Unable to ingest IIS logs


Ryan P

Jul 29, 2022, 9:06:26 AM
to Wazuh mailing list
I'm having an issue collecting IIS logs from a Windows 2019 instance using the Wazuh Agent V4.3.6 to Wazuh Server V4.3.6.

This is the config section:
  <localfile>
    <location>D:\Logs\IIS Log Files\W3SVC1\*.log</location>
    <log_format>iis</log_format>
    <only-future-events>no</only-future-events>
  </localfile>

This is what I see in ossec.log (with debug turned on)
2022/07/29 09:00:26 wazuh-agent[12080] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from D:\Logs\IIS Log Files\W3SVC1\u_ex220122.log
2022/07/29 09:00:26 wazuh-agent[12080] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from D:\Logs\IIS Log Files\W3SVC1\u_ex220123.log
2022/07/29 09:00:26 wazuh-agent[12080] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from D:\Logs\IIS Log Files\W3SVC1\u_ex220124.log

All of those log files contain logs.

IIS is configured to log in W3C format, UTF-8 encoding, with hourly file rollover.

Any help would be greatly appreciated.
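As an added example (not from this thread and not Wazuh's own code), a small Python parser for IIS W3C logs of the kind described above, showing what any collector has to cope with before it can count a single record: the UTF-8 BOM that IIS writes when configured for UTF-8, the `#` directive lines, and the `#Fields` header that names the columns. The sample log content is constructed.

```python
"""Parse IIS W3C-format log content and summarise what a collector should see."""
import codecs
from collections import Counter

# Constructed sample: an IIS W3C log written with UTF-8 encoding (BOM first).
# Field layout is IIS's default set; the values are made up.
SAMPLE = (
    b"\xef\xbb\xbf"  # UTF-8 BOM emitted by IIS for UTF-8 logging
    b"#Software: Microsoft Internet Information Services 10.0\r\n"
    b"#Version: 1.0\r\n"
    b"#Date: 2022-01-22 00:00:00\r\n"
    b"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    b"cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    b"sc-win32-status time-taken\r\n"
    b"2022-01-22 00:00:01 10.0.0.5 GET /index.html - 443 - 10.0.0.9 Mozilla/5.0 - 200 0 0 15\r\n"
    b"2022-01-22 00:00:02 10.0.0.5 GET /admin - 443 - 10.0.0.9 Mozilla/5.0 - 404 0 2 3\r\n"
)

def decode_log(data: bytes) -> tuple[str, str]:
    """Return (encoding label, text). IIS can write UTF-8 (with BOM) or UTF-16."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig", data.decode("utf-8-sig")
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16", data.decode("utf-16")
    return "utf-8", data.decode("utf-8")

def parse_w3c(text: str) -> list[dict]:
    """Return one dict per data line, keyed by the most recent #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):  # directive line: only #Fields carries layout
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")  # W3C format is space-delimited, '-' means empty
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records

def summarize(data: bytes) -> dict:
    """Counts a collector would report for a file: encoding, directives, records."""
    enc, text = decode_log(data)
    lines = [l for l in text.splitlines() if l]
    records = parse_w3c(text)
    return {"encoding": enc, "total_lines": len(lines),
            "directive_lines": sum(1 for l in lines if l.startswith("#")),
            "data_lines": len(records),
            "status_counts": dict(Counter(r["sc-status"] for r in records))}
```

Running `summarize` over a real file's bytes is a quick way to confirm the file actually has data lines and a sane encoding before looking further at the agent.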

moosemaimer

Jul 29, 2022, 3:43:50 PM
to Wazuh mailing list
Check your settings to make sure you're not ignoring .log$ by default.

Ryan P

Jul 29, 2022, 3:51:16 PM
to Wazuh mailing list
Where would I check that?

Ryan P

Aug 1, 2022, 8:29:53 AM
to Wazuh mailing list
I found this line and removed the .log$ entry, so the line now looks like this:
 <ignore type="sregex">.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

However, I'm still seeing the same issue. The files are being read by the system but no logs are processed.

Appreciate any guidance you can provide.
Ryan

On Friday, July 29, 2022 at 3:43:50 PM UTC-4 moosemaimer wrote:

Ryan P

Aug 9, 2022, 12:50:43 PM
to Wazuh mailing list
Is anyone able to help with this issue?