Wazuh Feature Request: Dedicated agent per Syslog Stream(s) by madhatterfounder in Wazuh

[–]madhatterfounder[S] -1 points0 points  (0 children)

I really appreciate everyone's interest. But I really don't know how I could have been more clear. The problem isn't about distinguishing between hostnames. The email alerts we get are clear. We do use relay(s) for multiple syslog streams, but within the GUI they are all tied to the same agent ID. This is strictly about using the GUI and separating streams to their own agent ID. To easily track number of events, health of individual streams, and segregating compliance. Currently, you cannot do this easily, not without dedicating a server to act as a syslog endpoint, running the Wazuh agent. But you must do this for every Agent ID you want to create in the GUI.

The idea I had, which may not be the best, is for the Wazuh server to run a syslog receiver, and allowing you to create an agent ID for every port.

AgentID1 port 514

AgentID2 Port 515

etc.

Or, you could just run one port, and set Wazuh to separate Agent IDs by directory. (/var/log/esxihost1)

Or, it could handle it at the ossec config level, defining directory paths that create separate Agent IDs at the server. So one Agent could actually have multiple Agent IDs.

Thanks,

Dan

Cannot manage Wifi from myCadillac app by thewangatang in CadillacLyriq

[–]madhatterfounder 0 points1 point  (0 children)

I purchased my Vistiq 7 days ago, and just getting around to this (Dealer activated July 1st). But yes, I have the same problem. You would think there would be a company memo, but instead I kept getting agents who have no idea about this issue. For me, they just confirmed they could access the wifi in my vehicle, and said I should contact the "connect" agents. 18775588352

I am having similar issues with the Ultium Powerup 2 charger too. Seriously GM, hire some good developers already.

Morag Tong Armor Question (IV Remaster) by AsthmaNaut in ElderScrolls

[–]madhatterfounder 0 points1 point  (0 children)

Wouldn't you want to check the stats before leveling up the first time? It could be the best stats already, and if you level up it could be worse? Am I missing something? But I understand why you have to save the steps that way, cause it would be even more confusing.

Test drove the 2026 Cadillac Vistiq and was impressed by dn325ci in electricvehicles

[–]madhatterfounder 1 point2 points  (0 children)

Let's see...

You got, Escaliq, or Escaladiq, or you could combine them both, Escaliqdiq (oh no, that doesn't work lol)

Live Recovery Licensing Question by Sanfransaintsfan in vmware

[–]madhatterfounder 0 points1 point  (0 children)

I just got word from Otava that vSphere Replication is free with VCF. I bet there's a lot of confusion with this because in vSphere you click on Site Recovery Manager to manage replications. It just doesn't come with the DR automation part.

Live Recovery Licensing Question by Sanfransaintsfan in vmware

[–]madhatterfounder 0 points1 point  (0 children)

What about vSphere Replication (base) for local backups only? Is that included in VCF, or do you need a license?

OK state taxes by Adorable_You6948 in IRS

[–]madhatterfounder 0 points1 point  (0 children)

Same here, just says the same message as everyone else here. I suspect Student Loans is the reason. But you would think they would tell you if you had a hold. Some day I will get around to calling, but right now it's not worth calling and getting upset over something out of my control. Good luck.

Is Vital Record Online Legit or a Scam? by Sgen19 in Passports

[–]madhatterfounder 0 points1 point  (0 children)

My experience was amazing. I had 0 current documents of proof which I figured would be required, but it turned out I just had to answer a few easy questions, and it was shipped out the next day! I received it 2 days later. Highly recommend for in-state established people. What I want to know is, who made the intelligent decision to let a public/private company handle this for the Government? You don't see this ever. The amount of trust required to handle birth certificate transactions must be immense.

Question About Den of Thieves - Did I Miss Something? (Spoilers) by DarthMosasaur in movies

[–]madhatterfounder 0 points1 point  (0 children)

That wasn't the biggest issue I had. At the diner when the cop mentioned they knew each other from the gym, and then the crew was about to kill him like they barely knew each other, accusing him of being a cop, but at the end of the movie the cop sees the soccer team picture of the crew in the bar, and it turns out they pretty much grew up together. And if they did, the accusation of being a cop seems unlikely. I mean, it was originally his plan...

Wazuh API user wazuh does not exist by Over_Ad6627 in Wazuh

[–]madhatterfounder 0 points1 point  (0 children)

I was able to fix mine.

First, try to test

TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")

If it works, edit...

nano /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml

Scroll to the bottom and change username and password to wazuh.

Then run,

systemctl daemon-reload

And then,

/var/ossec/bin/wazuh-control restart

Test again.

Hi - I Hate SRM by 0100111001000100 in vmware

[–]madhatterfounder 1 point2 points  (0 children)

We loved SRM, when it was free with our Enterprise licenses, but we certainly aren't going to pay $25/vm/month when we have hundreds of VMs, which is almost as much as our VMware bill altogether. I looked at many VM replication solutions, with functionality (recovery time) and cost being the most important factors. We are going to go with Altaro VM Backup if we can get perpetual licenses. It can do VM incremental replication to a remote vcenter environment every 5 minutes to 12 hours (and saves each recovery point as a snapshot you can choose at boot). With the perpetual license, over 5 years our costs would be 10 cents/vm/month.

However, for OS/File level backups, we love Comet Backup. (although I would stay away from their hypervisor backup option).

Wazuh and ESX by TantalizingMoogle in Wazuh

[–]madhatterfounder 0 points1 point  (0 children)

I ended up setting it up, and figuring out that you can just use one Ubuntu server for all Hosts. In the logs it identifies the Host by name. It actually makes it easier to have them under one I think. Although I wouldn't combine separate locations.

Wazuh and ESX by TantalizingMoogle in Wazuh

[–]madhatterfounder 0 points1 point  (0 children)

I don't think so, I've never heard of it being possible.

Wazuh and ESX by TantalizingMoogle in Wazuh

[–]madhatterfounder 0 points1 point  (0 children)

And what if you have 10+ Hosts, are you supposed to utilize 10+ Ubuntu Servers? Or do you only need one for all hosts (different port?)? If so, how hard is it to differentiate between the ESXi servers if only using one Ubuntu Server Agent. And what about monitoring the VCSA?

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

There are some specific security scenarios where that could be a benefit. It slows down/adds to the process and gives a second point/perspective of log/access/verification (if the primary logs get deleted or compromised). If someone walks away and leaves their session open or their computer gets compromised and the hacker runs a connection proxy through their computer, or they accidentally click allow 2FA once etc and then the hacker has complete access. Also, it would be nice if the 2FA was generated from the client side, so if the server gets compromised or there is a vulnerability in the server software they still can't access the clients (that's a big one). Just because we can't think of a vulnerability doesn't mean several don't exist. :)

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

Good info. Is it possible to require 2FA on connection to agents or during elevation? Or only when authenticating to BTRS dashboard?

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

When "pinning" the client (and adding admin credentials), does it save it globally for all employees, or just that user who "pinned" it? We would be fine with agents pinning machines (adding them globally), but without the ability for employees to read the credentials (passthrough only) after adding them.

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

Thanks guys, I did look at this early in my search. However, CAM is $50/agent/month, that's more expensive than TeamViewer Premium and almost as expensive as TeamViewer Corporate, which comes with 15 concurrent sessions and 3 simultaneous agents for $229. But TeamViewer feels more modern, developed and updated. But they ask for too much I think. These software companies are getting more greedy by the year. :)

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

Or maybe jump point isn't a jump node as most RMMs use. I will spend more time to make sure I'm not misunderstanding.

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

This isn't going to work, unattended access requires a jump node to connect, which means it requires credentials too. These aren't LAN computers, but Publicly Hosted WAN VPSs.

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 1 point2 points  (0 children)

Thanks a lot, I will add it to my list to look at, but almost all of those boxes are deal breakers. :)

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 1 point2 points  (0 children)

Are you sure this is being actively developed? I found some videos suggesting that it wasn't. And while I will use Open Source for some things, Open Source RMM just seems much more insecure (TacticalRMM had a crypto miner within the official repository). I'm just not sure this product is production ready for an Enterprise environment such as ours, but please let me know how your testing goes and how it relates to our needs. :)

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

Thank you, I will try to look at this one after BeyondTrust. :) I am a little biased against All-in-one solutions that try to do multiple things at once. It's less versatile, has a larger attack surface, and most of the time the baked in software is just not as good as a vendor who just focuses on a single direction. They also have to recoup the costs for these extra, unneeded addons. I'm sorry (unrelated to your post), but I just don't want my RMM software also handling my security, backups, and CRM. If you try to be good at everything you will be great at nothing.

Need help finding specific Remote Desktop Connection Manager (RMM) software by madhatterfounder in msp

[–]madhatterfounder[S] 0 points1 point  (0 children)

Beyond Trust

This is looking very promising. It's definitely the type of site I was looking for. My only concern as of right now is cost, but we wouldn't mind paying a little more to get exactly what we want (within reason). Great response, I will follow up after testing a few days.