-
Hello, thanks in advance.
Replies: 4 comments 2 replies
-
Hello @AjDenning,

You can verify if the Wazuh manager is listening on port 514 with:

    netstat -tunap | grep :514

If you see it there, the transmitted message isn't triggering any alert. You may see the message with:

    tcpdump -i any port 514 -AA

By default, Wazuh has decoders (0575-eset-remote_decoders.xml) and rules (0925-eset-remote_rules.xml) for ESET, but we will need to verify if they match the format of the logs you're receiving.

Finally, I would like to remind you that there is a documentation article to forward syslog events to Wazuh step by step: Forward syslog events - Your environment · Wazuh documentation

Please let me know if you have any remaining questions.
-
Hey @mdiego92
-
Hello @AjDenning,

Great! Then you can confirm if you're properly receiving ESET logs with these commands:

If you don't see any events with the second command, it means that the logs you're receiving do not match rules and decoders. In that case, please enable the

Once you collect these logs, please share them with me so I can assist you with the decoders and rules.

Please let me know if you have any remaining questions.
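The diagnosis path in the two replies above is: confirm the manager listens on 514, confirm the datagrams arrive (tcpdump), then check whether what arrives is something the stock decoders can match. The following is an added example, not code from this thread or from Wazuh, that performs the last step offline on captured lines: it parses RFC 3164 (BSD) syslog as a collector sees it on UDP/514 and buckets each line by whether it is parseable at all and whether it carries the program tag a decoder would prematch on. The sample lines, the key=value layout of the message body and the `ERAServer` program tag are all constructed assumptions; the real ESET PROTECT format is not shown on this page, and whether a line is decoded in practice depends on the prematch in 0575-eset-remote_decoders.xml.

```python
"""Triage syslog lines captured on UDP/514 before blaming decoders or rules.

Added example (not from the thread or from Wazuh). Assumes RFC 3164 framing:
    <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MESSAGE
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                               # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                    # hostname
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?:\s?"       # program[pid]:
    r"(?P<msg>.*)$"                                      # free-form message
)

# RFC 3164 facility (PRI // 8) and severity (PRI % 8) names.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# key=value or key="quoted value" pairs inside the message body (assumed layout).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    program: str
    pid: Optional[int]
    message: str
    fields: Dict[str, str]


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None when the line is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the highest valid PRI
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    return SyslogEvent(
        facility=FACILITIES[pri // 8],
        severity=SEVERITIES[pri % 8],
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        program=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=m.group("msg"),
        fields=fields,
    )


def triage(lines: List[str], expected_program: str) -> Dict[str, List[str]]:
    """Bucket captured lines into: carries the expected program tag ("match"),
    well-formed but tagged by another program ("other_program"), or not
    parseable as RFC 3164 at all ("unparsed"). Lines in the last two buckets
    explain "packets arrive but no alert" without any rule being involved."""
    buckets: Dict[str, List[str]] = {"match": [], "other_program": [], "unparsed": []}
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            buckets["unparsed"].append(line)
        elif ev.program == expected_program:
            buckets["match"].append(line)
        else:
            buckets["other_program"].append(line)
    return buckets


# Constructed sample capture; NOT real ESET PROTECT output.
SAMPLE_LINES = [
    '<14>Jan 15 10:22:33 eset-protect ERAServer: event_type=Threat_Event hostname=WS-042 '
    'threat_name="Constructed test" action=cleaned user=DOMAIN\\alice',
    '<13>Jan 15 10:22:34 eset-protect ERAServer[2048]: event_type=Audit_Event '
    'action=Login result=Success user=admin',
    '<14>Jan 15 10:22:35 gw01 sshd[911]: Accepted publickey for ops from 10.0.0.7 port 51222',
    'Jan 15 10:22:36 eset-protect ERAServer: event_type=Threat_Event (no PRI header)',
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LINES, "ERAServer").items():
        print(f"{bucket}: {len(items)}")
    ev = parse_syslog(SAMPLE_LINES[0])
    print(ev.facility, ev.severity, ev.program, ev.fields["threat_name"])
```

Feed it the payloads you pulled out of the tcpdump capture (one line per datagram): anything landing in `unparsed` is a framing problem on the sender side, anything in `other_program` will never reach a decoder that prematches on the ESET program name, and only the `match` bucket is worth comparing field by field against the decoder's regexes.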
-
I'm also trying out this feature. I'm using the on-prem version of ESET Protect, and I've enabled syslog. Through the command "tcpdump -i any udp port 514 -AA" on Wazuh, I can see the logs coming in, but I'm unable to capture data in Wazuh.