Monitoring Network Devices with Wazuh#

Introduction#

Network devices are the backbone of modern IT infrastructure, facilitating data transfer between nodes and ensuring connectivity across organizations. However, these critical components - including routers, switches, firewalls, and access points - often become prime targets for cyber attacks. Without proper monitoring, they can serve as entry points for unauthorized access, data breaches, or network disruptions.

Wazuh provides comprehensive network device monitoring capabilities:

🌐 Multi-vendor Support: Monitor devices from Cisco, Juniper, Checkpoint, pfSense, and more
📊 Real-time Analysis: Process syslog events as they occur
🔍 Custom Detection: Create tailored rules for specific device behaviors
🚨 Security Alerts: Detect unauthorized access and configuration changes
📈 Compliance Support: Meet regulatory requirements for network monitoring

Supported Network Devices#

Wazuh provides out-of-the-box support for numerous network devices:

Firewalls & Security Devices#

Cisco PIX, ASA, and FWSM (all versions)
Checkpoint firewall (all versions)
SonicWall firewall (all versions)
pfSense
Huawei USG

Routers & Switches#

Cisco IOS routers (all versions)
Juniper Netscreen (all versions)
Junos devices
MikroTik RouterOS

IDS/IPS Systems#

Cisco IOS IDS/IPS module (all versions)
Sourcefire (Snort) IDS/IPS (all versions)
Dragon NIDS (all versions)
Checkpoint Smart Defense (all versions)

Other Devices#

Bluecoat proxy (all versions)
Cisco VPN concentrators (all versions)
VMWare ESXi 4.x

Architecture Overview#

1
flowchart TB
2
    subgraph "Network Devices"
3
        R1[MikroTik Router]
4
        S1[Cisco Switch]
5
        F1[pfSense Firewall]
6
        A1[Access Point]
7
    end
8

9
    subgraph "Log Collection"
10
        RS[Rsyslog Server<br/>Ubuntu 22.04]
11
        LF[Log File<br/>/var/log/mikrotik.log]
12
    end
13

14
    subgraph "Wazuh Infrastructure"
15
        WA[Wazuh Agent]
16
        WS[Wazuh Server]
17
        WD[Wazuh Dashboard]
18
    end
19

20
    R1 -->|Syslog UDP:514| RS
21
    S1 -->|Syslog UDP:514| RS
22
    F1 -->|Syslog UDP:514| RS
23
    A1 -->|Syslog UDP:514| RS
24

25
    RS --> LF
26
    LF --> WA
27
    WA --> WS
28
    WS --> WD
29

30
    style R1 fill:#4dabf7
31
    style RS fill:#51cf66
32
    style WS fill:#ffd43b

Infrastructure Requirements#

For this demonstration:

Wazuh Server: Pre-built OVA 4.7.2 with all components
Ubuntu Endpoint: Ubuntu 22.04 with Wazuh agent 4.7.2 (syslog collector)
Network Device: MikroTik router with RouterOS 7.13
Network: Connectivity between all components

Implementation Guide: MikroTik Router Monitoring#

Phase 1: Configure Ubuntu Syslog Receiver#

Enable Rsyslog#

Edit /etc/rsyslog.conf:

1
# Enable UDP syslog reception
2
$ModLoad imudp
3
$UDPServerRun 514
4

5
# Store MikroTik messages in dedicated file
6
if $fromhost-ip startswith '<YOUR_MIKROTIK_IP_ADDRESS>' then /var/log/mikrotik.log
7
& ~

Replace <YOUR_MIKROTIK_IP_ADDRESS> with your MikroTik device IP.

Prepare Log File#

1
# Create log file
2
touch /var/log/mikrotik.log
3

4
# Set proper permissions
5
chown syslog:adm /var/log/mikrotik.log
6

7
# Restart rsyslog
8
systemctl restart rsyslog

Configure Wazuh Agent#

Add to /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <localfile>
3
    <log_format>syslog</log_format>
4
    <location>/var/log/mikrotik.log</location>
5
    <out_format>RouterOS7.1-logs: $(log)</out_format>
6
  </localfile>
7
</ossec_config>

Restart the agent:

1
systemctl restart wazuh-agent

Phase 2: Configure MikroTik Router#

Using WinBox or WebUI#

Log into your router using WinBox utility or WebUI
Configure logging topics:
- Navigate to: System → Logging → Rules
- Create rules for topics: system, error, info, warning
- Set Action: remote
Configure remote action:
- Navigate to: System → Logging → Actions
- Edit remote action:
  - Remote Address: <WAZUH_AGENT_IP>
  - Remote Port: 514
  - BSD Syslog: Enabled
  - Syslog Facility: daemon
  - Syslog Severity: emergency
Set router identity:
- Navigate to: System → Identity
- Set Identity: MikroTik

Phase 3: Create Custom Decoders#

Create /var/ossec/etc/decoders/mikrotik_decoders.xml:

1
<decoder name="mikrotik">
2
  <prematch>^RouterOS7.1-logs: </prematch>
3
</decoder>
4

5
<decoder name="mikrotik1">
6
  <parent>mikrotik</parent>
7
  <regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik user (\S+) (.*?) from (\d+.\d+.\d+.\d+) via (\w+)</regex>
8
  <order>logtimestamp, logged_user, action, ip_address, protocol</order>
9
</decoder>
10

11
<decoder name="mikrotik1">
12
  <parent>mikrotik</parent>
13
  <regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik dhcp-client on (\S+) (.*?) address (\d+.\d+.\d+.\d+)</regex>
14
  <order>logtimestamp, interface, action, ip_address</order>
15
</decoder>
16

17
<decoder name="mikrotik1">
18
  <parent>mikrotik</parent>
19
  <regex type="pcre2">\S+ (\w+ \d+ \d+:\d+:\d+) MikroTik router (\S+)</regex>
20
  <order>logtimestamp, action</order>
21
</decoder>

Phase 4: Create Detection Rules#

Create /var/ossec/etc/rules/mikrotik_rules.xml:

1
<group name="Mikrotik,">
2
  <rule id="110000" level="0">
3
    <decoded_as>mikrotik</decoded_as>
4
    <description>Mikrotik-Event</description>
5
  </rule>
6

7
  <rule id="110001" level="5">
8
    <if_sid>110000</if_sid>
9
    <match>dhcp-client on ether</match>
10
    <description>MikroTik dhcp-client received an IP address $(ip_address)</description>
11
  </rule>
12

13
  <rule id="110002" level="5">
14
    <if_sid>110000</if_sid>
15
    <match>rebooted</match>
16
    <description>MikroTik router rebooted</description>
17
  </rule>
18

19
  <rule id="110003" level="5">
20
    <if_sid>110000</if_sid>
21
    <match>logged out from</match>
22
    <description>MikroTik user logged out via $(protocol)</description>
23
  </rule>
24

25
  <rule id="110004" level="5">
26
    <if_sid>110000</if_sid>
27
    <match>logged in from</match>
28
    <description>MikroTik user logged in from $(ip_address) via $(protocol)</description>
29
  </rule>
30
</group>

Restart Wazuh manager:

1
systemctl restart wazuh-manager

Testing the Configuration#

Generate Test Events#

1
# SSH into MikroTik and reboot
2
ssh <MIKROTIK_USER>@<MIKROTIK_IP_ADDRESS>
3
> /system/reboot

Expected Alerts#

1
flowchart LR
2
    subgraph "MikroTik Events"
3
        E1[User Login]
4
        E2[DHCP Assignment]
5
        E3[Router Reboot]
6
        E4[User Logout]
7
    end
8

9
    subgraph "Wazuh Rules"
10
        R1[Rule 110004]
11
        R2[Rule 110001]
12
        R3[Rule 110002]
13
        R4[Rule 110003]
14
    end
15

16
    subgraph "Dashboard Alerts"
17
        A1[Login Alert]
18
        A2[DHCP Alert]
19
        A3[Reboot Alert]
20
        A4[Logout Alert]
21
    end
22

23
    E1 --> R1 --> A1
24
    E2 --> R2 --> A2
25
    E3 --> R3 --> A3
26
    E4 --> R4 --> A4
27

28
    style E3 fill:#ff6b6b
29
    style A3 fill:#ff6b6b

Advanced Configuration#

Comprehensive MikroTik Rules#

1
<group name="Mikrotik,">
2
  <!-- Base rule -->
3
  <rule id="110000" level="0">
4
    <decoded_as>mikrotik</decoded_as>
5
    <description>Mikrotik-Event</description>
6
  </rule>
7

8
  <!-- Authentication -->
9
  <rule id="110004" level="5">
10
    <if_sid>110000</if_sid>
11
    <match>logged in from</match>
12
    <description>MikroTik user $(logged_user) logged in from $(ip_address) via $(protocol)</description>
13
  </rule>
14

15
  <rule id="110005" level="7" frequency="3" timeframe="60">
16
    <if_sid>110004</if_sid>
17
    <description>Multiple MikroTik login attempts from $(ip_address)</description>
18
  </rule>
19

20
  <rule id="110006" level="8">
21
    <if_sid>110004</if_sid>
22
    <time>10:00 pm - 6:00 am</time>
23
    <description>MikroTik login outside business hours from $(ip_address)</description>
24
  </rule>
25

26
  <!-- Configuration Changes -->
27
  <rule id="110007" level="7">
28
    <if_sid>110000</if_sid>
29
    <match>configuration changed</match>
30
    <description>MikroTik configuration modified by $(logged_user)</description>
31
  </rule>
32

33
  <!-- Interface Status -->
34
  <rule id="110008" level="6">
35
    <if_sid>110000</if_sid>
36
    <match>interface.*down</match>
37
    <description>MikroTik interface down: $(interface)</description>
38
  </rule>
39

40
  <rule id="110009" level="5">
41
    <if_sid>110000</if_sid>
42
    <match>interface.*up</match>
43
    <description>MikroTik interface up: $(interface)</description>
44
  </rule>
45

46
  <!-- Security Events -->
47
  <rule id="110010" level="9">
48
    <if_sid>110000</if_sid>
49
    <match>firewall.*drop</match>
50
    <description>MikroTik firewall dropped packet from $(src_ip)</description>
51
  </rule>
52

53
  <rule id="110011" level="10" frequency="50" timeframe="60">
54
    <if_sid>110010</if_sid>
55
    <description>MikroTik DDoS attack detected - high drop rate</description>
56
  </rule>
57

58
  <!-- VPN Events -->
59
  <rule id="110012" level="5">
60
    <if_sid>110000</if_sid>
61
    <match>ipsec.*established</match>
62
    <description>MikroTik IPSec VPN established with $(peer_ip)</description>
63
  </rule>
64

65
  <rule id="110013" level="7">
66
    <if_sid>110000</if_sid>
67
    <match>ipsec.*failed</match>
68
    <description>MikroTik IPSec VPN failed with $(peer_ip)</description>
69
  </rule>
70
</group>

Enhanced Decoders for Multiple Event Types#

1
<!-- Enhanced MikroTik decoders -->
2
<decoder name="mikrotik-firewall">
3
  <parent>mikrotik</parent>
4
  <regex type="pcre2">firewall,info.* input: in:(\S+) out:(\S+), src-mac (\S+), proto (\S+), (\d+.\d+.\d+.\d+):(\d+)->(\d+.\d+.\d+.\d+):(\d+)</regex>
5
  <order>in_interface, out_interface, src_mac, protocol, src_ip, src_port, dst_ip, dst_port</order>
6
</decoder>
7

8
<decoder name="mikrotik-system">
9
  <parent>mikrotik</parent>
10
  <regex type="pcre2">system,info.* (.*?) by (\S+)</regex>
11
  <order>system_action, username</order>
12
</decoder>
13

14
<decoder name="mikrotik-wireless">
15
  <parent>mikrotik</parent>
16
  <regex type="pcre2">wireless,info.* (\S+): (.*?) (\S+), signal strength (\S+)</regex>
17
  <order>interface, action, mac_address, signal_strength</order>
18
</decoder>

Monitoring Other Network Devices#

Cisco Router Configuration#

1
<!-- Cisco IOS decoders -->
2
<decoder name="cisco-ios">
3
  <prematch>%\w+-\d-\w+: </prematch>
4
</decoder>
5

6
<decoder name="cisco-ios-login">
7
  <parent>cisco-ios</parent>
8
  <regex type="pcre2">%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\d+.\d+.\d+.\d+)\]</regex>
9
  <order>user, src_ip</order>
10
</decoder>
11

12
<!-- Cisco IOS rules -->
13
<rule id="111000" level="5">
14
  <decoded_as>cisco-ios-login</decoded_as>
15
  <description>Cisco IOS: Successful login by $(user) from $(src_ip)</description>
16
</rule>
17

18
<rule id="111001" level="8">
19
  <if_sid>111000</if_sid>
20
  <match>admin|root</match>
21
  <description>Cisco IOS: Administrative login by $(user) from $(src_ip)</description>
22
</rule>

pfSense Firewall Configuration#

1
<!-- pfSense decoders -->
2
<decoder name="pfsense">
3
  <prematch>filterlog:</prematch>
4
</decoder>
5

6
<decoder name="pfsense-filterlog">
7
  <parent>pfsense</parent>
8
  <regex type="pcre2">(\d+),,,(\w+),(\w+),(\w+),(\w+),(\w+),(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+)</regex>
9
  <order>rule_number, interface, reason, action, direction, protocol, src_ip, dst_ip</order>
10
</decoder>
11

12
<!-- pfSense rules -->
13
<rule id="112000" level="5">
14
  <decoded_as>pfsense-filterlog</decoded_as>
15
  <field name="action">block</field>
16
  <description>pfSense: Blocked connection from $(src_ip) to $(dst_ip)</description>
17
</rule>
18

19
<rule id="112001" level="9" frequency="100" timeframe="60">
20
  <if_sid>112000</if_sid>
21
  <description>pfSense: Possible port scan from $(src_ip)</description>
22
</rule>

Best Practices#

1. Centralized Syslog Architecture#

1
Syslog Architecture:
2
  Collection Points:
3
    - Primary: Main datacenter syslog server
4
    - Secondary: Backup syslog server
5
    - Regional: Local syslog collectors
6

7
  Redundancy:
8
    - Multiple syslog targets per device
9
    - Failover configuration
10
    - Buffer during network outages
11

12
  Security:
13
    - TLS encryption for syslog (where supported)
14
    - Dedicated management VLAN
15
    - Access control lists

2. Log Retention and Rotation#

1
/var/log/mikrotik.log
2
/var/log/cisco.log
3
/var/log/pfsense.log
4
{
5
    daily
6
    rotate 90
7
    compress
8
    delaycompress
9
    missingok
10
    notifempty
11
    create 640 syslog adm
12
    postrotate
13
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2>/dev/null` 2>/dev/null || true
14
    endscript
15
}

3. Performance Optimization#

1
# Rsyslog configuration for high-volume environments
2
# Set high precision timestamps
3
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
4

5
# Buffer configuration
6
$ActionQueueType LinkedList
7
$ActionQueueFileName networkq
8
$ActionResumeRetryCount -1
9
$ActionQueueSaveOnShutdown on
10

11
# Rate limiting
12
$SystemLogRateLimitInterval 1
13
$SystemLogRateLimitBurst 5000
14

15
# Separate queues per device type
16
if $fromhost-ip startswith '10.0.1.' then {
17
    action(type="omfile" file="/var/log/routers.log" queue.type="linkedlist")
18
}
19

20
if $fromhost-ip startswith '10.0.2.' then {
21
    action(type="omfile" file="/var/log/switches.log" queue.type="linkedlist")
22
}

Monitoring Dashboard#

Custom Visualization#

1
{
2
  "visualization": {
3
    "title": "Network Device Activity",
4
    "visState": {
5
      "type": "line",
6
      "params": {
7
        "grid": {
8
          "categoryLines": false,
9
          "style": {
10
            "color": "#eee"
11
          }
12
        },
13
        "categoryAxes": [{
14
          "id": "CategoryAxis-1",
15
          "type": "category",
16
          "position": "bottom",
17
          "show": true,
18
          "style": {},
19
          "scale": {
20
            "type": "linear"
21
          },
22
          "labels": {
23
            "show": true,
24
            "truncate": 100
25
          },
26
          "title": {}
27
        }],
28
        "valueAxes": [{
29
          "id": "ValueAxis-1",
30
          "name": "LeftAxis-1",
31
          "type": "value",
32
          "position": "left",
33
          "show": true,
34
          "style": {},
35
          "scale": {
36
            "type": "linear",
37
            "mode": "normal"
38
          },
39
          "labels": {
40
            "show": true,
41
            "rotate": 0,
42
            "filter": false,
43
            "truncate": 100
44
          },
45
          "title": {
46
            "text": "Event Count"
47
          }
48
        }],
49
        "seriesParams": [{
50
          "show": true,
51
          "type": "line",
52
          "mode": "normal",
53
          "data": {
54
            "label": "Network Events",
55
            "id": "1"
56
          },
57
          "valueAxis": "ValueAxis-1",
58
          "drawLinesBetweenPoints": true,
59
          "showCircles": true
60
        }]
61
      }
62
    }
63
  }
64
}

Key Metrics to Monitor#

1
flowchart TB
2
    subgraph "Authentication Metrics"
3
        M1[Login Attempts]
4
        M2[Failed Logins]
5
        M3[Privilege Escalations]
6
    end
7

8
    subgraph "Configuration Metrics"
9
        M4[Config Changes]
10
        M5[Backup Status]
11
        M6[Firmware Updates]
12
    end
13

14
    subgraph "Performance Metrics"
15
        M7[Interface Status]
16
        M8[Bandwidth Usage]
17
        M9[Error Rates]
18
    end
19

20
    subgraph "Security Metrics"
21
        M10[Firewall Blocks]
22
        M11[IDS Alerts]
23
        M12[VPN Status]
24
    end
25

26
    style M2 fill:#ff6b6b
27
    style M4 fill:#ffd43b
28
    style M10 fill:#ff6b6b

Troubleshooting#

Common Issues and Solutions#

Issue 1: No Logs Received#

1
# Check if rsyslog is receiving data
2
tcpdump -i any -n port 514
3

4
# Verify rsyslog is listening
5
netstat -ulnp | grep 514
6

7
# Check rsyslog errors
8
tail -f /var/log/syslog | grep rsyslog

Issue 2: Decoder Not Matching#

1
# Test decoder with sample log
2
echo 'RouterOS7.1-logs: Jan 19 10:15:30 MikroTik user admin logged in from 192.168.1.100 via winbox' | \
3
  /var/ossec/bin/wazuh-logtest -v
4

5
# Debug regex patterns
6
/var/ossec/bin/wazuh-regex 'your_pattern' < sample.log

Issue 3: Time Synchronization#

1
# Ensure NTP is configured on all devices
2
# On MikroTik:
3
/system ntp client set enabled=yes servers=pool.ntp.org
4

5
# On Ubuntu:
6
timedatectl status
7
systemctl status ntp

Security Considerations#

1. Secure Syslog Transport#

1
# Configure TLS for rsyslog (where supported)
2
# Certificate settings
3
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca.pem
4
$DefaultNetstreamDriverCertFile /etc/ssl/certs/syslog-cert.pem
5
$DefaultNetstreamDriverKeyFile /etc/ssl/private/syslog-key.pem
6

7
# Enable TLS
8
$ActionSendStreamDriver gtls
9
$ActionSendStreamDriverMode 1
10
$ActionSendStreamDriverAuthMode x509/name

2. Access Control#

1
# Limit syslog sources with iptables
2
iptables -A INPUT -p udp --dport 514 -s 10.0.0.0/8 -j ACCEPT
3
iptables -A INPUT -p udp --dport 514 -j DROP
4

5
# Configure device ACLs
6
# MikroTik example:
7
/ip firewall filter add chain=output dst-address=<SYSLOG_SERVER> \
8
  dst-port=514 protocol=udp action=accept

3. Log Integrity#

1
#!/usr/bin/env python3
2
import hashlib
3
import json
4
from datetime import datetime
5

6
def calculate_hash(log_entry):
7
    """Calculate hash of log entry for integrity verification"""
8
    return hashlib.sha256(log_entry.encode()).hexdigest()
9

10
def verify_logs(log_file):
11
    """Verify log integrity"""
12
    with open(log_file, 'r') as f:
13
        for line in f:
14
            try:
15
                # Calculate and store hash
16
                hash_value = calculate_hash(line.strip())
17
                # Store in integrity database
18
                store_integrity_record(line, hash_value)
19
            except Exception as e:
20
                print(f"Integrity check failed: {e}")
21

22
def store_integrity_record(log_entry, hash_value):
23
    """Store integrity record"""
24
    record = {
25
        "timestamp": datetime.now().isoformat(),
26
        "log_hash": hash_value,
27
        "log_sample": log_entry[:50]  # Store sample only
28
    }
29
    # Store in integrity database
30
    with open("/var/log/integrity.json", "a") as f:
31
        json.dump(record, f)
32
        f.write("\n")

Use Cases#

1. Configuration Change Tracking#

1
<rule id="110020" level="8">
2
  <if_sid>110000</if_sid>
3
  <match>configuration changed|config modified|settings updated</match>
4
  <description>Network device configuration changed on $(hostname)</description>
5
  <options>alert_by_email</options>
6
</rule>

2. Network Attack Detection#

1
<rule id="110021" level="10" frequency="100" timeframe="60">
2
  <if_sid>110010</if_sid>
3
  <same_source_ip />
4
  <description>Network scan detected from $(src_ip) - high connection rate</description>
5
</rule>
6

7
<rule id="110022" level="12" frequency="1000" timeframe="60">
8
  <if_sid>110010</if_sid>
9
  <description>DDoS attack detected - excessive connection attempts</description>
10
  <options>alert_by_email</options>
11
</rule>

3. Compliance Monitoring#

1
#!/bin/bash
2
# Generate compliance report for network devices
3

4
echo "=== Network Device Compliance Report ==="
5
echo "Generated: $(date)"
6
echo ""
7

8
# Check configuration backups
9
echo "Configuration Backup Status:"
10
for device in $(cat /etc/network-devices.list); do
11
    last_backup=$(grep "backup completed" /var/log/mikrotik.log | \
12
                  grep $device | tail -1 | cut -d' ' -f1-3)
13
    echo "$device: Last backup $last_backup"
14
done
15

16
# Check failed login attempts
17
echo -e "\nFailed Login Attempts (Last 24h):"
18
grep -E "login failed|authentication failure" /var/log/mikrotik.log | \
19
    grep -v "Last 24h" | wc -l
20

21
# Check configuration changes
22
echo -e "\nConfiguration Changes (Last 7 days):"
23
grep "configuration changed" /var/log/mikrotik.log | \
24
    awk -v d="$(date -d '7 days ago' '+%b %d')" '$0 >= d'

Integration Examples#

1. SNMP Integration#

1
#!/usr/bin/env python3
2
from pysnmp.hlapi import *
3
import json
4

5
def get_device_info(ip_address):
6
    """Get device information via SNMP"""
7
    device_info = {}
8

9
    # System description
10
    errorIndication, errorStatus, errorIndex, varBinds = next(
11
        getCmd(SnmpEngine(),
12
               CommunityData('public', mpModel=0),
13
               UdpTransportTarget((ip_address, 161)),
14
               ContextData(),
15
               ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0)))
16
    )
17

18
    if not errorIndication:
19
        device_info['description'] = str(varBinds[0][1])
20

21
    # System uptime
22
    errorIndication, errorStatus, errorIndex, varBinds = next(
23
        getCmd(SnmpEngine(),
24
               CommunityData('public', mpModel=0),
25
               UdpTransportTarget((ip_address, 161)),
26
               ContextData(),
27
               ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysUpTime', 0)))
28
    )
29

30
    if not errorIndication:
31
        device_info['uptime'] = str(varBinds[0][1])
32

33
    return device_info
34

35
# Enrich Wazuh alerts with SNMP data
36
def enrich_alert(alert):
37
    if 'src_ip' in alert:
38
        snmp_data = get_device_info(alert['src_ip'])
39
        alert['device_info'] = snmp_data
40
    return alert

2. Automated Response#

1
#!/usr/bin/env python3
2
import subprocess
3
import json
4
from datetime import datetime
5

6
def block_on_mikrotik(attacker_ip, router_ip, username, password):
7
    """Block attacker IP on MikroTik router"""
8

9
    commands = [
10
        f'/ip firewall address-list add list=blocked address={attacker_ip} '
11
        f'comment="Auto-blocked by Wazuh {datetime.now()}"',
12
        f'/ip firewall filter add chain=forward src-address-list=blocked '
13
        f'action=drop comment="Drop traffic from blocked IPs" '
14
        f'place-before=0'
15
    ]
16

17
    for cmd in commands:
18
        ssh_command = f'ssh {username}@{router_ip} "{cmd}"'
19
        subprocess.run(ssh_command, shell=True)
20

21
    print(f"Blocked {attacker_ip} on MikroTik router")
22

23
# Process Wazuh alert
24
def process_alert(alert_file):
25
    with open(alert_file, 'r') as f:
26
        alert = json.load(f)
27

28
    if alert['rule']['id'] == '110022':  # DDoS detection rule
29
        attacker_ip = alert['data']['src_ip']
30
        block_on_mikrotik(attacker_ip, '192.168.1.1', 'admin', 'password')

Performance Metrics#

Monitoring Dashboard Queries#

1
-- Top talkers by device
2
SELECT
3
    agent.name as device,
4
    COUNT(*) as event_count,
5
    rule.groups as event_type
6
FROM
7
    wazuh-alerts-*
8
WHERE
9
    rule.groups CONTAINS 'mikrotik'
10
    AND timestamp > NOW() - INTERVAL '1 hour'
11
GROUP BY
12
    agent.name, rule.groups
13
ORDER BY
14
    event_count DESC
15
LIMIT 10;
16

17
-- Configuration changes timeline
18
SELECT
19
    timestamp,
20
    agent.name as device,
21
    data.logged_user as user,
22
    data.system_action as action
23
FROM
24
    wazuh-alerts-*
25
WHERE
26
    rule.id = '110007'
27
    AND timestamp > NOW() - INTERVAL '7 days'
28
ORDER BY
29
    timestamp DESC;

Conclusion#

Monitoring network devices with Wazuh provides organizations with:

✅ Comprehensive visibility into network infrastructure
🔒 Enhanced security through real-time threat detection
📊 Centralized logging from diverse device types
🚀 Scalable architecture supporting any network size
🛡️ Protection against unauthorized access and attacks

By implementing proper network device monitoring, organizations can detect and respond to security incidents faster while maintaining compliance with regulatory requirements.

Key Takeaways#

Centralize Logging: Use syslog for unified log collection
Custom Rules: Create device-specific detection rules
Regular Updates: Keep decoders and rules current
Secure Transport: Implement TLS where possible
Automate Response: Integrate with device APIs for remediation

Resources#

Secure your network infrastructure with Wazuh. Monitor, detect, protect! 🌐🛡️