Monitoring a folder

Hich
Apr 30, 2019, 8:29:04 AM
to Wazuh mailing list
Hi, 

I have a folder with multiple log files in it, and I want my Wazuh server to analyze each new line in each file of the folder.

My solution is to add this to the config file:


  <syscheck>
    <directories check_all="yes" realtime="yes">buff</directories>
  </syscheck>

The issue is that my Wazuh agent is crashing after a few seconds, with no specific reason in the log file except this one:


2019/04/30 14:26:55 wazuh-modulesd:syscollector: WARNING: Command 'wmic' returned 1 getting process ID.

Is there a mistake in my configuration?

Thank you

cris...@wazuh.com
Apr 30, 2019, 9:24:27 AM
to Wazuh mailing list
Hi Hich,

You need to indicate the complete path to the directory you want to monitor in the directories option. For example:

<directories check_all="yes" realtime="yes">C:\Users\Username\Docs\buff</directories>

Let me know if it solved your problem. If it did not, it would be good if you could share the last logs of your ossec.log file.

Best regards.

Hich
Apr 30, 2019, 10:48:00 AM
to Wazuh mailing list
Yes! Thank you, but it's not necessary for monitoring a file.

But i have another question suddenly.

Now the log I have when I add a line into a file in the folder says:

***** QUEUE\DIFF\LOCAL\PROGRAM FILES (X86)\OSSEC-AGENT\BUFF\DF - COPY.TXT\LAST-ENTRY line1 line2
line3 *****

But I want each line to be analyzed as 3 different logs. Do you have any idea? I've changed it to:

<directories check_all="yes"  whodata="yes" report_changes="yes">

cris...@wazuh.com
May 2, 2019, 4:35:41 AM
to Wazuh mailing list
Hi Hich,

The file changes you see when you use report_changes="yes" are the output of the FC command in Windows.

If you want to report each new line in that file as a different event, you need to use Logcollector.

  <localfile>
    <log_format>syslog</log_format>
    <location>yourfile</location>
  </localfile>

Logcollector reports events to the manager but will not generate alerts if you do not have specific rules for it.

Best regards,
Cristobal Lopez.

Hich
May 6, 2019, 4:15:32 AM
to Wazuh mailing list
Hi Cristobal,

Thank you, so this answer is for a file? Because I'm trying to monitor a folder with multiple files in it. So when I'm using the name of a folder like this:

  <localfile>
    <log_format>syslog</log_format>
    <location>buff</location>
  </localfile>


It's telling me "5-access is denied". Should I put \buff or the whole path C:\\....?

cris...@wazuh.com
May 6, 2019, 5:41:46 AM
to Wazuh mailing list
Hi Hich,

You can only set files in the logcollector configuration. However, since Wazuh 3.9.0 you can use regular expressions in the location field for Windows. For example:

  <localfile>
    <log_format>syslog</log_format>
    <location>C:\your_folder\*</location>
  </localfile>

Best regards,
Cristobal Lopez.
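Putting the two answers above together (the absolute path for syscheck and the logcollector entry with a wildcard), here is an agent-side ossec.conf fragment as an added example. It is not from the thread or from the Wazuh project; the folder path under the agent install directory and the .txt extension are assumptions, taken from the queue path quoted earlier in the thread, and should be adjusted to the real environment.

```xml
<!--
  Added example (not part of the thread or the Wazuh ruleset).
  Assumptions: the watched folder is C:\Program Files (x86)\ossec-agent\buff
  and the files in it end in .txt. Change both to match your host.
-->
<ossec_config>

  <!-- 1) File integrity monitoring of the folder.
       The path must be absolute: the relative "buff" from the first post is
       what made the agent fail. Syscheck reports that a file changed (and,
       with report_changes="yes", an FC-style diff); it does not turn each
       appended line into its own event. -->
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Program Files (x86)\ossec-agent\buff</directories>
  </syscheck>

  <!-- 2) Log collection: every line appended to any matching file is sent to
       the manager as a separate event. The wildcard in <location> on Windows
       needs a 3.9.0 or newer agent, as stated in the reply above. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\Program Files (x86)\ossec-agent\buff\*.txt</location>
  </localfile>

</ossec_config>
```

If per-line analysis is the only goal, the localfile block alone is enough: keeping realtime syscheck on a folder of continuously written log files produces a FIM event on every write and adds noise without adding detections. Two further points a practitioner should expect: the logcollector only forwards lines appended after it starts reading the file, and, as the earlier reply says, these syslog-format events reach the manager but raise no alert until a rule matches them.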

Hich
May 7, 2019, 8:35:13 AM
to Wazuh mailing list
Hi Cristobal,

Good idea, I've tried it. I've upgraded my Wazuh manager and my agent to 3.9, but I'm facing an issue: the log format 'eventchannel' seems not to send logs with the same structure as agents in 3.2, for example:

Wazuh Agent 3.9 is sending:

2019/05/07 13:51:43 ossec-agent[9524] win_agent.c:498 at SendMSG(): DEBUG: Sending message to server: '{"Message":"Source: test, Line: 50","Event":"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='test'/><EventID Qualifiers='0'>0</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2019-05-07T11:51:43.000000000Z'/><EventRecordID>104486783</EventRecordID><Channel>test</Channel><Computer>computer</Computer><Security/></System><EventData><Data>Source: test, Line: 500  Data change event</Data></EventDaa></Event>"}'

Wazuh Agent 3.2.* is sending: 

2019/05/07 13:43:08 ossec-agent: DEBUG: Sending message to server: '2019 May 07 13:40:57 WinEvtLog: test: INFORMATION(0): test: (no user): no domain: domain: Source: test.ReadData, Line: 543  Data read issued for group 12'

In both case i'm using this: 

  <localfile>
    <location>test</location>
    <log_format>eventchannel</log_format>
  </localfile>

So the 3.9 agent is sending something with a JSON-like structure and the 3.2 agent is sending just a line of text. My decoders and rules are made for analyzing logs from 3.2; how can I use 3.9 while sending 3.2-style logs?

Thank you

cris...@wazuh.com
May 7, 2019, 10:46:17 AM
to Wazuh mailing list
Hi Hich,

Eventchannel information has been sent in JSON format since Wazuh 3.8.0. Therefore it is not possible for your 3.9.0 agent to send the information in the old format, but the manager is able to receive eventchannel events in both the old and the new format.

Events in JSON do not need decoders, as they are decoded by the JSON decoder in C, which makes it easier to create rules. You can see examples of rules using the new event format here.

Best regards,
Cristobal Lopez.
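Since the agent cannot be made to emit the old text format, the adaptation happens on the manager side: rules that test the fields the JSON decoder produces instead of matching the old text line. The following local_rules.xml fragment is an added example, not from the thread or the Wazuh ruleset. It assumes the stock Windows base rule with id 60000 exists (as in the default ruleset), uses ids in the custom range starting at 100100, and takes the provider and channel name 'test' from the debug line quoted above; the win.system.* field names are the ones the stock Windows rules use for eventchannel events.

```xml
<!--
  Added example (not part of the thread or the Wazuh ruleset).
  Assumptions: rule 60000 is the stock Windows eventchannel base rule,
  100100+ are free custom ids, and the provider/channel is named 'test'
  as in the sample event quoted in the thread.
-->
<group name="windows,local,">

  <!-- Base rule: any event from the 'test' provider on the 'test' channel.
       Level 0 means it is matched (so child rules can build on it) but
       never alerts by itself. <field> tests use Wazuh's regex syntax. -->
  <rule id="100100" level="0">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^test$</field>
    <field name="win.system.channel">^test$</field>
    <description>Event from provider 'test' (JSON eventchannel format).</description>
  </rule>

  <!-- Alert when the rendered message announces a data change.
       In the old text format this would have been a <match> on the
       "WinEvtLog: test: ..." line; here it is a test on one JSON field. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="win.system.message">Source: test, Line: \d+</field>
    <field name="win.system.message">Data change event</field>
    <description>Test provider reported a data change event.</description>
  </rule>

  <!-- Example of keying on the numeric event id rather than the message text;
       the sample event in the thread carries EventID 0. -->
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <field name="win.system.eventID">^0$</field>
    <description>Test provider event with EventID 0.</description>
  </rule>

</group>
```

Reload the manager after adding the file and check the rule ids in the alerts. When porting the 3.2-era rules, each condition that used to be a text match on the old line becomes a field test: the provider name, channel, event id and rendered message are all addressed individually under win.system, so a rule no longer depends on the column order of the text format.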

Hich
May 10, 2019, 4:13:09 AM
to Wazuh mailing list
Thank you very much for your help Cristobal!

I've created another topic to continue my work: https://groups.google.com/forum/#!topic/wazuh/Cb4wE4Z1EqI

Regards