Error in Agent Log for IIS Eventchannel

[trail DMARC]

Hi, 

Please need your support to resolve the error happened in agent side while configuring iis logs through eventchannel.

("ERROR: Could not EvtSubscribe() for (Microsoft-Windows-IIS-Logging/Logs) which returned (15007)")

In IIS server both location activated for logging and logs are generated in both as well.

When we configure local file as below no error appear and logs are getting in wazuh  archive

<localfile>
    <location>%SystemDrive%\inetpub\logs\LogFiles\W3SVC2\*.log</location>
    <log_format>iis</log_format>
</localfile>

Please need a advice to resolve the above issue as we need to configure using eventchannel only.

Best Regrads,

[Marcos Darío Buslaiman]

Hi,
Thanks for using Wazuh!
I will help you with this issue, according the error 15007 seems the channel could not be found
Please could you share with me the ossec.conf file of your agent? (please remove all sensitive data).
Could you send me the XML view of Event viewer for the  "Microsoft-Windows-IIS-Logging"

Best Regards!

[Marcos Darío Buslaiman]

Hi,
Also, please try again changing your location using instead of "*" use "%y%m%d" like this example below:
<localfile>
<location>%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>
Ref. Doc. https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/log-data-configuration.html#using-environment-variables