Pushing Mikrotik Logs into Wazuh SIEM
Introduction
One of the core competitive advantages of a Mikrotik device is the possibility of scripting and doing deep-dive configuration. So if you are somewhat paranoid about successful logins or login attempts on your Mikrotik device, you can either run notification scripts on the device itself or simply onboard the device to a SIEM of your choice, e.g. Wazuh. This brings the benefit of having all your logs in one bucket for further analysis and notification.
How to Start?
On wazuh.com you can find a blog article for this scenario. However, the article uses an Ubuntu endpoint to forward the Mikrotik logs to the Wazuh instance. Meaning: the Mikrotik sends the logs to the Ubuntu endpoint, which forwards them to the Wazuh instance. That sounds strange and complicated for a Wazuh newbie like me - why not send the syslog data directly to the Wazuh instance? The approach in the article requires the Ubuntu endpoint to be online to get the logs. If you send the logs from the Mikrotik device directly to Wazuh, you don't need that endpoint to be constantly online. The following steps assume that you have a Wazuh instance up and running already.
Step By Step Guidance
1st Step: Enable Receiving of Syslog Data on your Wazuh Instance:
Edit the ossec.conf, which you can find at /var/ossec/etc/ossec.conf, and add the lines below. Ideally, you add them above the already existing <remote> section - substitute the X.X.X.X placeholders with the right IPs in your network. If you additionally want to test whether the logs are coming in properly, change <logall>no</logall> to <logall>yes</logall>. This pushes all your logs into /var/ossec/logs/archives/archives.log, where you can check that logs are properly received once you have configured your Mikrotik devices (check out this link for further information).
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>X.X.X.X</allowed-ips>
  <local_ip>X.X.X.X</local_ip>
</remote>
Restart your Wazuh instance with systemctl restart wazuh-manager.
2nd Step: Configure the Mikrotik Device to send syslog data to Wazuh
This is quite easy to set up - you can follow the instructions here. Important: the settings must match the IP settings from the Wazuh config above. Use the step I mentioned above to test whether data actually comes in via archives.log.
Once you have confirmed that log data is received, turn off the logall feature by setting <logall>no</logall> in the ossec.conf.
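As an added example that is not part of the original post (and not taken from the linked instructions), here is the RouterOS CLI configuration that ships the device log to Wazuh. It uses placeholder addresses: 192.0.2.10 is the Wazuh manager, i.e. the value of <local_ip> in ossec.conf, and 192.0.2.1 is the router's own source address, which is the value that belongs in <allowed-ips>; the action name "wazuh" and the choice of topics are decisions made for this example.

```routeros
# Added example (not part of the original post): RouterOS 7 CLI commands that
# send the device log to the Wazuh manager over UDP/514.
# Assumed placeholder addresses: 192.0.2.10 is the Wazuh manager (<local_ip>
# in ossec.conf) and 192.0.2.1 is the router address that must be listed in
# <allowed-ips>. The action name "wazuh" is a choice made for this example.
/system logging action
add name=wazuh target=remote remote=192.0.2.10 remote-port=514 src-address=192.0.2.1

# Mirror the four default topic rules (which normally go to memory) to the
# remote action; login events carry the topics "system,info,account", so the
# "info" rule is the one that covers them.
/system logging
add topics=info action=wazuh
add topics=warning action=wazuh
add topics=error action=wazuh
add topics=critical action=wazuh

# Check the result on the router, then look for the same lines in
# /var/ossec/logs/archives/archives.log on the manager (logall must be "yes").
/system logging print
/log print where message~"logged in"
```

Log in to the router once (web, WinBox or SSH) after applying this; the resulting "logged in from" line should show up in archives.log within seconds. If it does not, the usual causes are a firewall rule on the manager blocking UDP/514 or a mismatch between the router's source address and <allowed-ips>. Note that the messages arrive with the RouterOS topic prefix in front of the text; if you enable the action's bsd-syslog option instead, the message gets an RFC 3164 header and any decoder that anchors on the topic prefix has to be adjusted.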
3rd Step: Decoder and Rule Setting within Wazuh
Step 1 and 2 ensured that the logs actually get sent and received; however, Wazuh requires you to "interpret" the log data. For this, you need corresponding decoders and rules that help ingest and process the new log source. A step by step guide can be found here. In case you want to take the shortcut, you can use already existing decoders and rules, for which we have to thank this user here. I can confirm that this approach works with RouterOS 7.13.4 and Wazuh 4.7.
In any case, you need to put the rule files under /var/ossec/etc/rules/ and the decoder files under /var/ossec/etc/decoders/ and restart Wazuh afterwards.
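As an added example (not the decoders and rules from the linked user, and not from the original post), below is a minimal decoder and rule pair for the login message, to show what "interpreting" the log actually means. It assumes the message reaches the decoder as "system,info,account user admin logged in from 192.0.2.50 via web" (a constructed sample line with the topic prefix RouterOS puts in front of the text; check archives.log from step 1 and adjust the prematch if your device sends a different prefix), that the two parts are saved as /var/ossec/etc/decoders/mikrotik_decoders.xml and /var/ossec/etc/rules/mikrotik_rules.xml, and that rule IDs 100100 and 100101 are free in your installation (custom rules must use IDs from 100000 upwards).

```xml
<!-- Added example, not the original post's or the linked user's files.
     Part 1 (assumed path): /var/ossec/etc/decoders/mikrotik_decoders.xml -->
<decoder name="mikrotik">
  <!-- Assumption: RouterOS sends the message with its topic prefix first,
       e.g. "system,info,account user admin logged in from 192.0.2.50 via web"
       (constructed sample). Adjust the prematch to what archives.log shows. -->
  <prematch>^system,info,account </prematch>
</decoder>

<decoder name="mikrotik-login">
  <parent>mikrotik</parent>
  <prematch>logged in from</prematch>
  <!-- OSSEC-style regex: \S+ is a run of non-space characters; the three
       capture groups are assigned, in order, to the fields named in <order>. -->
  <regex>user (\S+) logged in from (\S+) via (\S+)$</regex>
  <order>user, srcip, protocol</order>
</decoder>

<!-- Part 2 (assumed path): /var/ossec/etc/rules/mikrotik_rules.xml
     Custom rule IDs must be 100000 or higher; 100100/100101 are assumed free. -->
<group name="mikrotik,syslog,">
  <!-- Base rule: every message the "mikrotik" decoder recognised. -->
  <rule id="100100" level="3">
    <decoded_as>mikrotik</decoded_as>
    <description>Mikrotik log: RouterOS message</description>
  </rule>

  <!-- Successful login: the decoded fields are substituted into the description,
       so the Dashboard shows who logged in, from where and over which service. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>logged in from</match>
    <description>Mikrotik log: User $(user) logged in from $(srcip) via $(protocol)</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Before restarting the manager, run /var/ossec/bin/wazuh-logtest, paste the sample line, and confirm that the output shows the user, srcip and protocol fields and that rule 100101 fires; a decoder that silently fails to match produces no alert at all, which is easy to mistake for "no logins happened". A failed-login message from RouterOS needs its own rule tagged authentication_failed (take the exact wording from what archives.log shows for your device), and it is the rule you will care about most, since repeated failures from one srcip are what the SIEM should be correlating on.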
4th Step: Test the setup
I recommend testing the setup and ensuring that all logs are properly coming through. In case of success, you should see messages such as Mikrotik log: User admin logged in from XXXX via web arriving in your Wazuh Dashboard.