Logstash Error Log4j2 Configuration


jayle...@gmail.com

Aug 8, 2017, 1:16:51 PM
to Wazuh mailing list
Hi,

This is my first time posting this sort of thing so if I need to give more information just let me know. I'm also new to Wazuh and ELK.

I'm running Ubuntu 16.04 on a virtual machine with all the latest necessary updates.

I'm currently not receiving any wazuh-alerts in Kibana under my discover tab. I thought everything was installed and running fine but after checking the status of Logstash I get the following error which I believe is the problem:

ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.


I've tried quite a few things and looked all over to find some kind of solution. If you have any suggestions please let me know. Thanks!


Miguelangel Freitas

Aug 8, 2017, 8:09:10 PM
to jayle...@gmail.com, Wazuh mailing list
Hi,

The error you see can be ignored in logstash 5.5.0 and above, please check https://discuss.elastic.co/t/logstash-5-5-0-error-statuslogger-no-log4j2-configuration-file-found/92921.

Also, if you are using a single-host architecture, you must consider following these steps:

1.- Edit /etc/logstash/conf.d/01-wazuh.conf, commenting out the entire input section titled “Remote Wazuh Manager - Filebeat input” and uncommenting the entire input section titled “Local Wazuh Manager - JSON file input”. This will set up Logstash to read the Wazuh alerts.json file directly from the local filesystem rather than expecting Filebeat on a separate server to forward the information in that file to Logstash.

2.- Because the Logstash user needs to read the alerts.json file, please add it to the OSSEC group by running:

$ usermod -a -G ossec logstash

3.- Enable and restart the Logstash service:

$ systemctl daemon-reload
$ systemctl enable logstash.service
$ systemctl restart logstash.service


After a moment you will see that Logstash is accessing /var/ossec/logs/alerts/alerts.json by running:

lsof /var/ossec/logs/alerts/alerts.json

root@vpc-manager:~# lsof /var/ossec/logs/alerts/alerts.json
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
ossec-ana 26048    ossec   10w   REG  202,1    39078 268130 /var/ossec/logs/alerts/alerts.json
java      30543 logstash   46r   REG  202,1    39078 268130 /var/ossec/logs/alerts/alerts.json

Two processes must be accessing the alerts.json file: one is the Wazuh manager and the other is Logstash, identified by the "java" process.

In a single-host architecture, Logstash needs read access to the alerts.json file in order to parse and forward alerts to Elasticsearch, and then you should see alerts in Kibana.

I hope this helps, let me know if it works, thanks.

Best Regards.


Miguelangel Freitas
Security Engineer

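As an added example (not part of the original post and not the Wazuh project's own code), the POSIX shell script below automates the single-host procedure described in the reply above: it flips the two input sections of 01-wazuh.conf, checks the logstash user's ossec group membership, and parses lsof output for the two-process success condition. The layout of 01-wazuh.conf is assumed: only the two section titles come from the post; the section bodies, the stand-in Beats port and the Elasticsearch output block are constructed, and the rule that a section ends at the first `}` or `#}` line is an assumption that must be checked against the real file before pointing the script at it. The lsof sample is copied from the post.

```shell
#!/bin/sh
# Added example for the single-host Logstash setup described in the reply.
# Not from the original post or the Wazuh project. Section titles are from
# the post; everything else about the config layout is assumed.

# Write a constructed stand-in for /etc/logstash/conf.d/01-wazuh.conf: the
# Filebeat input active, the local JSON file input commented out.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Remote Wazuh Manager - Filebeat input
input {
    beats {
        port => 5000
        codec => "json_lines"
    }
}
# Local Wazuh Manager - JSON file input
#input {
#    file {
#        type => "wazuh-alerts"
#        path => "/var/ossec/logs/alerts/alerts.json"
#        codec => "json"
#    }
#}
output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "wazuh-alerts-%{+YYYY.MM.dd}"
    }
}
EOF
}

# Step 1: comment out every line of the Filebeat section and uncomment every
# line of the local JSON file section, in place. A section is assumed to run
# from its title comment to the first line that is exactly "}" or "#}".
toggle_single_host() {
  conf="$1"
  tmp="$conf.tmp.$$"
  awk '
    /Remote Wazuh Manager - Filebeat input/ { mode = "comment";   print; next }
    /Local Wazuh Manager - JSON file input/  { mode = "uncomment"; print; next }
    mode == "comment"   && $0 !~ /^#/ { $0 = "#" $0 }
    mode == "uncomment"               { sub(/^#/, "") }
    { print }
    mode == "comment"   && $0 == "#}" { mode = "" }
    mode == "uncomment" && $0 == "}"  { mode = "" }
  ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 2: add the logstash user to the ossec group only if it is not already
# a member (the usermod from the post). Needs root; id -nG is GNU/BSD, not POSIX.
ensure_ossec_member() {
  user="${1:-logstash}"
  if id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx ossec; then
    echo "$user is already in the ossec group"
  else
    usermod -a -G ossec "$user"
  fi
}

# Verification: read lsof output for alerts.json on stdin and succeed only
# when the manager holds a write fd as user ossec AND a process owned by
# logstash holds a read fd, which is the post's "two processes" criterion.
alerts_json_shared() {
  awk 'NR > 1 && $3 == "ossec"    && $4 ~ /w$/ { w = 1 }
       NR > 1 && $3 == "logstash" && $4 ~ /r$/ { r = 1 }
       END { exit !(w && r) }'
}

# lsof output as shown in the post, used here as sample input.
sample_lsof_output() {
  cat <<'EOF'
COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
ossec-ana 26048    ossec   10w   REG  202,1    39078 268130 /var/ossec/logs/alerts/alerts.json
java      30543 logstash   46r   REG  202,1    39078 268130 /var/ossec/logs/alerts/alerts.json
EOF
}

# Dry run on a temporary copy; nothing on the host is modified.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
toggle_single_host "$demo_conf"
echo "--- sample 01-wazuh.conf after the single-host toggle ---"
cat "$demo_conf"
rm -f "$demo_conf"
if sample_lsof_output | alerts_json_shared; then
  echo "sample lsof output: manager and Logstash both hold alerts.json"
fi
```

Run as-is for the dry run. To apply it on a real single-host box, as root: `toggle_single_host /etc/logstash/conf.d/01-wazuh.conf` (after confirming the section boundaries match the assumption), `ensure_ossec_member logstash`, the three systemctl commands from the post, and then `lsof /var/ossec/logs/alerts/alerts.json | alerts_json_shared && echo OK`. If the check fails after a restart, the usual causes are Logstash still in the Filebeat input mode or the group change not taking effect because the service was not restarted after usermod.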

