Multiple Azure storage account integration on a single-node Wazuh deployment

CJK

Feb 26, 2026, 5:20:31 AM
to Wazuh | Mailing List
Hi Team,

I am running Wazuh 4.14.2 on my Azure infra and I have integrated different log sources via an Azure storage account, under <wodle name="azure-logs"> and under <storage>.

I am already collecting logs from AKS, LB, etc. on my storage account1. Now, for other services, I need to integrate one more storage account with different creds which has the logs inside it.
While referring to the Wazuh doc (#microsoft-azure-storage) I came to know that we cannot add different storage accounts and creds on the same path, as it mentions "The file must contain only two lines". If so, how will I integrate multiple storage accounts? Is it possible to have multiple <storage> tags in the same ossec.conf? Can someone help me with this?

Thanks & regards
Clint

victor....@wazuh.com

Feb 26, 2026, 6:24:27 AM
to Wazuh | Mailing List
Yes, it is possible to integrate multiple Azure storage accounts within a single configuration. The limitation regarding the "two-line file" applies strictly to the individual authentication files, not to the number of storage accounts you can define.

To achieve this, you must define multiple <storage> blocks within the same <wodle name="azure-logs"> section, with each block referencing a unique credential file.

First, you need to create separate authentication files. Each storage account requires its own credential file. These files must contain exactly two lines: the account name and the account key.

File 1: /var/ossec/wodles/azure/credentials/auth_storage_1
account_name=<STORAGE_ACCOUNT_1_NAME>
account_key=<STORAGE_ACCOUNT_1_KEY>

File 2: /var/ossec/wodles/azure/credentials/auth_storage_2
account_name=<STORAGE_ACCOUNT_2_NAME>
account_key=<STORAGE_ACCOUNT_2_KEY>

Check the Monitoring Azure platform and services documentation for more information regarding the access credentials.

Then, update the ossec.conf to include a separate <storage> tag for each account. You can specify different containers, blobs, and tags for each account to distinguish the logs in the Wazuh manager. For example:

<wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>yes</run_on_start>
    <interval>1d</interval>
    <storage>
        <auth_path>/home/manager/Azure/storage_auth1.txt</auth_path>
        <tag>azure-activity1</tag>
        <container name="insights-logs-auditlogs">
            <blobs>.json</blobs>
            <content_type>json_inline</content_type>
            <time_offset>24h</time_offset>
        </container>
    </storage>
    <storage>
        <auth_path>/home/manager/Azure/storage_auth2.txt</auth_path>
        <tag>azure-activity2</tag>
        <container name="insights-logs-auditlogs2">
            <blobs>.json</blobs>
            <content_type>json_inline</content_type>
            <time_offset>24h</time_offset>
        </container>
    </storage>
</wodle>

After making changes, verify the configuration and restart the manager.

Both storages should be monitored, generating logs like the following:

2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Module started.
2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Starting fetching of logs.
2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Starting Storage log collection for 'azure-activity1'.
...
2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for container 'insights-logs-auditlogs'.
...
2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for 'azure-activity1'.
...
2026/02/26 11:10:02 wazuh-modulesd:azure-logs: INFO: Starting Storage log collection for 'azure-activity2'.
...
2026/02/26 11:10:03 wazuh-modulesd:azure-logs: INFO: Finished Storage log collection for container 'insights-logs-auditlogs2'.

Take into account that if you are monitoring a very high volume of logs across many storage accounts, you should consider adjusting the <interval> to prevent overlap in processing cycles.

Let me know if you have further issues with the integration.
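
A pre-restart check for the multi-account setup described in the reply above, as an added example that is not part of the original thread or Wazuh's own tooling: it parses ossec.conf text, confirms that each <storage> block under azure-logs points to its own two-line credential file, and flags credential files accessible to other users. The function names, the permission check and the sample values built in demo() are assumptions made for illustration.

```python
import os, stat, tempfile
import xml.etree.ElementTree as ET

def check_auth_file(path):
    """Problems in one credential file: wants exactly account_name and account_key lines."""
    try:
        mode = os.stat(path).st_mode
        with open(path) as fh:
            keys = [ln.split("=", 1)[0].strip() for ln in fh if ln.strip()]
    except OSError as exc:
        return [f"{path}: cannot read ({exc.strerror})"]
    problems = []
    if keys != ["account_name", "account_key"]:
        problems.append(f"{path}: expected account_name and account_key lines, found {keys}")
    if mode & stat.S_IRWXO:  # hardening check assumed here, not a documented Wazuh requirement
        problems.append(f"{path}: accessible to other users (mode {stat.S_IMODE(mode):o})")
    return problems

def check_azure_storage(conf_text):
    """Check every <storage> block of the azure-logs wodle in ossec.conf text."""
    root = ET.fromstring(f"<root>{conf_text}</root>")  # ossec.conf may hold several top-level elements
    problems, paths, tags = [], set(), set()
    for storage in root.iterfind(".//wodle[@name='azure-logs']/storage"):
        path = (storage.findtext("auth_path") or "").strip()
        tag = (storage.findtext("tag") or "").strip()
        if path in paths:
            problems.append(f"{path}: used by more than one <storage> block")
        if tag and tag in tags:
            problems.append(f"tag '{tag}' is reused, so the sources cannot be told apart")
        paths.add(path)
        tags.add(tag)
        problems += check_auth_file(path)
    return problems

def demo():
    """Constructed sample: file 1 is valid, file 2 has a third line and mode 644."""
    d = tempfile.mkdtemp()
    files = [(os.path.join(d, "auth_storage_1"), "account_name=demo1\naccount_key=PLACEHOLDER\n", 0o640),
             (os.path.join(d, "auth_storage_2"), "account_name=demo2\naccount_key=PLACEHOLDER\nx=1\n", 0o644)]
    blocks = ""
    for i, (path, body, mode) in enumerate(files, 1):
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        blocks += f"<storage><auth_path>{path}</auth_path><tag>azure-activity{i}</tag></storage>"
    return check_azure_storage(f'<ossec_config><wodle name="azure-logs">{blocks}</wodle></ossec_config>')

if __name__ == "__main__":
    print("\n".join(demo()))
```

To run it against a real manager, pass the contents of the manager's ossec.conf to check_azure_storage() and treat an empty list as a pass.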

CJK

Mar 6, 2026, 6:20:45 AM
to Wazuh | Mailing List
Thanks.