How can we monitor Nginx, Apache logs with Wazuh Agent


Dhiraj Ambigapathi

Apr 10, 2023, 4:06:35 AM
to Wazuh mailing list
So I have the Wazuh agent installed on an Ubuntu instance.
I have a few doubts about the following:
Can I use the instance to monitor Apache and Nginx logs?
Do I need to write decoders for the same?
Does Wazuh support Filebeat, so I can use Filebeat modules for the same?

Benjamin Nworah

Apr 10, 2023, 6:16:58 AM
to Wazuh mailing list
Dear Dhiraj,

Thank you for choosing Wazuh.

You can easily ingest your apache/nginx log into Wazuh. To achieve this, follow the below steps:

1- Add the below configuration on the Wazuh agent by editing the /var/ossec/etc/ossec.conf file
<localfile>
  <location>/path/to/apache/access.log</location>
  <log_format>syslog</log_format>
</localfile>


2- Restart the Wazuh agent for your changes to take effect.
systemctl restart wazuh-agent 
    OR 
service wazuh-agent restart

Wazuh has decoders for both Apache and Nginx:

https://github.com/wazuh/wazuh-ruleset/tree/master/decoders

If the above decoders do not match your logs, you can easily create a custom decoder and rules. You can refer to this link to create custom decoders and rules.
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Please let me know if this helps.

Regards,

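A pre-restart check for step 1 of the reply above, as an added example that is not part of the original thread or of Wazuh's own tooling: it lists every <localfile> block in an ossec.conf and flags file paths the agent would have nothing to read from. The function names and SAMPLE_CONF are constructed for illustration; the sample reuses the placeholder path from the reply.

```python
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: two <ossec_config> sections, as an agent config can have.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>/path/to/apache/access.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""

def localfile_entries(conf_text):
    """Return (location, log_format) for every <localfile> block."""
    # Several top-level <ossec_config> elements are not well-formed XML on
    # their own, so parse them under a synthetic root element.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return [((lf.findtext("location") or "").strip(),
             (lf.findtext("log_format") or "").strip())
            for lf in root.iter("localfile")]

def audit_localfiles(conf_text):
    """Return (location, problem) pairs for file-based entries that look broken."""
    problems = []
    for location, log_format in localfile_entries(conf_text):
        if not location.startswith("/"):
            continue  # command output or non-path source: nothing to check on disk
        if not log_format:
            problems.append((location, "missing <log_format>"))
        matches = glob.glob(location)  # handles plain paths and wildcards
        if not matches:
            problems.append((location, "no file matches this path"))
        elif not all(os.access(m, os.R_OK) for m in matches):
            problems.append((location, "file is not readable by this user"))
    return problems

if __name__ == "__main__":
    # Pass the path to ossec.conf as the first argument; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for location, problem in audit_localfiles(text):
        print(f"{location}: {problem}")
```

Run it as a user with read access to ossec.conf and to the web-server logs, otherwise the readability check reflects that user's permissions rather than the agent's.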