Integrating Wazuh with ConcealBrowse


The following guide covers the procedures necessary to integrate ConcealBrowse and Wazuh, the widely used open source XDR/SIEM platform.

Applies to

  • Windows 10+
  • macOS
  • Google Chrome
  • Microsoft Edge
  • ConcealBrowse Version 0.10.0+
  • Wazuh 4.4.5+


We will be following the Wazuh documentation guide to set up syslog forwarding, found here: 

This guide does not cover setting up TLS for syslog. Details for this can be found here:

  1. In order to get data into Wazuh, ConcealBrowse requires a syslog forwarder running the Wazuh agent. We also need to configure rsyslog to write ConcealBrowse messages to its own log file. This is done by editing /etc/rsyslog.conf and adding the following settings:

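    # provides TCP syslog reception (the imtcp module must be loaded before the input is defined)
    module(load="imtcp")
    input(type="imtcp" port="514")

    # write messages from the matching program to their own log file, then discard them
    if $programname=='' then /var/log/conceal.log
    & ~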


  2. Once complete, verify that ConcealBrowse events are being written to the “conceal.log” file.
  3. Next, we need to tell the Wazuh agent to monitor the new “conceal.log” file. Do so by editing the /var/ossec/etc/ossec.conf file and adding the following stanza (restart the agent after the change):




  4. Verify that things are working properly by going to “Log Collection” in your Wazuh instance settings.
  5. Next, we need a rule to be triggered when new ConcealBrowse events occur. Go to the “rules” section and edit “local_rules.xml”.
  6. Add the following rule:

    <group name="syslog,conceal-custom,">
      <rule id="100005" level="5">
        <description>application conceal logs</description>
        <match>Conceal API Post Process</match>
      </rule>
    </group>


  7. Next, verify that alerts are being surfaced.

  8. View the alert content.
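
The ossec.conf edit from step 3 and the rule from step 6 can be checked offline before restarting the agent. The Python lint below is an added example, not part of the original guide or of Wazuh or ConcealBrowse. The `<localfile>` stanza in the sample, both sample files and all function names are assumptions constructed for illustration, and the level threshold of 3 is Wazuh's default `log_alert_level`.

```python
import xml.etree.ElementTree as ET

LOG_PATH = "/var/log/conceal.log"        # log file written by rsyslog in step 1
RULE_ID = "100005"                       # rule id from step 6
MATCH_TEXT = "Conceal API Post Process"  # <match> text from step 6
# Constructed samples. The <localfile> stanza is an assumed form, not the page's.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/conceal.log</location>
  </localfile>
</ossec_config>
"""
SAMPLE_RULES = """
<group name="syslog,conceal-custom,">
  <rule id="100005" level="5">
    <description>application conceal logs</description>
    <match>Conceal API Post Process</match>
  </rule>
</group>
"""

def _parse(text):
    # These files may hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def localfile_ok(conf_text, path=LOG_PATH):
    """True if a <localfile> block collects `path` with log_format syslog."""
    return any(
        (lf.findtext("location") or "").strip() == path
        and (lf.findtext("log_format") or "").strip() == "syslog"
        for lf in _parse(conf_text).iter("localfile"))

def rule_problems(rules_text, rule_id=RULE_ID, match=MATCH_TEXT, min_level=3):
    """List problems with the rule ([] = OK); 3 is Wazuh's default log_alert_level."""
    try:
        root = _parse(rules_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML (unclosed tag?): {exc}"]
    rule = next((r for r in root.iter("rule") if r.get("id") == rule_id), None)
    if rule is None:
        return [f"rule {rule_id} not found"]
    problems = []
    if (rule.findtext("match") or "").strip() != match:
        problems.append("unexpected <match> text")
    if not rule.get("level", "").isdigit() or int(rule.get("level")) < min_level:
        problems.append(f"level below {min_level} will not raise an alert")
    return problems
```

On the Wazuh manager, `/var/ossec/bin/wazuh-logtest` remains the authoritative way to see which rule a given log line triggers.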

If you run into issues, your firewall could be blocking certain IP addresses needed to send the data. Whitelist the following IP addresses if necessary:


*Never hesitate to contact your Customer Success Manager for any questions or concerns. You may also open a support ticket at by scrolling to the bottom and clicking Submit a request.