Custom logs not captured


Bayu Sangkaya (bayusky.labs)

Nov 26, 2025, 8:51:19 AM (5 days ago) Nov 26
to Wazuh | Mailing List
Hi Team,

I am creating a script that dumps browser history to a .log file. It doesn't matter whether it runs on Mac, Linux, or Windows; the log lines are:

Nov 26 19:38:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:37:32 Edge Default https://www.bing.com/search?q=testing&cvid=83a4708523434de89ffd89b99a634f35&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQABhAMgYIAhAAGEAyBggDEAAYQDIGCAQQABhAMgYIBRAAGEAyBggGEAAYQDIGCAcQABhAMgYICBAAGEDSAQgxNDA0ajBqOagCBrACAQ&FORM=ANAB01&PC=U531 testing - Search
Nov 26 19:43:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:42:43 Edge Default http://manhuaplus.com/ Home - ManhuaPlus
Nov 26 19:43:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:42:43 Edge Default https://manhuaplus.com/ Home - ManhuaPlus
Nov 26 20:01:07 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 20:00:49 Edge Default http://sslazio.it/ Home | S.S. Lazio

The log collecting configuration is:
    <localfile>
      <location>C:\BrowserMonitor\browser_history.log</location>
      <log_format>syslog</log_format>
      <out_format>monitor: $(log)</out_format>
    </localfile>

Location in Windows is C:\BrowserMonitor\browser_history.log
Location in Linux is /home/username/.browser-monitory/browser_history.log
Location in Mac is /Users/username/.browser-monitory/browser_history.log

Decoder is:
  <decoder name="browser-monitor-log">
     <prematch>browser-monitor</prematch>
     <regex>browser-monitor: (\S+ \S+) (\S+) (\S+) (\S+) (\.+)</regex>
     <order>timestamp,browser_name,profile,url,title</order>
  </decoder>

Rule is:
<group name="browser_history">
  <rule id="980001" level="3">
    <decoded_as>browser-monitor-log</decoded_as>
    <description>Browser History</description>
  </rule>
</group>

And the wazuh-logtest result:

monitor: Nov 26 19:43:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:42:43 Edge Default https://manhuaplus.com/ Home - ManhuaPlus


**Phase 1: Completed pre-decoding.

full event: 'monitor: Nov 26 19:43:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:42:43 Edge Default https://manhuaplus.com/ Home - ManhuaPlus'


**Phase 2: Completed decoding.

name: 'browser-monitor-log'

browser_name: 'Edge'

profile: 'Default'

timestamp: '2025-11-26 19:42:43'

title: 'Home - ManhuaPlus'

url: 'https://manhuaplus.com/'


**Phase 3: Completed filtering (rules).

id: '980001'

level: '3'

description: 'Browser History'

groups: '['browser_history']'

firedtimes: '1'

mail: 'False'

**Alert to be generated.


But in the dashboard, whether it's wazuh-alerts or wazuh-archives, the alerts are never generated.

Where did I go wrong?

Regards,

Bayu Sangkaya

Marcos Darío Buslaiman

Nov 26, 2025, 2:36:31 PM (5 days ago) Nov 26
to Wazuh | Mailing List
Hi Bayu,

Based on your explanation, the rule is being triggered, and since it has level 3, it should be indexed in the wazuh-alerts-* index.

To verify this end-to-end, here is the complete event flow:


1. The event is detected

The original event should look like:

monitor: Nov 26 19:43:06 WIN-PSJ5OUAUCR5 ............

When the agent reads this line, it forwards it to the Wazuh Manager (with the out_format added).


2. Wazuh Manager receives and processes the event
  • If you have logall_json = yes enabled in the Manager ossec.conf, the raw event will be written to:

/var/ossec/logs/archives/archives.json
  • If the event matches a rule (as you mentioned), the Manager will also log the alert in:

/var/ossec/logs/alerts/alerts.json

So at this stage, you should be able to confirm:

  • The raw event → in archives.json

  • The triggered alert → in alerts.json


3. Filebeat sends the alert to Wazuh Indexer

If the alert exists in alerts.json, Filebeat should send it to the Indexer. 
If there are no errors in Filebeat or Indexer, the alert will be ingested into:

wazuh-alerts-*

To confirm this step, please check:

  • Filebeat logs:
    /var/log/filebeat/filebeat

  • Wazuh Indexer cluster logs:
    /var/log/wazuh-indexer/wazuh-cluster.log

These logs will show if Filebeat is sending the alert correctly or if the Indexer is rejecting it.

Bayu Sangkaya (bayusky.labs)

Nov 27, 2025, 7:28:01 AM (4 days ago) Nov 27
to Wazuh | Mailing List
Hi Marcos, thanks for the reply.

It's present in alerts.json, but not in the Dashboard:

{"timestamp":"2025-11-27T12:17:02.334+0000","rule":{"level":3,"description":"Browser History","id":"980001","firedtimes":7,"mail":false,"groups":["browser_history"]},"agent":{"id":"034","name":"DESKTOP-F2OLG1C","ip":"192.168.1.100"},"manager":{"name":"soc-lab.bayuskylabs.com"},"id":"1764245822.365082377","full_log":"monitor: Nov 27 19:17:00 DESKTOP-F2OLG1C browser-monitor: 2025-11-27 19:16:28 Edge Default https://soc-labs.bayuskylabs.com/app/threat-hunting#/health-check Wazuh","decoder":{"name":"browser-monitor-log"},"data":{"url":"https://soc-labs.bayuskylabs.com/app/threat-hunting#/health-check","timestamp":"2025-11-27 19:16:28","browser_name":"Edge","profile":"Default","title":"Wazuh"},"location":"c:\\browsermonitor\\browser_history.log"}

Regards,

Bayu Sangkaya


Marcos Darío Buslaiman

Nov 28, 2025, 7:07:34 AM (3 days ago) Nov 28
to Wazuh | Mailing List
Hi Bayu,
According to what you mentioned, the alert could not be indexed, so I recommend you verify whether you have errors in Filebeat or the Indexer, as I mentioned in step 3.
  • Filebeat logs:
    /var/log/filebeat/filebeat

  • Wazuh Indexer cluster logs:
    /var/log/wazuh-indexer/wazuh-cluster.log

Sometimes, the values you are trying to index have conflicts, and they are not indexed. Checking the data of your alerts, maybe you can change the field name "timestamp" to avoid any possible conflict with the name. You can add a prefix to all the fields in your decoder to make them unique.
    "data": {
        "mon_browser_name": "Edge",
        "mon_profile": "Default",
        "mon_timestamp": "2025-11-27 19:16:28",
        "mon_title": "Wazuh",
        "mon_url": "https://soc-labs.bayuskylabs.com/app/threat-hunting#/health-check"
    } 
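The following is an added example, not code from the thread or from the Wazuh project. It ports the custom decoder posted at the start of the thread to Python (Wazuh's own regex dialect uses `\.` for "any character", which is a plain `.` in Python), runs it over two of the posted log lines plus one constructed line that contains the prematch but not the full pattern, and then applies the renaming suggested in this reply: decoded fields whose names collide with a top-level alert key (the key set is taken from the alerts.json record posted above; treating that set as the relevant one is an assumption of this example) get the `mon_` prefix before the record is handed to the indexer.

```python
import re
from typing import Optional

# The thread's decoder regex, translated from Wazuh's OS_Regex dialect to Python.
# \S+ means the same in both; Wazuh's \. ("any character") becomes a plain "." here.
PREMATCH = "browser-monitor"
DECODER_REGEX = re.compile(r"browser-monitor: (\S+ \S+) (\S+) (\S+) (\S+) (.+)")
DECODER_ORDER = ["timestamp", "browser_name", "profile", "url", "title"]

# Top-level keys of the alert document posted in the thread. Assumption of this
# example: a decoded field reusing one of these names is the "conflict" the reply
# warns about, and is what gets renamed.
ALERT_TOP_LEVEL_KEYS = {
    "timestamp", "rule", "agent", "manager", "id", "full_log",
    "decoder", "data", "location",
}

# Sample input: two lines from the thread as they reach the manager (the agent's
# out_format has already prepended "monitor: "), plus one constructed line that
# contains the prematch string but does not fit the capture pattern.
SAMPLE_LINES = [
    "monitor: Nov 26 19:43:06 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 19:42:43 "
    "Edge Default https://manhuaplus.com/ Home - ManhuaPlus",
    "monitor: Nov 26 20:01:07 WIN-PSJ5OUAUCR5 browser-monitor: 2025-11-26 20:00:49 "
    "Edge Default http://sslazio.it/ Home | S.S. Lazio",
    "monitor: Nov 26 20:05:00 WIN-PSJ5OUAUCR5 browser-monitor started (constructed)",
]


def decode(line: str) -> Optional[dict]:
    """Mimic the decoder: <prematch> must be present, then <regex> groups map onto <order>."""
    if PREMATCH not in line:
        return None
    match = DECODER_REGEX.search(line)
    if match is None:
        return None  # prematch hit, but the line does not fit the capture pattern
    return dict(zip(DECODER_ORDER, match.groups()))


def conflicting_fields(data: dict) -> list:
    """Decoded field names that reuse a top-level alert key (e.g. 'timestamp')."""
    return sorted(name for name in data if name in ALERT_TOP_LEVEL_KEYS)


def prefix_fields(data: dict, prefix: str = "mon_") -> dict:
    """Give every decoded field a unique prefix, as the reply proposes."""
    return {prefix + name: value for name, value in data.items()}


def decode_for_indexing(line: str, prefix: str = "mon_") -> Optional[dict]:
    """Decode a line; if any field name conflicts, return the prefixed version."""
    data = decode(line)
    if data is None:
        return None
    if conflicting_fields(data):
        return prefix_fields(data, prefix)
    return data


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        data = decode(line)
        if data is None:
            print("no decoder match:", line)
            continue
        print("decoded:   ", data)
        print("conflicts: ", conflicting_fields(data))
        print("indexed as:", decode_for_indexing(line))
```

Running the script prints the decoded fields for the two real lines, reports `['timestamp']` as the conflicting name for each, and shows the `mon_`-prefixed record that would be indexed instead; the constructed third line is reported as not matching, which is the case where a decoder's prematch fires but its regex does not.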

Bayu Sangkaya

Nov 30, 2025, 12:54:12 AM (yesterday) Nov 30
to Marcos Darío Buslaiman, Wazuh | Mailing List
Ah, I see.

There's a conflict.

Now it's all correct.
Thanks a lot, Marcos.

Regards,
Bayu Sangkaya

