TEAM: Huntress Managed Security Information and Event Management (SIEM)
ENVIRONMENT: Huntress dashboard, syslog device configuration page
SUMMARY: How to troubleshoot SIEM syslog collection by checking agent config, agent listening on port 514, Defender Firewall has an open incoming UDP port 514, and confirming data is flowing using WireShark.
Confirm Agent Configuration
1. From the Host Details page, confirm that the Agent has the syslog collection field set to Enabled.
Note that after enabling syslog collection, there may be a delay before the portal reflects the change. If you do not see it enabled after 30 minutes, please review the below.
- If this is not enabled, please enable it following the Enable Syslog Collection (Firewall Logs) guide.
Confirm Agent is Listening
We want to confirm that the Huntress Rio Agent is actually listening now that it's enabled. You can do this via netstat in command prompt or in Powershell to have easier-to-read output.
Netstat: You could use netstat to confirm on the endpoint. Use an admin-level command prompt and run netstat -naob . The output shows process information that looks like this:
Powershell: Powershell gives you more filtering options and you can control the output. To do this, elevate to administrator privileges and run:
(netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr “Rio.exe”
Now we know it’s listening.....
2. Make sure that only the Huntress Agent is listening on port 514. If something else is listening on that port, the Agent won’t be able to bind properly and won’t get any data. You can do this by using this query:
(netstat -bano | Out-String) -replace '(?m)^ (TCP|UDP)', '$1' -replace '\r?\n\s+([^\[])', "`t`$1" -replace '\r?\n\s+\[', "`t[" | findstr “:514”
Confirm Data Flow
After the firewall has been configured, you can verify that the service has started receiving data. To confirm data is being sent from your firewall, open the correct Agent folder (C:\Program Files\Huntress\Rio\tmp) and look for a file with the prefix wbs_.
Additional Troubleshooting
Network Category
If you do not see the file with the wbs_ prefix, it is possible your Ethernet category is set to "Public" which imposes more strict firewall restrictions. To check this, use the following PowerShell cmdlet:
Get-NetConnectionProfile
In this example, we see the NetworkCategory parameter set to Public, which can prevent syslog messages from being received by the Huntress Agent. By setting this to Private or DomainAuthenticated, the appropriate Windows Firewall profile will be used as well.
Note: This must be run using an elevated command prompt
After reviewing Microsoft's documentation for the Network Category parameter, you can use the following cmdlet to set that parameter (use your Interface Alias, as well as the appropriate profile for your network):
Get-NetConnectionProfile -InterfaceAlias "YOUR_ALIAS_HERE" | Set-NetConnectionProfile -NetworkCategory {One of: Private, DomainAuthenticated}
Wireshark
If you think syslog is arriving at the Huntress Agent, but you don’t see this file being created, you can use Wireshark to confirm that the data is flowing to your machine. To do that, install Wireshark and select the appropriate interface, begin capturing data, and then apply this filter:
_ws.col.protocol == "Syslog"
The logs in Wireshark will only display syslog messages, so you can verify the port and protocol being used (514 and UDP). If you're unable to see any data flowing in you'll need to double check that your hardware firewall is pointing to the correct internal IP, that the hardware firewall isn't blocking port 514 outbound to local network, and that syslog sending is set to active.