Docker logs error
Steeven Sánchez
We are integrating Wazuh with an automation flow in n8n that generates logs in a local file. The flow works correctly internally: the file is created, the events are written, and the content is visible both on the server and within the container where n8n runs.
The problem is as follows:
Wazuh does not detect any of the events that n8n writes to the file.
However, if we edit the file manually (for example, by adding a period at the end of the file and saving), Wazuh immediately detects the change and generates the corresponding alert.
This confirms that:
- The file path in the agent configuration is correct.
- The agent is monitoring that file.
- The permissions are correct.
- The volume/file is accessible from both sides.
What we observe is that Wazuh only detects changes if the file is modified manually, but not when n8n writes to it, even though the data appears correctly in the file content.
Kind regards.
Javier Adán Méndez Méndez
This behavior usually comes from how n8n writes the file, not from the Wazuh path/permissions:
-
Make sure each event is written as a complete line and ends with a newline (\n) (one event per line / JSONL). If the last line isn’t terminated, wazuh-logcollector may not ingest it until another change happens (your “manual edit” effect).
-
Ensure n8n appends to the same file (no truncate/overwrite/atomic replace). If the file is being replaced, consider monitoring with a wildcard in <localfile> so Wazuh can re-match the file.
-
If you restarted components during tests, review <only-future-events> (set to no if you need it to read events written while logcollector was stopped). ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html
Quick validation: try echo "test\n" >> /path/to/file (must include the newline). If Wazuh ingests that but not n8n writes, it confirms it’s the writer format/mode.