Trout

Log forwarding to Wazuh SIEM

Receive Access Gate security events in Wazuh and trigger alerts on authentication, enclave access, and compliance-relevant activity.

3 min read · Last updated 2026-04-24

Access Gate forwards its audit and alert streams over syslog (RFC 5424). This guide covers the Wazuh-side configuration needed to decode and surface those events.

Prerequisites

  • Access Gate configured to forward logs over TCP syslog to your Wazuh manager. See Log Forwarding and SIEM Export.
  • Wazuh manager 4.x, reachable from the Access Gate appliance on port 514/TCP.

Configure the Wazuh Remote Listener

Wazuh must be configured to accept syslog over TCP from the Access Gate IP. Add a <remote> block to /var/ossec/etc/ossec.conf:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>{AccessGate_IP}/{range}</allowed-ips>
  <local_ip>{Wazuh_IP}</local_ip>
</remote>

Restart the manager after any change to ossec.conf.

Add the Access Gate Decoder

Access Gate events are emitted by the vigil process in RFC 5424 structured data format. Wazuh's built-in decoders do not match this format, so a custom decoder is required.

Create /var/ossec/etc/decoders/access-gate.xml:

<decoder name="access-gate">
  <prematch>access-gate vigil</prematch>
</decoder>

<decoder name="access-gate-fields">
  <parent>access-gate</parent>
  <regex>Log="(\.+)" Mitre="(\.+)" PrincipalIp="(\.+)" Rule="(\.+)"</regex>
  <order>extra_data, status, srcip, id</order>
</decoder>

This extracts four fields from every Access Gate event:

Field        Maps to     Example
Log          extra_data  user Alice Salmon logged in using screen CUI Access
Mitre        status      -----
PrincipalIp  srcip       192.168.100.59
Rule         id          Access Screen Login Attempt

Add the Access Gate Rules

Create /var/ossec/etc/rules/access-gate-rules.xml:

<group name="access-gate,">

  <rule id="100100" level="3">
    <decoded_as>access-gate</decoded_as>
    <description>Access Gate: $(extra_data)</description>
  </rule>

  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>ALERT</match>
    <description>Access Gate alert: $(extra_data)</description>
  </rule>

  <rule id="100102" level="10">
    <if_sid>100101</if_sid>
    <match>Login Attempt</match>
    <description>Access Gate: login attempt by $(srcip) - $(extra_data)</description>
  </rule>

</group>

Rule IDs in the 100000+ range are reserved for local rules in Wazuh and will not conflict with built-in rules.
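To sanity-check the decoder and rule chain above against captured events before touching the manager, the following added example (not Access Gate or Wazuh code) mirrors the prematch, the field regex and the if_sid ladder in Python. It assumes Wazuh's OS_Regex `\.` can be approximated by Python's `.`; the two sample lines are constructed, not captured from an appliance.

```python
import re

# Constructed sample events (not captured from a real appliance).
SAMPLE_ALERT = ('<130>1 2026-04-24T20:53:10.313Z access-gate vigil 334 ALERT '
                '[context@60446 Log="user Alice Salmon logged in using screen CUI Access" '
                'Mitre="-----" PrincipalIp="192.168.100.59" Rule="Access Screen Login Attempt"]')
SAMPLE_INFO = ('<134>1 2026-04-24T20:55:02.001Z access-gate vigil 334 INFO '
               '[context@60446 Log="user Alice Salmon viewed screen CUI Access" '
               'Mitre="-----" PrincipalIp="192.168.100.59" Rule="Access Screen View"]')

PREMATCH = "access-gate vigil"
# Wazuh OS_Regex writes "any character" as \. ; Python re uses a bare dot (assumed equivalent here).
FIELDS_RE = re.compile(r'Log="(.+)" Mitre="(.+)" PrincipalIp="(.+)" Rule="(.+)"')
ORDER = ("extra_data", "status", "srcip", "id")

# (rule id, level, substring the <match> element requires), in <if_sid> chain order.
RULE_CHAIN = ((100100, 3, None), (100101, 5, "ALERT"), (100102, 10, "Login Attempt"))


def decode(line):
    """Mirror the access-gate decoder pair: parent prematch, then child field extraction."""
    if PREMATCH not in line:
        return None
    m = FIELDS_RE.search(line)
    if not m:
        return {}  # parent decoder matched but the child did not: no fields extracted
    return dict(zip(ORDER, m.groups()))


def evaluate(line):
    """Return (fields, rule_id, level) the rule chain would produce, or None if undecoded."""
    fields = decode(line)
    if fields is None:
        return None
    rule_id, level = None, None
    for rid, lvl, needle in RULE_CHAIN:
        if needle is not None and needle not in line:
            break  # a child rule only fires when its <if_sid> parent fired
        rule_id, level = rid, lvl
    return fields, rule_id, level


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_INFO):
        fields, rid, lvl = evaluate(sample)
        print(f"rule {rid} level {lvl} srcip={fields['srcip']} id={fields['id']}")
```

Feed it your own captured syslog lines and compare the reported rule id with what wazuh-logtest prints in Phase 3; a disagreement points at a regex or prematch mismatch in the XML.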

Validate Before Restarting

Use wazuh-logtest to confirm the decoder and rules fire correctly before restarting the manager:

sudo /var/ossec/bin/wazuh-logtest

Paste a sample Access Gate event at the prompt:

<130>1 2026-04-24T20:53:10.313Z access-gate vigil 334 ALERT [context@60446 Log="user Alice Salmon logged in using screen CUI Access" Mitre="-----" PrincipalIp="192.168.100.59" Rule="Access Screen Login Attempt"]

A successful result shows Phase 2 completing with decoder access-gate-fields matched, and Phase 3 firing rule 100102.

Once validated, restart the manager:

sudo systemctl restart wazuh-manager

Verify in the Dashboard

Trigger a login event from the Access Gate UI. In the Wazuh dashboard, open Discover, set the time range to the last 15 minutes, and search for rule.id: 100102 or data.srcip: <your IP>. The event should appear with all four fields populated.