Pulling Logs Through Command

[Dhiraj Ambigapathi]

So I want to pull Docker logs through command, I went through documentation and came across <full_command> which allows to perform this. I setup the config in ossec.conf and checked logs too in ossec.log and it seemed to be working. But I did not get any logs on wazuh manager end. The Docker Logs are JSON so I tested them through wazuh-logtest and it worked.

Ossec.conf

reverse is container name.
ossec.log

wazuh-logtest

[Manuel Jose Cano Rojo]

Hi Dhiraj!

It seems your <localfile> configuration is not correctly set, since there is no location to read the file you want retrieve the logs from. You can check our official documentation regarding the <localfile> setting in order to understand its usage and configuration options.

For your particular case, I would suggest you look at this blog, where we explain how to perform the same thing you want to, step by step.

Let me know if this helps and feel free to ask anything else!

Regards,

Manuel.

[Dhiraj Ambigapathi]

Hi Manuel,
I followed the blog step by step, but the logs for reverse proxy docker are not being created.

I've checked this couple of times, rsyslog creates log but only for docker process and not containers.

[Jose Luis Carreras Marin]

Hello Dhiraj

My partner Manu is out on vacation, I will try to help you as much as possible.
I see that the problem then may be in the rsyslog configuration. It should create and tag the container logs in the /var/log/docker/docker.log file.
Can you check that part of the guide, permissions, file creation, rsyslog configuration to see what could be happening?

Greetings,

Jose

[Dhiraj Ambigapathi]

Hi Jose,
Following is rsyslog.d configuration
$FileCreateMode 0644
$template DockerDaemonLogFileName,"/var/log/docker/docker.log"
$template DockerContainerLogFileName,"/var/log/docker/%SYSLOGTAG:R,ERE,1,FIELD:docker/(.*)\[--end:secpath-replace%.log"
if $programname == 'dockerd' then {
  ?DockerDaemonLogFileName
  stop
}
if $programname == 'containerd' then {
  ?DockerDaemonLogFileName
  stop
}
if $programname == 'docker' then {
  if $syslogtag contains 'docker/' then {
  ?DockerContainerLogFileName
  stop
  }
}
$FileCreateMode 0600

[Manuel Jose Cano Rojo]

Hello Dhiraj,

Could you finally solve this issue? Let me know if I can help you!

Regards,

Manuel.

[Dhiraj Ambigapathi]

Hi Manuel,

I did solve this issue.

Thanks

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/gh7nDHMd0nY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d5fd4aaa-c3ef-4c0c-9cd4-c13ec320e956n%40googlegroups.com.