Hello, thanks for using Wazuh.
Wazuh uses the Log collector module on Wazuh agents/server to collect desired logs from monitored endpoints. Look at our documentation for a detailed description of this module and how it works. By default, the Wazuh agent on Windows endpoints collects Systems and Application logs, but you will need extra configuration for IIS and FTP log collection.
To configure the Wazuh agent to monitor a log file, edit your agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf like below depending on the log format. Then, restart the Wazuh agent.
<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>
To verify that the log file is being monitored, check the agent configuration file. To confirm that logs are being collected by the Wazuh server, you need to enable the Wazuh archives. When the Wazuh archives are enabled, all logs, both the ones with detection rules and those that do not have detection rules, will be collected and logged on the Wazuh server. Note that enabling the Wazuh archives will consume more disk space on the Wazuh server.
I hope this helps!
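
Added example, not part of the original reply: the two configuration changes described above, written out for IIS web logs only. It assumes the IIS default log directory with site ID 1 (W3SVC1), daily W3C log files, and the default manager configuration path /var/ossec/etc/ossec.conf; adjust these to your environment.

```xml
<!-- Agent side: C:\Program Files (x86)\ossec-agent\ossec.conf -->
<!-- Assumed path: default IIS log directory for site ID 1. -->
<!-- %y%m%d is expanded by the agent to the current date, so the -->
<!-- entry follows the daily u_exYYMMDD.log rotation. -->
<ossec_config>
  <localfile>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf (assumed default path) -->
<!-- Set these inside the existing <global> section. -->
<!-- logall writes every received event to archives.log, -->
<!-- logall_json writes the same events to archives.json. -->
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

After restarting the agent and the manager, IIS entries from the endpoint should appear in /var/ossec/logs/archives/archives.log on the server. Set both logall options back to no once collection is confirmed if the extra disk usage is a concern.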