Monitoring GlassFish Logs with Wazuh – Logs Not Appearing in Dashboard


Mohamed NOUISSEL

Mar 14, 2025, 10:21:01 AM3/14/25
to Wazuh | Mailing List

Hello Wazuh community,

I want to monitor the logs of my GlassFish server using Wazuh. I added the following configuration in my Wazuh agent's /var/ossec/etc/ossec.conf:


<localfile>
  <log_format>syslog</log_format>  
  <location>/home/user/server.log</location>  
</localfile>


However, the logs from this file do not appear in the Wazuh dashboard, even though logs from other files are displayed correctly.

Could there be a log format issue preventing these logs from being processed?

Here is an example of a GlassFish log entry:


[2025-03-14T10:36:37.159846Z] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=1400 _ThreadName=http-listener-1(10)] [levelValue: 800] [[
  67417556 [http-listener-1(10)] DEBUG ma.toto.server.DataObjectService  - findDataObjectById 5300]]


Could you please help me identify the issue?

MOUSSA EL HAJRAOUI

Mar 14, 2025, 10:30:00 AM3/14/25
to Mohamed NOUISSEL, Wazuh | Mailing List
Hi there,
The log sample you provided is not in Syslog format.
To do so, you'll need to configure your server to generate Syslog-compliant logs.

GlassFish can generate Syslog-formatted logs, but it requires configuration changes. GlassFish uses Java Util Logging (JUL) by default, which can be redirected to a Syslog server.

Methods to Enable Syslog Logging in GlassFish

1. Using GlassFish Logging Configuration

You can configure GlassFish to send logs to a Syslog server via the logging.properties file.

Steps:

  1. Locate logging.properties in your GlassFish domain:
    /glassfish/domains/your-domain/config/logging.properties
  2. Add or modify these lines to redirect logs to a Syslog server (adjust IP and port as needed):
    java.util.logging.FileHandler.pattern = /var/log/glassfish.log
    java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
    handlers = java.util.logging.ConsoleHandler, com.sun.enterprise.server.logging.SyslogHandler
    com.sun.enterprise.server.logging.SyslogHandler.host = 192.168.1.100
    com.sun.enterprise.server.logging.SyslogHandler.port = 514
  3. Restart GlassFish:
    asadmin restart-domain your-domain

2. Using Log4j with SyslogAppender

If your application uses Log4j, you can configure SyslogAppender in log4j.xml or log4j.properties:

Example (log4j.properties):

log4j.rootLogger=INFO, SYSLOG
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost=192.168.1.100
log4j.appender.SYSLOG.Facility=LOCAL0
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=%d{ISO8601} %p %c - %m%n

Example (log4j.xml):

<appender name="SYSLOG" class="org.apache.log4j.net.SyslogAppender">
  <param name="SyslogHost" value="192.168.1.100"/>
  <param name="Facility" value="LOCAL0"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d{ISO8601} %p %c - %m%n"/>
  </layout>
</appender>
<root>
  <priority value="info"/>
  <appender-ref ref="SYSLOG"/>
</root>

Restart your application for changes to take effect.


3. Using rsyslog to Forward Logs

If your GlassFish logs are written to a file (server.log), you can configure rsyslog to forward them to a Syslog server.

Steps:

  1. Edit /etc/rsyslog.conf or create a new file in /etc/rsyslog.d/glassfish.conf:
    $ModLoad imfile
    $InputFileName /path/to/glassfish/server.log
    $InputFileTag glassfish
    $InputFileStateFile glassfish
    $InputFilePersistStateInterval 100
    $InputRunFileMonitor
    *.* @192.168.1.100:514
  2. Restart rsyslog:
    systemctl restart rsyslog
Hope this helps.


Mohamed NOUISSEL

Mar 14, 2025, 10:50:06 AM3/14/25
to Wazuh | Mailing List

Thank you for your response, sir.

We have multiple production servers that we want to monitor with Wazuh, and we cannot restart GlassFish to apply the new configuration.

Is there a way to achieve this in Wazuh without restarting GlassFish? Perhaps by creating a custom decoder or using another method?

I appreciate your guidance.

Olamilekan Abdullateef Ajani

Mar 14, 2025, 10:59:09 AM3/14/25
to Wazuh | Mailing List
Hello Mohamed,

You are experiencing this because Wazuh does not understand how to decode your logs; there are no built-in decoders for GlassFish currently, so you need to write decoders and rules to match your logs. To do this, you need to enable archives and share the GlassFish logs from the archives.json file.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    ----  
    <logall>no</logall>
    <logall_json>yes</logall_json>    
   -----
  </global>
  -----
</ossec_config>

Then restart the Wazuh manager.
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"
Verify that you have the logs, then disable archiving by setting the values to no. Please verify the logs in the file. You can find reference on creating decoders and rules below.

If you need further assistance on this, please share the logs from the archives.json file in text format.
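
As an added example (not code from the thread), a small Python triage script for the archives.json step above: it reads the file one JSON document per line and lists the events from a given location that the manager stored without any decoder name, which is the symptom this thread is about, together with a per-location count of which decoder matched. The three sample events embedded below are constructed for the example (the first two are the GlassFish lines quoted earlier, the third a decoded event from another file for contrast); the path /var/ossec/logs/archives/archives.json is the one named above.

```python
import json
import sys
from collections import Counter

# Constructed sample of archives.json content (not copied from the thread): one JSON
# document per line, as the manager writes them while <logall_json> is enabled.
# The first two events are the two physical lines of the GlassFish record quoted
# above; the third is a decoded event from another file, for contrast.
SAMPLE_ARCHIVE = r"""
{"timestamp":"2025-03-14T10:36:37.200+0000","agent":{"id":"001","name":"app01"},"manager":{"name":"wazuh-manager"},"id":"1741948597.10","full_log":"[2025-03-14T10:36:37.159846Z] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=1400 _ThreadName=http-listener-1(10)] [levelValue: 800] [[","decoder":{},"location":"/home/user/server.log"}
{"timestamp":"2025-03-14T10:36:37.201+0000","agent":{"id":"001","name":"app01"},"manager":{"name":"wazuh-manager"},"id":"1741948597.11","full_log":"  67417556 [http-listener-1(10)] DEBUG ma.toto.server.DataObjectService  - findDataObjectById 5300]]","decoder":{},"location":"/home/user/server.log"}
{"timestamp":"2025-03-14T10:36:38.000+0000","agent":{"id":"001","name":"app01"},"manager":{"name":"wazuh-manager"},"id":"1741948598.12","full_log":"Mar 14 10:36:38 app01 systemd[1]: Started Daily apt download activities.","decoder":{"name":"systemd","parent":"systemd"},"location":"/var/log/syslog"}
"""


def iter_events(text):
    """Yield one parsed event per non-empty line; skip lines that are not valid JSON
    (archives.json can end in a truncated line while the manager is still writing)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def decoder_name(event):
    """Name of the decoder that matched the event, or None when none did."""
    return (event.get("decoder") or {}).get("name")


def undecoded_events(text, location):
    """Events collected from `location` that the manager stored without decoding."""
    return [e for e in iter_events(text)
            if e.get("location") == location and decoder_name(e) is None]


def decoder_summary(text):
    """Count events per (location, decoder name); 'none' marks undecoded events."""
    return Counter((e.get("location", "?"), decoder_name(e) or "none")
                   for e in iter_events(text))


if __name__ == "__main__":
    # Usage: python3 archives_triage.py [/var/ossec/logs/archives/archives.json] [location]
    # Without arguments the constructed sample above is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    location = sys.argv[2] if len(sys.argv) > 2 else "/home/user/server.log"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ARCHIVE
    for (loc, name), n in sorted(decoder_summary(text).items()):
        print(f"{n:6d}  {loc}  decoder={name}")
    for e in undecoded_events(text, location):
        print("UNDECODED:", e["full_log"])
```

Run it against the real archives.json while <logall_json> is enabled; every line printed as UNDECODED is a full_log you can paste into the decoder work that follows, and the summary shows whether the GlassFish file is the only location left without a decoder.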

MOUSSA EL HAJRAOUI

Mar 14, 2025, 11:16:43 AM3/14/25
to Mohamed NOUISSEL, Wazuh | Mailing List
You can start with a decoder like this:

<decoder name="glassfish">
        <prematch>jakarta.enterprise.logging</prematch>
</decoder>

<decoder name=" glassfish_child">
        <parent>decoder</parent>
        <regex>_ThreadID=(\.+) </regex>
        <order>_ThreadID</order>
</decoder>

<decoder name=" glassfish_child">
        <parent>decoder</parent>
        <regex>_ThreadName=(\.+)] </regex>
        <order>_ThreadName</order>
</decoder>

<decoder name=" glassfish_child  ">
        <parent>decoder</parent>
        <regex> path = (\.+)</regex>
        <order>path</order>
</decoder>

Log test gives this:

**Messages:
    WARNING: (7003): 'c2222e64' token expires
    INFO: (7202): Session initialized with token '15fdc0e4'

**Phase 1: Completed pre-decoding.
    full event: '[2025-03-14T10:36:37.159846Z] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] [tid: _ThreadID=1400 _ThreadName=http-listener-1(10)] [levelValue: 800] [['

**Phase 2: Completed decoding.
    name: 'decoder'
    _ThreadID: '1400'
    _ThreadName: 'http-listener-1(10)'

**Phase 1: Completed pre-decoding.
    full event: ' 67417556 [http-listener-1(10)] DEBUG ma.toto.server.DataObjectService - findDataObjectById 5300]]'

**Phase 2: Completed decoding.
    name: 'UB24'

MOUSSA EL HAJRAOUI

Mar 14, 2025, 11:28:31 AM3/14/25
to Mohamed NOUISSEL, Wazuh | Mailing List
Hi there,
Please correct the parent name to glassfish:

<decoder name="glassfish">
        <prematch>jakarta.enterprise.logging</prematch>
</decoder>

<decoder name="glassfish_child">
        <parent>glassfish</parent>

        <regex>_ThreadID=(\.+) </regex>
        <order>_ThreadID</order>
</decoder>

<decoder name="glassfish_child">
        <parent>glassfish</parent>

        <regex>_ThreadName=(\.+)] </regex>
        <order>_ThreadName</order>
</decoder>

<decoder name="glassfish_child">
        <parent>glassfish</parent>

        <regex> path = (\.+)</regex>
        <order>path</order>
</decoder>
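
As an added example (not code from the thread or from Wazuh), the Python below parses the bracketed GlassFish record format quoted in the first message and pulls out the same _ThreadID and _ThreadName values the decoder above captures, plus the timestamp, level, logger and message. It reads the file line by line and treats everything from the [[ that closes the header up to the next ]] as one record, so the two physical lines of the sample become a single event. The sample lines are embedded as constructed input, and the field names and file name are the example's own.

```python
import re
import sys

# Constructed sample input: the two physical lines of the GlassFish record quoted
# in the first message of this thread.
SAMPLE_LINES = [
    "[2025-03-14T10:36:37.159846Z] [GF 7.0.12] [INFO] [] [jakarta.enterprise.logging.stdout] "
    "[tid: _ThreadID=1400 _ThreadName=http-listener-1(10)] [levelValue: 800] [[",
    "  67417556 [http-listener-1(10)] DEBUG ma.toto.server.DataObjectService  - findDataObjectById 5300]]",
]

# GlassFish record: seven bracketed header fields, then the message inside [[ ... ]].
# The message may span several lines, hence re.DOTALL. Field names are the example's own.
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] "
    r"\[(?P<product>[^\]]+)\] "
    r"\[(?P<level>[^\]]+)\] "
    r"\[(?P<message_id>[^\]]*)\] "
    r"\[(?P<logger>[^\]]+)\] "
    r"\[tid: (?P<tid>[^\]]*)\] "
    r"\[levelValue: (?P<level_value>\d+)\] "
    r"\[\[(?P<message>.*)\]\]$",
    re.DOTALL,
)

# The same two values the thread's decoder extracts from the [tid: ...] field.
TID_RE = re.compile(r"_ThreadID=(?P<thread_id>\S+) _ThreadName=(?P<thread_name>.+)")


def join_records(lines):
    """Merge physical lines into logical records: a record ends on the line that
    closes the [[ ... ]] body, so a multi-line message stays one event."""
    buf = []
    for line in lines:
        buf.append(line.rstrip("\n"))
        if line.rstrip().endswith("]]"):
            yield "\n".join(buf)
            buf = []
    if buf:  # trailing record without its closing ]] (file read mid-write)
        yield "\n".join(buf)


def parse_record(record):
    """Return the record's fields as a dict, or None if it is not a GlassFish record."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    fields = m.groupdict()
    fields["message"] = fields["message"].strip()
    tid = TID_RE.search(fields.pop("tid"))
    if tid:
        fields.update(tid.groupdict())
    return fields


def parse_lines(lines):
    """Parse an iterable of physical lines; records that do not parse are dropped."""
    parsed = (parse_record(rec) for rec in join_records(lines))
    return [fields for fields in parsed if fields is not None]


if __name__ == "__main__":
    # Usage: python3 glassfish_parse.py /home/user/server.log  (no argument: parse the sample)
    source = open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LINES
    for fields in parse_lines(source):
        print(fields["timestamp"], fields["level"], fields.get("thread_name"), fields["message"])
```

Feeding the parser the agent's server.log gives one dict per record, which is a convenient way to check which fields are worth an <order> entry in the decoder before writing rules against them.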