- Wazuh needs a matching decoder and rule to generate an alert. Standard sshd messages are decoded out of the box, but an arbitrary logger test line will not raise an alert on its own
rsyslog queuing warnings:
- With the defaults, rsyslog suspends the forwarding action while the Wazuh server is unreachable and discards messages it cannot deliver; nothing is written to disk, so a restart of rsyslog during the outage loses the backlog
- For persistent (disk-assisted) queuing, add these directives to /etc/rsyslog.d/wazuh.conf, placed above the @@ action line they apply to (legacy $Action* directives only affect the next action):
$ActionQueueType LinkedList
$ActionQueueFileName wazuh_fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
The queue file is created under rsyslog’s work directory ($WorkDirectory, typically /var/spool/rsyslog or /var/lib/rsyslog depending on the distribution).
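The same client setup in modern RainerScript form, covering both the forwarding rules from the Client Configuration section and the disk-assisted queue above in one file, as an added example that is not from the original post. It also adds the config-parse check (rsyslogd -N1) that the install steps skip. The server name, the queue file name wazuh_fwd and the 512m disk cap are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render and install
# /etc/rsyslog.d/wazuh.conf in RainerScript form with a disk-assisted queue
# on the TCP auth-log action, then parse-check before restarting.
set -eu

# Print the config for the given Wazuh host. Auth/authpriv go over TCP with
# an on-disk queue; everything else goes over UDP, with auth excluded so it
# is not sent twice. Assumed values: queue name wazuh_fwd, 512m disk cap.
render_wazuh_conf() {
  local server="$1" port="${2:-514}"
  cat <<EOF
# Auth/security logs: TCP with a disk-assisted queue. LinkedList gives an
# async in-memory queue; queue.filename lets it spill to the rsyslog work
# directory; saveOnShutdown flushes it on stop; resumeRetryCount=-1 keeps
# retrying instead of discarding.
auth,authpriv.* action(type="omfwd"
    target="$server" port="$port" protocol="tcp"
    queue.type="LinkedList"
    queue.filename="wazuh_fwd"
    queue.maxDiskSpace="512m"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)

# Everything else: UDP, best effort. The .none exclusion keeps auth
# messages from being sent a second time.
*.*;auth,authpriv.none action(type="omfwd"
    target="$server" port="$port" protocol="udp"
)
EOF
}

# Write the config, check that the full rsyslog configuration still parses,
# and only then restart. rsyslogd -N1 reads rsyslog.conf plus rsyslog.d and
# exits non-zero on a syntax error, so a typo never takes logging down.
install_wazuh_conf() {
  local server="$1" conf=/etc/rsyslog.d/wazuh.conf
  render_wazuh_conf "$server" > "$conf"
  rsyslogd -N1
  systemctl restart rsyslog
}

# Usage: ./wazuh-fwd.sh --render wazuh.example.com   (preview)
#        sudo ./wazuh-fwd.sh --install wazuh.example.com
case "${1:-}" in
  --render)  render_wazuh_conf "${2:?server}" ;;
  --install) install_wazuh_conf "${2:?server}" ;;
esac
```

The queue file lands in rsyslog’s work directory as with the legacy directives, so check that $WorkDirectory (or global(workDirectory=...)) is set in the distribution’s rsyslog.conf; on Debian and RHEL families it is.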
rsyslog vs Wazuh Agent
| | rsyslog | Wazuh Agent |
|---|---|---|
| Setup | Drop-in config file | Install package, register with server |
| Log collection | Syslog messages (other files only with extra imfile configuration) | Syslog + custom log files |
| File integrity | No | Yes (FIM) |
| Rootkit detection | No | Yes |
| Vulnerability scan | No | Yes |
| Active response | No | Yes (block IPs, kill processes) |
| Overhead | Minimal | Light but more than rsyslog |
Use rsyslog when you need quick, lightweight log forwarding. Use the Wazuh agent when you want the full feature set.