Monitoring custom log file on a remote endpoint

Tristan

Dec 11, 2025, 11:20:27 AM (6 days ago) Dec 11
to Wazuh | Mailing List
Hi Wazuh team, hope you're doing well

I'm running into some issues with specific logs which should be monitored by one of my Wazuh agents.

The log format is as follows:
[2025-12-10 16:04:40] [MAIL AUTOMATIQUE] Transfert APP vers DB - Résultat du transfert de données
Succès : Le transfert des données pour la table APPRECORDS_TASK a été effectué avec succès.
Succès : Le transfert des données pour la table APPRECORDS_SERVICE a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_AGENT_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_GROUP_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_SERVICE_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_SERVICEMAIL_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_AGENTBYSERVICE_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_AGENTBYSERVICEMAIL_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_QUALIFBYSERVICE_D a été effectué avec succès.
Succès : Le transfert des données pour la table APPSTAT_QUALIFBYAGENTBYSERVICE_D a été effectué avec succès.
Durée totale de traitement : 00:00:01
----------------------------------------

Those events are related to one operation and should be treated as one log. In order to achieve that, I added the following configuration on the manager, into the agent.conf of the group which the host is part of:

  <agent_config name="^SERVER-HOST1$">
    <localfile>
      <location>C:\transfert_test.log</location>
      <log_format>multi-line-regex</log_format>
      <multiline_regex replace="wspace" match="end">^Dur.. totale de traitement : \d{2}:\d{2}:\d{2}</multiline_regex>
    </localfile>
  </agent_config>

At this point, the following things are working:
- The agent monitors the file
- When events are written in the log file, the Wazuh manager receives the event

However, my main issue is that the manager only receives the first character of the log. Here is a portion of the archives.log file when the event is received by the manager:
2025 Dec 11 15:43:01 ( SERVER-HOST1  ) any->C:\ transfert_test.log [

I tried playing around with the regex and the type of multiline_regex used (end, start), but it just doesn't work.

Would you have any idea how I can solve this issue?

Best regards,

Tristan

Olamilekan Abdullateef Ajani

Dec 11, 2025, 1:47:36 PM (6 days ago) Dec 11
to Wazuh | Mailing List
Hello Tristan,

Can you try the localfile multi-regex configuration below? I used it, and it worked based on your log. You can check the attached image for reference.

  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>C:\temp-file2\testing.log</location>
    <multiline_regex replace="wspace">^\[</multiline_regex>
  </localfile>

You can check out other configuration parameters for multi-line regex here: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#multiline-regex

Please note you can customize this based on your logs depending on how they are generated; the above is just a sample of how you can achieve ingestion.
multiline-regex.png

Tristan

Dec 14, 2025, 5:17:21 PM (3 days ago) Dec 14
to Wazuh | Mailing List
Hi Olamilekan, thanks a lot for your feedback.

I modified my multiline-regex as you suggested. However, I'm still receiving empty logs.

I don't know if this matters, but to test my configuration, I'm copying the logs from the real log file to a test file using the following PowerShell command:
Get-Content "C:\app\logs\transfert.log" >> .\transfert_test.log

Here is the output of archives.json when I tried your configuration:
{"timestamp":"2025-12-12T09:17:36.554+0100","agent":{"id":"019","name":" SERVER-HOST1  ","ip":"192.168.1.100"},"manager":{"name":"wazuh-manager"},"id":"1765527456.704277947","full_log":"[","decoder":{},"location":"C:\\transfert_test.log"}

It seems like the decoder just stops at the first [ in the log.

Olamilekan Abdullateef Ajani

Dec 16, 2025, 7:47:51 AM (yesterday) Dec 16
to Wazuh | Mailing List
Hello Tristan,

I used the log you shared initially to test, and you can see the outcome in the image attached to my response. For this to work, we need to know the starting point for each log, that is, how the multiline regex knows how to handle the log and when to pass it to the manager.
If the same config I shared with you did not work, that means the log line is not accurate or is missing some vital information. When you copy the log file from transfert.log to transfert_test.log, the logs are read line by line. If 5 lines make a complete log, we need to identify those parameters and configure multiline regex appropriately.

In the log you shared, I used the sample localfile option:
  <localfile>
    <log_format>multi-line-regex</log_format>
    <location>C:\temp-file2\testing.log</location>
    <multiline_regex replace="wspace">^\[</multiline_regex>
  </localfile>
because I assumed your log begins with the below:
[2025-12-10 16:04:40] [MAIL AUTOMATIQUE] Transfert APP vers DB - Résultat du transfert de données

That tells the Wazuh agent: whenever you see a line that starts with [, begin capturing all lines below it as one log message until the next log starts; then wspace replaces the newline characters in the multi-line block with a single whitespace.

This explains why I was able to capture the log.

With the information above, please review the actual log and share a sample so I can understand the log structure.

Regards,
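Added example (not from the thread or from Wazuh's code base): a small Python model of how a multi-line-regex collector groups the lines of the log block shown above, covering both the match="end" pattern from the first message (^Dur.. totale de traitement : \d{2}:\d{2}:\d{2}) and the match="start" pattern ^\[ from the reply, with replace="wspace" joining. It also includes a file-encoding check, because a full_log of just "[" is exactly what a NUL-terminated string reader sees of a UTF-16LE file (each ASCII character is followed by a 0x00 byte); Windows PowerShell 5.1's >> redirection writes UTF-16LE by default, whereas PowerShell 7 writes UTF-8. Whether that is the cause in this thread is an assumption; the check is what a practitioner would run to confirm or rule it out. The sample lines are constructed from the log in the thread, and collect_multiline is a simplified model, not the agent's implementation.

```python
import re

# Constructed sample: two transfer blocks in the format posted in the thread.
SAMPLE_LOG = (
    "[2025-12-10 16:04:40] [MAIL AUTOMATIQUE] Transfert APP vers DB - Résultat du transfert de données\n"
    "Succès : Le transfert des données pour la table APPRECORDS_TASK a été effectué avec succès.\n"
    "Succès : Le transfert des données pour la table APPRECORDS_SERVICE a été effectué avec succès.\n"
    "Durée totale de traitement : 00:00:01\n"
    "----------------------------------------\n"
    "[2025-12-10 17:04:40] [MAIL AUTOMATIQUE] Transfert APP vers DB - Résultat du transfert de données\n"
    "Succès : Le transfert des données pour la table APPSTAT_AGENT_D a été effectué avec succès.\n"
    "Durée totale de traitement : 00:00:02\n"
    "----------------------------------------\n"
)

# The same text as a file written by Windows PowerShell 5.1 (UTF-16LE with BOM)
# and as a UTF-8 file. Both are constructed here for the demonstration.
UTF16_SAMPLE = b"\xff\xfe" + SAMPLE_LOG.encode("utf-16-le")
UTF8_SAMPLE = SAMPLE_LOG.encode("utf-8")

JOINERS = {"wspace": " ", "tab": "\t", "none": "", "no-replace": "\n"}


def collect_multiline(lines, pattern, match="start", replace="wspace"):
    """Simplified model (assumption, not Wazuh's code) of multi-line-regex grouping.

    match="start": a line matching `pattern` opens a new event; the lines buffered
    so far are emitted as the previous event.
    match="end":   a line matching `pattern` closes the current event.
    `replace` selects what newlines inside one event are replaced with.
    Returns (emitted_events, lines_still_buffered).
    """
    rx = re.compile(pattern)
    joiner = JOINERS[replace]
    events, buf = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if match == "start":
            if rx.search(line) and buf:
                events.append(joiner.join(buf))
                buf = []
            buf.append(line)
        elif match == "end":
            buf.append(line)
            if rx.search(line):
                events.append(joiner.join(buf))
                buf = []
        else:
            raise ValueError("match must be 'start' or 'end' in this model")
    # Trailing lines with no closing/next-start match stay buffered; the real
    # agent flushes them after its timeout instead.
    return events, buf


def looks_utf16(data: bytes) -> bool:
    """Heuristic: UTF-16 BOM, or many NUL bytes in the first 64 bytes."""
    head = data[:64]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):
        return True
    return len(head) > 1 and head.count(b"\x00") > len(head) // 4


def first_c_string(data: bytes) -> str:
    """What a NUL-terminated (C-string) reader would see as the first line.

    For UTF-16LE text the first ASCII character is followed by 0x00, so the
    reader stops after one character, matching the "full_log":"[" symptom.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        data = data[2:]  # skip the byte-order mark
    text = data.split(b"\x00", 1)[0].decode("utf-8", "replace")
    return text.splitlines()[0] if text else ""


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines(True)
    end_events, end_rest = collect_multiline(
        lines, r"^Dur.. totale de traitement : \d{2}:\d{2}:\d{2}", match="end")
    start_events, start_rest = collect_multiline(lines, r"^\[", match="start")
    print("match=end  ->", len(end_events), "events;", len(end_rest), "line(s) left buffered")
    print("match=start->", len(start_events), "events;", len(start_rest), "line(s) left buffered")
    for enc_name, blob in (("utf-16le", UTF16_SAMPLE), ("utf-8", UTF8_SAMPLE)):
        print(enc_name, "looks_utf16:", looks_utf16(blob), "first C string:", first_c_string(blob))
```

Two things the model makes visible. With match="end", the dashed separator line after "Durée totale ..." is not part of the closed event, so it becomes the first line of the next one; with match="start" on ^\[, the separator ends up at the tail of the event it belongs to, and the last block stays buffered until another "[" line (or the agent's timeout) arrives. Separately, `.` in the Python pattern matches one character, so `Dur..` covers "Durée"; an engine that matches bytes on UTF-8 input sees "é" as two bytes, which is worth checking against the agent's regex library before relying on a `..` wildcard for accented text.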