
Wazuh Integration

Trapster has no dedicated Wazuh settings page. Use syslog or Community log forwarding.

Wazuh manager - enable remote syslog

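In /var/ossec/etc/ossec.conf on the Wazuh manager, add a remote syslog listener, then restart the manager so the change takes effect. Replace your-trapster-ip with the address Trapster sends from; allowed-ips limits which sources the listener accepts: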

xml
<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>udp</protocol>
  <allowed-ips>your-trapster-ip/32</allowed-ips>
</remote>

Trapster Enterprise - configure syslog

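Go to Settings > Integrations > Syslog and point at your Wazuh manager IP on port 514 (UDP or TCP). The transport you pick must match the protocol value of the Wazuh listener; the example listener above accepts UDP only. Trapster sends CEF messages.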

See Syslog for all Trapster-side options including TLS.

Custom Wazuh rule

Add a rule to raise alerts on Trapster CEF events. Adjust the match, and any decoder you pair it with, to your CEF field layout:

xml
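<!-- Place inside a <group name="..."> element, e.g. in /var/ossec/etc/rules/local_rules.xml -->
<rule id="100200" level="12">
  <!-- "|" is a logical OR: this fires on any event containing "Trapster" or "cef".
       Narrow it if other CEF sources report to the same manager. -->
  <match>Trapster|cef</match>
  <description>Trapster honeypot triggered</description>
  <group>honeypot,trapster</group>
</rule>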
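
To check the listener and the rule end to end, the following added example (not Trapster's or Wazuh's own code) sends one constructed CEF event to the manager over UDP syslog. The vendor, product, version, signature ID and extension values are assumptions chosen so the match above applies, not Trapster's real field layout; run it from a host covered by allowed-ips.

```python
import socket
import sys
from datetime import datetime


def _esc_header(value):
    # CEF header fields escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values escape backslash, equals sign and newline.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(name, severity, ext):
    # Vendor, product, version and signature ID are constructed test values,
    # not Trapster's documented layout.
    fields = ["Trapster", "Trapster", "0.0-test", "TEST-1", name, str(severity)]
    header = "|".join(["CEF:0"] + [_esc_header(f) for f in fields])
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"{header}|{extension}"


def wrap_syslog(cef, hostname="trapster-test", facility=16, level=5):
    # RFC 3164 framing: <PRI>timestamp host message, PRI = facility * 8 + level.
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{facility * 8 + level}>{stamp} {hostname} {cef}".encode("utf-8")


def send_udp(host, port, payload):
    # One datagram per event, as the UDP listener expects.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Usage: python3 send_test_cef.py <wazuh-manager-ip>
    event = build_cef("Constructed test event", 8,
                      {"src": "192.0.2.10", "msg": "pipeline check"})
    sent = send_udp(sys.argv[1], 514, wrap_syslog(event))
    print(f"sent {sent} bytes: {event}")
```

If the listener and rule are loaded, the event should show up under rule 100200 in /var/ossec/logs/alerts/alerts.log on the manager.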

Option 2 - Community file or API logger

Forward JSON or ECS events from Community Edition using file logging or the API logger, then ingest with Filebeat, Wazuh agent, or a custom pipeline.

Set "format": "ecs" in the Community logger when you want ECS-native events in Elastic Stack or Wazuh.