Collect logs from TMG


Nataliia

Aug 11, 2022, 11:54:41 AM
to Wazuh mailing list
Hello!
I want to collect logs from Microsoft Forefront Threat Management Gateway. I can set up TMG to write its logs to a specified directory on the TMG server.
Please tell me how to set up the Wazuh agent to send logs from a specified directory to the Wazuh manager.

Mauricio Ruben Santillan

Aug 11, 2022, 12:41:23 PM
to Wazuh mailing list

Hello Nataliia,

Thanks for using Wazuh!

In order to collect logs from custom log files, you need to make use of Wazuh's localfile (log collector) module.
You can find related information here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html#log-collection

And here's an example of such module:

<ossec_config>
...
  <localfile>
    <location>C:\logtest\log.txt</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

This module would ingest all events contained in C:\logtest\log.txt. Make sure to set it up inside the <ossec_config> tags.

Also, you will most probably need to create some custom decoders and rules for your events.

I hope this helps! Let me know how everything goes!

Nataliia

Aug 12, 2022, 6:59:11 AM
to Wazuh mailing list
Thank you!

Thursday, 11 August 2022 at 19:41:23 UTC+3, mauricio....@wazuh.com:

Nataliia

Aug 18, 2022, 10:58:25 AM
to Wazuh mailing list
Hi there!
I added location to localfile:

<localfile>
  <location>D:\Logs\*</location>
  <log_format>syslog</log_format>
</localfile>

But in archives.log I see only EventChannel logs; I don't see anything from the files in D:\Logs.

Even when I set the location to a specific file - D:\Logs\ISALOG_20220818_WEB_000.w3c - I still don't see any logs besides the EventChannel logs.

Help me to configure localfile correctly, please.
Friday, 12 August 2022 at 13:59:11 UTC+3, Nataliia:
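As an added example (not from this thread and not Wazuh's own code), the following Python converter turns a TMG-style W3C Extended Log file, such as the ISALOG_*.w3c files above, into one JSON object per line that a localfile block with <log_format>json</log_format> can ingest without a custom decoder. The sample log lines are constructed, the TMG field set in the #Fields: header is assumed, and the helper names parse_w3c, to_json_lines and _clean are mine.

```python
"""Convert W3C Extended Log Format (the format TMG writes for its .w3c logs)
into one JSON object per line for Wazuh's json log_format.
Added example: sample lines are constructed and the field set is assumed."""
import json
import re

# Constructed sample resembling a TMG web-proxy W3C log (field names assumed).
SAMPLE_LOG = """#Software: Microsoft(R) Forefront(TM) Threat Management Gateway
#Version: 2.0
#Date: 2022-08-18 10:00:00
#Fields: c-ip cs-username date time r-host r-port cs-uri sc-status
10.0.0.5 DOMAIN\\alice 2022-08-18 10:00:01 example.com 443 https://example.com/ 200
10.0.0.6 - 2022-08-18 10:00:02 blocked.test 80 http://blocked.test/ 12202
"""

def _clean(name: str) -> str:
    """Turn a W3C field name into a safe JSON key: c-ip -> c_ip, cs(User-Agent) -> cs_user_agent."""
    return re.sub(r"[^0-9a-zA-Z]+", "_", name).strip("_").lower()

def parse_w3c(text: str) -> list[dict]:
    """Parse W3C Extended Log text. '#Fields:' directives define the columns,
    other '#' directives are skipped, and a bare '-' means an empty value."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [_clean(f) for f in line[len("#Fields:"):].split()]
            continue
        if not fields:
            raise ValueError("data line before any #Fields: directive")
        # TMG may write tab-delimited rows; fall back to whitespace splitting otherwise.
        values = line.split("\t") if "\t" in line else line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records

def to_json_lines(text: str) -> str:
    """One compact JSON object per line, the shape Wazuh's json log_format expects."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in parse_w3c(text))

if __name__ == "__main__":
    print(to_json_lines(SAMPLE_LOG))
```

With <log_format>syslog</log_format> the #Software, #Version and #Fields directive lines would be forwarded as ordinary events, so converting to JSON first also keeps the rules simpler.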