Simple Wazuh decoder and rules for Stormshield firewall.
You need to redirect the firewall's syslog to your Wazuh server.
- Copy stormshield_rules.xml in /var/ossec/etc/rules
- Copy stormshield_decoder.xml in /var/ossec/etc/decoders
- Don't forget to chmod/chown! (chmod 660 and chown wazuh:wazuh)
- Configure your manager to accept these logs using a remote block:
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp,udp</protocol>
  <allowed-ips>192.168.1.0/24</allowed-ips>
</remote>
- Restart wazuh-manager
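
The copy and permission steps above as one shell function, with a check that the files ended up with mode 660. This is an added example, not part of the original project. The function names, the optional Wazuh home argument (for a dry run in a scratch directory) and the `systemctl` restart on a systemd host are assumptions.

```shell
#!/bin/sh
# Added example: the README's copy/chmod/chown steps as one function.
# Second argument defaults to /var/ossec (the path used in this README);
# pass a scratch directory to dry-run without touching the manager.

install_stormshield() {
    src_dir=$1
    wazuh_home=${2:-/var/ossec}

    for pair in "stormshield_rules.xml:rules" "stormshield_decoder.xml:decoders"; do
        file=${pair%%:*}
        dest="$wazuh_home/etc/${pair##*:}"
        [ -f "$src_dir/$file" ] || { echo "missing $src_dir/$file" >&2; return 1; }
        [ -d "$dest" ] || { echo "missing directory $dest" >&2; return 1; }
        cp "$src_dir/$file" "$dest/$file" || return 1
        chmod 660 "$dest/$file" || return 1
        # chown needs root and an existing wazuh account; skipped otherwise (dry run)
        if [ "$(id -u)" -eq 0 ] && id wazuh >/dev/null 2>&1; then
            chown wazuh:wazuh "$dest/$file" || return 1
        fi
    done
}

# Returns 0 only when both files are installed with mode 660.
check_stormshield_perms() {
    wazuh_home=${1:-/var/ossec}
    for path in "$wazuh_home/etc/rules/stormshield_rules.xml" \
                "$wazuh_home/etc/decoders/stormshield_decoder.xml"; do
        [ -f "$path" ] || { echo "not installed: $path" >&2; return 1; }
        mode=$(stat -c '%a' "$path") || return 1
        [ "$mode" = "660" ] || { echo "$path has mode $mode, expected 660" >&2; return 1; }
    done
}

# Real run, as root on the manager, from the directory holding the two XML files:
#   install_stormshield . && check_stormshield_perms && systemctl restart wazuh-manager
```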
That's all.
Enjoy :)