Zyxel Switch with Wazuh SIEM

Teooo43
Teooo43 Posts: 2
First Comment
in Switch
Hi guys, I need to make wazuh able to integrate with Zyxel switches. Is there already any guide/discussion about this?

All Replies

  • monkeynia
    monkeynia Posts: 30  Freshman Member
    First Comment Friend Collector Third Anniversary
    Hi @Teooo43,

    Do you mean the Wazuh SIEM setup guide or its user guide?
    I think you can find it on its forum or you can find these information on google.
  • Teooo43
    Teooo43 Posts: 2
    First Comment
    There's nothing in the setup guide or google... The community told me that I have to create decorders and rules for the Zyxel's log using regex but I don't know the structure of the logs
  • monkeynia
    monkeynia Posts: 30  Freshman Member
    First Comment Friend Collector Third Anniversary
    Teooo43 said:
    There's nothing in the setup guide or google... The community told me that I have to create decorders and rules for the Zyxel's log using regex but I don't know the structure of the logs
    I found this installation guide, have you try this before?
     https://documentation.wazuh.com/current/installation-guide/index.html
  • Zyxel_Melen
    Zyxel_Melen Posts: 2,756  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Hi @Teooo43,

    Could you share what model are you using?
    Also, could you share some screenshots of what setting you are stuck on?
    Zyxel Melen


  • zyman2008
    zyman2008 Posts: 224  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    Hi @Teooo43,
    First, you need to make sure the switch model you get support send syslog to your Wazuh SIEM server.

    Then, you can go to GUI of the switch to check log message that your want to monitor.
    Copy log message from switch GUI and paste it to the wazuh-logtest to go through the default decoder. 
    https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html

    Then, Add/Edit your custom ruleset and decoder on Wazuh server if needs.
    https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

    After you finish the decoder/rulesets, 
    Configure the log category and log facility on the switch to send that would like to send to SIEM server.
    Usually, system & AAA category could be the basic set you need.
    To monitor system hardware events, configuration change activities, admin login activities.
    Here a forum post that you can reference, 
    https://community.zyxel.com/en/discussion/787/gs2210-24-syslog-server

    Most of people thinks, open source is cost free. 
    But I would say, it's most expensive that you need to DIY.

    I don't think Zyxel has strong community members with good programing skill and can contribute templates of popular open source packages, compare to community of Mikrotik/Ubiquiti.
    So you might need to study the Wazuh guide to add the custom decoder/ruleset.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,756  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited January 2023
    Hi @zyman2008,

    Thanks for sharing great information with us!

    Hi @Teooo43,

    Looks like zyman2008 provide the solution for you, is there any other problem?
    If yes, free feel to ask here.
    Zyxel Melen


Categories

Switch Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)