This repository provides Wazuh decoders for Mikrotik and a script for monitoring Wireguard peers' login/logout activities.
Tested on:
- RouterOS 7.15.1
- Wazuh 4.8.0
Follow the guide at Wazuh Blog to configure your Wazuh manager to receive Syslog messages.
-
Copy
1001-mikrotik_decoders.xmlto the Wazuh decoders directory:cp /path/to/1001-mikrotik_decoders.xml /var/ossec/etc/decoders/1001-mikrotik_decoders.xml
or if you are using Docker, run:
docker cp /path/to/1001-mikrotik_decoders.xml single-node-wazuh.manager-1:/var/ossec/etc/decoders/1001-mikrotik_decoders.xml
-
Copy
local_rules.xmlto the Wazuh rules directory:cp /path/to/local_rules.xml /var/ossec/etc/rules/local_rules.xml
or if you are using Docker, run:
docker cp /path/to/local_rules.xml single-node-wazuh.manager-1:/var/ossec/etc/rules/local_rules.xml
- Restart the Wazuh manager to apply the new configurations:
or if you are using Docker, run:
systemctl restart wazuh-manager
docker restart single-node-wazuh.manager-1
-
Configure the remote logging server:
/system logging action add name=remote target=remote remote=YOUR_WAZUH_SERVER_IP
-
Add a logging rule to send all logs to the remote server:
/system logging add action=remote topics=system /system logging add action=remote topics=info
Make sure to replace YOUR_WAZUH_SERVER_IP with the IP address of your Wazuh server.
-
Copy the script
script.rscfrom the repository to your Mikrotik device. -
Import and execute the script from the Mikrotik terminal:
/import script.rsc
ℹ️ Note: It is crucial to assign a unique comment to each Wireguard peer configured on your Mikrotik server. This comment acts as an identifier in the monitoring script and ensures accurate tracking of each peer's activity.
👤 Giuseppe Trifilio
- Website: https://github.com/angolo40/WazuhMikrotik
- GitHub: @angolo40
Contributions, issues, and feature requests are welcome! Feel free to check the issues page.
Give a ⭐️ if this project helped you!
- XMR:
87LLkcvwm7JUZAVjusKsnwNRPfhegxe73X7X3mWXDPMnTBCb6JDFnspbN8qdKZA6StHXqnJxMp3VgRK7DcS2sgnW3wH7Xhw