regarding log issues

[Monesh]

Hello Team, 

Good morning ,i connected my wazuh dashboard with sysmon logs.it went on smoothly at first, recently i found that some processguid id's aren't showing on wazuh but it shows on eventviewer. i think it is dropping logs so can you give me ways to fix this 

[Md. Nazmur Sakib]

Hi Monesh,

I am looking into your query. Please allow me some time.

[Md. Nazmur Sakib]

To determine if Wazuh is dropping events, monitor these files on the Wazuh manager.

/var/ossec/var/run/wazuh-analysisd.state: the variable events_dropped indicates whether events are being dropped due to lack of resources.

Run on the Wazuh manager.

cat /var/ossec/var/run/wazuh-analysisd.state

/var/ossec/var/run/wazuh-remoted.state: the variable discarded_count indicates if messages from the agents were discarded.
Run on the Wazuh manager.

cat /var/ossec/var/run/wazuh-remoted.state

If both of the values are not zero your manager is dropping events.

Next, check the alert’s ossec.log to see if the agent’s event queue is dropping logs.

For this run, you can run this command in PowerShell as administrator on the agent.

Select-String -Path 'C:\Program Files (x86)\ossec-agent\ossec.log' -Pattern 'queue'

If you see no logs about the agent event queue being full, that indicates the agent is not dropping events.


In this case, I believe you do not have the necessary rule to trigger the alerts.

You can follow these documents to add custom rules for your logs for which you want alerts.


Rules Syntax

Regular Expression Syntax

Custom rules

If you need further help on this, let me know your findings.