Wazuh Integration
Trapster has no dedicated Wazuh settings page. Use syslog or Community log forwarding.
Option 1 - Syslog to Wazuh manager (recommended)
Wazuh manager - enable remote syslog
In /var/ossec/etc/ossec.conf, add a remote syslog listener:
```xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>your-trapster-ip/32</allowed-ips>
</remote>
```

Trapster Enterprise - configure syslog
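Go to Settings > Integrations > Syslog and point at your Wazuh manager IP on port 514 (UDP or TCP). The transport you pick must match the <protocol> value in the manager's <remote> block (udp in the listener shown earlier). Trapster sends CEF messages.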
See Syslog for all Trapster-side options including TLS.
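To check which header fields and extension keys a CEF message carries before writing a decoder or rule against it, this added example (not from the Trapster or Wazuh documentation) parses the standard CEF layout out of a syslog line, including escaped pipes and equals signs. The sample line and every field value in it are constructed placeholders, not real Trapster output.

```python
import re
# CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|Extension
HEADER = ("version", "device_vendor", "device_product", "device_version",
          "event_class_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # key at start or after whitespace

def split_header(body):
    """Split on unescaped '|' into the 7 header fields and the raw extension."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])  # header escapes: \| and \\
            i += 1
        elif body[i] == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(parts) < len(HEADER):  # no extension: severity ends the line
        parts.append("".join(cur))
    if len(parts) != len(HEADER):
        raise ValueError("incomplete CEF header")
    return parts, body[i:]

def parse_extension(ext):
    """Parse k=v pairs; a value runs up to the next key, escapes removed."""
    keys, out = list(EXT_KEY.finditer(ext)), {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return out

def parse_cef(line):
    """Return (header dict, extension dict) for a syslog line carrying CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts, ext = split_header(line[start + 4:])
    return dict(zip(HEADER, parts)), parse_extension(ext)

# Constructed sample, not captured Trapster output: every field value below
# is a placeholder to replace with a message from your own deployment.
SAMPLE = (r"<134>Jan  1 00:00:00 sensor01 CEF:0|ExampleVendor|Example\|Product|1.0|"
          r"100|Connection to decoy|7|src=192.0.2.10 dpt=22 msg=user\=root tried login")

if __name__ == "__main__":
    print(*parse_cef(SAMPLE), sep="\n")
```

Run it against a line captured on the Wazuh manager to list the fields your decoder and rule can key on.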
Custom Wazuh rule
Add a rule to raise alerts on Trapster CEF events. Adjust the decoder to match your CEF field layout:
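```xml
<!-- Place inside a <group> element in /var/ossec/etc/rules/local_rules.xml -->
<!-- In <match>, "|" means OR: this fires on any event containing "Trapster" or "cef" -->
<rule id="100200" level="12">
  <match>Trapster|cef</match>
  <description>Trapster honeypot triggered</description>
  <group>honeypot,trapster</group>
</rule>
```

Option 2 - Community file or API logger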
Forward JSON or ECS events from Community Edition using file logging or the API logger, then ingest with Filebeat, Wazuh agent, or a custom pipeline.
Set "format": "ecs" in the Community logger when you want ECS-native events in Elastic Stack or Wazuh.
