didn't see any logs flow under the archives.log


Operation Consultant

Oct 23, 2023, 11:37:34 PM
to Wazuh | Mailing List

Hello Wazuh support team,

As observed, no logs flow under the archives logs.


root@test01:/var/ossec/logs/archives# du -sh archives.log
0       archives.log

##

root@test01:/var/ossec/logs/archives# /var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.4.4"},{"WAZUH_REVISION":"40411"},{"WAZUH_TYPE":"server"}]}
root@test01:/var/ossec/logs/archives#


Thanks in advance

Henadence Anyam

Oct 24, 2023, 2:16:22 AM
to Wazuh | Mailing List
Hello Operation Consultant,

The Wazuh archives refer to the storage files created by the Wazuh server that contain logs and other security-related data collected from monitored endpoints. They store all events received by the Wazuh server, whether or not they trip a rule.
By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server.

Perform the steps below to enable the Wazuh archives on your Wazuh server.

1.) Edit the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the highlighted fields, <logall> and <logall_json>, to yes:

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>

    ...
</ossec_config>

Where:

  • The <logall> option enables or disables archiving of all log messages. When enabled, the Wazuh server stores the logs in syslog format. The allowed values are yes and no.

  • The <logall_json> option enables or disables logging of events. When enabled, the Wazuh server stores the events in JSON format. The allowed values are yes and no.

Depending on the format you desire, you can set one or both values of the highlighted fields to yes. However, only the <logall_json>yes</logall_json> option allows you to create an index that can be used to visualize the events on the Wazuh dashboard.

2.) Restart the Wazuh manager to apply the configuration changes:

sudo systemctl restart wazuh-manager

Depending on your chosen format, the file archives.log, archives.json, or both will be created in the /var/ossec/logs/archives/ directory on the Wazuh server.

Kindly follow the Wazuh archives guide to get detailed information in this regard.

Let me know if you find this information helpful.

Best regards.
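An added example, not part of the thread or of Wazuh itself, that turns the answer above into a check: it scans the <global> block of an ossec.conf for <logall> and <logall_json> and reports which archive files the manager will write, so an archives.log stuck at 0 bytes can be traced to a config that still has archives disabled. The two sample configs are constructed inline in place of /var/ossec/etc/ossec.conf, and the sed scan is a plain text match that does not skip XML comments.

```shell
#!/bin/sh
# Added example, not from the thread: read a Wazuh manager's ossec.conf and
# report which archive files (<logall> -> archives.log, <logall_json> ->
# archives.json) it enables. An empty archives.log is expected while <logall>
# is "no" or absent, since Wazuh ships with archives disabled.
# Assumption: a plain sed scan of <global>; XML comments are not skipped.

# Print the value of <tag> inside <global>, or "no" when the tag is absent.
global_setting() {
    cfg="$1"; tag="$2"
    val=$(sed -n '/<global>/,/<\/global>/p' "$cfg" |
          sed -n "s/.*<$tag>\([^<]*\)<\/$tag>.*/\1/p" | head -n 1)
    printf '%s\n' "${val:-no}"
}

# Print "log", "json", "log json" or "none" for the files this config produces.
archive_outputs() {
    cfg="$1"; out=""
    [ "$(global_setting "$cfg" logall)" = "yes" ] && out="log"
    [ "$(global_setting "$cfg" logall_json)" = "yes" ] && out="${out:+$out }json"
    printf '%s\n' "${out:-none}"
}

# Constructed sample configs standing in for /var/ossec/etc/ossec.conf:
# DISABLED_CFG matches the poster's symptom, ENABLED_CFG the suggested fix.
DISABLED_CFG=$(mktemp); ENABLED_CFG=$(mktemp)
trap 'rm -f "$DISABLED_CFG" "$ENABLED_CFG"' EXIT
cat >"$DISABLED_CFG" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
  </global>
</ossec_config>
EOF
cat >"$ENABLED_CFG" <<'EOF'
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
EOF

for f in "$DISABLED_CFG" "$ENABLED_CFG"; do
    echo "$f -> archive files: $(archive_outputs "$f")"
done
```

Run it against the real /var/ossec/etc/ossec.conf by passing that path to archive_outputs; "none" means the restart in step 2 will still leave /var/ossec/logs/archives/ empty.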