Skip to main content

OpenVPN Support Center

Welcome to the new and improved OpenVPN Support Center.

Search the Support Center

Access Server: Enable and Forward Syslog Information to a Wazuh Server

  • Updated

Description

Enabling Syslog logging on Access Server enhances visibility into system activity by sending logs to a centralized platform like Wazuh. This improves monitoring, troubleshooting, auditing, and compliance by allowing you to:

  • Receive real-time alerts.
  • Centralize log management.
  • Analyze and respond to security and performance events.

This article explains how to turn on Syslog on Access Server and forward logs to a Wazuh server.

Example IP Addresses

In this example, we use the following IP addresses:

  • Access Server IP: 192.0.2.15
  • Wazuh Server IP: 192.0.2.10

Step 1: Enable Syslog on Access Server

  1. Connect to Access Server console and get root privileges.
  2. Open the Access Server configuration file:
    nano /usr/local/openvpn_as/etc/as.conf
  3. At the bottom of the file, add:
    SYSLOG=1
    Important: Ensure SYSLOG is in all uppercase letters.
  4. Save and exit (Ctrl+X, then Y, then Enter).
  5. Restart the Access Server service:
    service openvpnas restart
  6. Create a new rsyslog configuration file for Access Server:
    nano /etc/rsyslog.d/openvpnas.conf
  7. Add the following line to forward logs to your Wazuh server:
    if $programname == 'openvpnas' then action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp")
    Important: Replace 192.0.2.10 with the IP address or FQDN of your Wazuh server.
  8. Save and exit (Ctrl+X, then Y, then Enter).
  9. Restart the syslog daemon:
    service rsyslog restart

Step 2: Configure Syslog on the Wazuh server

  1. Connect to the Wazuh console and get root privileges.
  2. Edit the Wazuh configuration file:
    nano /var/ossec/etc/ossec.conf
  3. Set the logall and logall_json to options to yes.
  4. In the <remote> section, add or modify the following configuration:
    <remote>
       <connection>syslog</connection>
       <port>514</port>
       <protocol>udp</protocol>
       <allowed-ips>192.0.2.15/32</allowed-ips>
       <local_ip>192.0.2.10</local_ip>
    </remote>
    • <allowed-ips>: The IP address of the Access Server sending logs.
    • <local_ip>: The IP address of the Wazuh server receiving logs.
  5. Save and exit (Ctrl+X, then Y, then Enter).
  6. Restart the Wazuh manager:
    service wazuh-manager restart

Viewing logs on the Wazuh server

After setup, you'll find Access Server logs in one of these locations:

  • /var/ossec/logs/archives/archives.log
  • /var/ossec/logs/archives/archives.json

If you don't want to retain logs in those files, set the following option in ossec.conf:

<logall>no</logall>

 


If you have additional questions, please submit a ticket.

Comments

0 comments

Please sign in to leave a comment.