Archives.log


Jymmy Hands

Aug 25, 2023, 12:26:40 PM
to Wazuh | Mailing List
I cannot see the log events of one of the teams that I am adding to Wazuh. I run the cat command to see the events of the teams and I only see the events of the first installed team, but not the second. However, with a tcpdump I see that both computers are sending me logs.

sudo cat /var/ossec/logs/archives/archives.log | grep waf
shows the logs

sudo cat /var/ossec/logs/archives/archives.log | grep vpn
does not show the logs

Marcos Darío Buslaiman

Aug 25, 2023, 1:53:16 PM
to Wazuh | Mailing List
Hi Jymmy,
Thanks for using Wazuh!
If I understand correctly, you have added agents to Wazuh Manager and you are not receiving events from one of them.
For this, I would recommend you review the following:
From the Wazuh UI Menu --> Agents, is the agent listed? With which status?
Here you can find more information about Agent status https://documentation.wazuh.com/current/user-manual/agents/agent-life-cycle.html

On the Wazuh Manager, check the log /var/ossec/logs/ossec.log and search there by agent ID (if it has one) or by IP, to verify whether the agent is able to connect to the Wazuh Manager.
On the agent, depending on the OS, you can review the following logs:
Windows: C:\Program Files (x86)\ossec-agent\ossec.log
Linux: /var/ossec/logs/ossec.log
Here you can find information about agent installation on different OSes.

In case the agent is connected (active status), you can enable the logall_json parameter in the Wazuh Manager configuration and then check archives.json to see if you are receiving events from this agent.
On the Wazuh Manager you need to set the logall_json option to yes,
like here:
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

It is important to take into account that by activating this, all the events of all the agents that you have connected will be written to this log, therefore you must be careful with disk space.

Please let me know if this helped, or, if I did not understand your question, please ask for more information about the problem.

Regards
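An added check for the archives.json step above (example code, not from the Wazuh project or this thread): it parses the JSON lines that logall_json writes and counts events per agent and location, so you can see whether the second host's events reach the manager at all before writing decoders. The field layout (agent.name, location, full_log) and the sample lines are assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample of archives.json lines (one JSON object per line), shaped
# like the manager's /var/ossec/logs/archives/archives.json output (assumed
# layout, not copied from a real deployment). The last line is deliberately
# malformed to show that a partial write does not abort the scan.
SAMPLE_ARCHIVES = """\
{"timestamp":"2023-08-25T12:00:01.000+0000","agent":{"id":"001","name":"waf-host"},"location":"/var/log/waf.log","full_log":"WAF blocked request from 203.0.113.7"}
{"timestamp":"2023-08-25T12:00:02.000+0000","agent":{"id":"001","name":"waf-host"},"location":"/var/log/waf.log","full_log":"WAF allowed request"}
{"timestamp":"2023-08-25T12:00:03.000+0000","agent":{"id":"002","name":"vpn-host"},"location":"/var/log/vpn.log","full_log":"vpn: user alice connected"}
this line is not json
"""

def parse_archives(text):
    """Yield decoded events, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or junk line: skip it rather than abort

def events_per_source(text):
    """Count events by (agent name, location): which sources actually arrive."""
    counts = Counter()
    for ev in parse_archives(text):
        agent = ev.get("agent", {}).get("name", "?")
        counts[(agent, ev.get("location", "?"))] += 1
    return dict(counts)

def grep_full_log(text, needle):
    """Return full_log strings containing needle (case-insensitive), like grep."""
    needle = needle.lower()
    return [ev["full_log"] for ev in parse_archives(text)
            if needle in ev.get("full_log", "").lower()]

if __name__ == "__main__":
    for (agent, loc), n in sorted(events_per_source(SAMPLE_ARCHIVES).items()):
        print(f"{agent:10s} {loc:20s} {n}")
    print(grep_full_log(SAMPLE_ARCHIVES, "vpn"))
```

On a real manager, read the file with `open("/var/ossec/logs/archives/archives.json").read()` in place of SAMPLE_ARCHIVES; a source that never appears in the counts is not reaching the manager, while one that appears but is missing from alerts needs a decoder or rule.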

Marcos Darío Buslaiman

Aug 28, 2023, 3:38:24 PM
to Wazuh | Mailing List
Hi Jymmy,
I would like to add a few things to my previous answer.
It is possible that you need to create some custom decoders and rules. I hope to see those events on archives.json to analyze them and create these custom rules and decoders based on that (if logall_json is enabled).
Regarding the VPN logs, are you sending those logs from your device directly to the Wazuh Manager, or are you using an agent?

Regards! 

