Can't monitor every yum.log


Daniel D'Angeli

Jan 26, 2022, 5:21:23 AM
to Wazuh mailing list
Hi,

Wazuh Server / Agent 4.2.5

I'm trying to monitor the yum.log files to check installed, upgraded and erased apps on CentOS 7.

When I put this in the agent's ossec.conf it doesn't work:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/yum.log*</location>
  </localfile>

If I remove the * it gets the single file, so I guess it's a wildcard problem.

Any tips?

Regards,
Daniel D.

Jonathan Martín Valera

Jan 26, 2022, 5:49:17 AM
to Wazuh mailing list

Hello,

I have been testing it with an example and it seems to work correctly. I will comment below.

Using this configuration:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/yum.log*</location>
</localfile>

I have tested if it really works for the following cases:

  • yum.log
  • yum.logtest

And the result is that I get events whenever any of those files that comply with the yum.log* regex are modified.

Updating yum.log

2022 Jan 26 10:38:06 (agent1) any->/var/log/yum.log Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64

Updating yum.logtest

2022 Jan 26 10:38:22 (agent1) any->/var/log/yum.logtest Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64

Can you share the full name of your yum log files or specify more specifically your use case?

Regards.

Daniel D'Angeli

Jan 26, 2022, 5:52:00 AM
to Wazuh mailing list
Hi,

I'm trying to get files such as "yum.log-20220120" which, according to the ossec.log, the agent is not monitoring.

Regards,
Daniel D.

Jonathan Martín Valera

Jan 26, 2022, 8:20:18 AM
to Wazuh mailing list

Hi,

With that configuration, I am also receiving events from those files. For example /var/log/yum.log-20220131:

2022 Jan 26 13:06:11 (agent1) any->/var/log/yum.log-20220131 Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64

Regarding the ossec.log, it seems that in these cases where the wildcard is used, you do not get a log like the following:

Analyzing file: '<your_file>'

But when you use a specific name it does appear:

Analyzing file: '/var/log/yum.log-20220132'

Don’t worry about this, because although the log does not appear, it is being monitored (you can check it in the events received as I have done).

I have to tell you that if a new file is created (after restarting the wazuh-agent with that configuration) that complies with the location regex, there is a default period of 64 seconds in which it starts monitoring the contents of that file (See logcollector.vcheck_files option in https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector).

For example, imagine the following files exist:

  • /var/log/yum.log-20220120
  • /var/log/yum.log-20220121
  • /var/log/yum.log-20220122

If I apply the above configuration and restart the wazuh-agent, these files will be monitored instantly. But if I create a new file /var/log/yum.log-20220123, it will start monitoring after the logcollector.vcheck_files time, which is by default 64 seconds.

I hope this has clarified your doubts.

Regards.
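Because the thread establishes that a wildcard `<location>` produces no "Analyzing file" line in ossec.log, the only way to confirm that every rotated yum.log is actually being collected is to look at the events that arrive, as Jonathan does above. The following script is an added example, not part of this thread and not Wazuh code: it takes the `<location>` pattern from the configuration above, a constructed list of file names as they would sit in /var/log on a CentOS 7 host, and a constructed set of events in the exact `(agent) any->/path yum-line` form quoted in the replies, then reports which matching files have produced events, which matching files are still silent (for instance a file younger than the logcollector.vcheck_files window), and a tally of Installed / Updated / Erased actions, which was the original goal of the first post. Using Python's `fnmatch` to stand in for the agent's own wildcard matching is an assumption; the two extra Updated/Erased lines are constructed.

```python
import fnmatch
import re
from collections import Counter

# The <location> value from the thread's ossec.conf snippet.
LOCATION = "/var/log/yum.log*"

# Constructed sample: file names as logrotate's dateext would leave them,
# plus two files that must NOT match the pattern.
FILES_ON_DISK = [
    "/var/log/yum.log",
    "/var/log/yum.logtest",
    "/var/log/yum.log-20220120",
    "/var/log/yum.log-20220131",
    "/var/log/yum-history.log",   # constructed, does not match yum.log*
    "/var/log/messages",          # constructed, does not match yum.log*
]

# Constructed sample events in the form quoted in the thread:
# "<received ts> (<agent>) <src>-><file> <original yum.log line>"
# The first three are the lines shown in the replies; the Updated/Erased
# lines are constructed to exercise the other yum.log actions.
EVENTS = """\
2022 Jan 26 10:38:06 (agent1) any->/var/log/yum.log Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64
2022 Jan 26 10:38:22 (agent1) any->/var/log/yum.logtest Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64
2022 Jan 26 13:06:11 (agent1) any->/var/log/yum.log-20220131 Jan 26 05:30:58 Installed: tree-1.6.0-10.el7.x86_64
2022 Jan 26 13:07:40 (agent1) any->/var/log/yum.log Jan 26 13:07:38 Updated: bash-4.2.46-35.el7_9.x86_64
2022 Jan 26 13:09:02 (agent1) any->/var/log/yum.log Jan 26 13:09:00 Erased: tree-1.6.0-10.el7.x86_64
"""

# Wazuh receive prefix followed by the yum.log body ("<Mon dd HH:MM:SS> <Action>: <pkg>").
EVENT_RE = re.compile(
    r"^(?P<received>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<src>[^-]+)->(?P<file>\S+) "
    r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>[A-Za-z-]+): (?P<pkg>\S+)$"
)


def matching_files(location, files):
    """Files that the wildcard <location> would select (fnmatch stands in for the agent's glob; assumption)."""
    return sorted(f for f in files if fnmatch.fnmatchcase(f, location))


def parse_event(line):
    """Split one received event into its fields, or return None if it is not a yum.log event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def coverage_report(location, files, events_text):
    """Compare the files the pattern selects against the files that actually produced events."""
    matched = matching_files(location, files)
    parsed = [e for e in map(parse_event, events_text.splitlines()) if e]
    seen = {e["file"] for e in parsed}
    return {
        "matched": matched,
        # Matching files with no events yet: new rotations inside the vcheck_files window show up here.
        "silent": [f for f in matched if f not in seen],
        # Events from files the pattern does not cover would indicate a configuration mismatch.
        "unexpected": sorted(seen - set(matched)),
        # Count of yum actions across all collected events (the first post's actual goal).
        "actions": Counter(e["action"] for e in parsed if e["file"] in matched),
        "packages": [(e["action"], e["pkg"]) for e in parsed if e["file"] in matched],
    }


if __name__ == "__main__":
    report = coverage_report(LOCATION, FILES_ON_DISK, EVENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live deployment the `EVENTS` text would be replaced by lines pulled from the manager's archives output and `FILES_ON_DISK` by a listing of /var/log on the agent; a file that stays in `silent` for longer than the 64-second logcollector.vcheck_files interval described above is the one worth investigating.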

Daniel D'Angeli

Jan 26, 2022, 8:22:15 AM
to Wazuh mailing list
Hi,

Thanks, I will apply the configuration.

Have a great day!

Daniel D.
