Wazuh agent not sending Json file logs to Wazuh manager

[Akuzike Nchembe]

Hi everyone. I have a problem with my Wazuh configurations, I have configured my Wazuh server to be reading json files through the log collector and have also set up the rules to trigger the alerts. The problem is that the logs are to being sent to the server, even though the wazuh agent is able to analyze the file.

 

The above screenshot depicts the wazuh agent logs analyzing the file.

I have tested the rule configured and it works.

[Pedro Nicolás Gomez]

Hi  Akuzike Nchembe,

I have made a test based on the screenshots you shared and in my case it is working correctly.

In a windows agent I monitor the json file:

<localfile>

    <location>C:\Users\54358\Desktop\test-json.json</location>

    <log_format>json</log_format>

  </localfile>

In the manager I have created a test rule that checks rule.group and rule.level:

<group name="test">

    <rule id="100002" level="5">

        <field name="rule.groups">downloads</field>

        <field name="rule.level">5</field>

        <description>Test rule - $(path)</description>

    </rule>

</group>

Restart agent and manager

In the monitored file C:\Users\54358\Desktop\test-json.json I paste the test json you shared in the image (a little reduced to make the test easier).

{"dhost": "dhost", "duser": "duser", "guid": "guid", "description": "Google Chrome download", "path": "C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe", "rule": {"level": 5, "groups": "downloads"}, "time": "2024-05-16T14:16:33.867282Z", "mime_type": "application/x-msdownload", "referrer": "any-url", "download_chain": ["download_chain"]}

And I see that in the alerts.json the alert is being generated correctly:

{"timestamp":"2024-05-23T14:33:05.233+0000","rule":{"level":5,"description":"Test rule - C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe","id":"100002","firedtimes":4,"mail":false,"groups":["test"]},"agent":{"id":"001","name":"LAPTOP-SI21F60O","ip":"192.168.0.4"},"manager":{"name":"vagrant"},"id":"1716474785.93524","full_log":"{\"dhost\":\"dhost\",\"duser\":\"duser\",\"guid\":\"guid\",\"description\":\"Google Chrome download\",\"path\":\"C:\\\\Users\\\\user\\\\Downloads\\\\VSCodeUserSetup-x64-1.89.1.exe\",\"rule\":{\"level\":5,\"groups\":\"downloads\"},\"time\":\"2024-05-16T14:16:33.867282Z\",\"mime_type\":\"application/x-msdownload\",\"referrer\":\"any-url\",\"download_chain\":[\"download_chain\"]}","decoder":{"name":"json"},"data":{"dhost":"dhost","duser":"duser","guid":"guid","description":"Google Chrome download","path":"C:\\Users\\user\\Downloads\\VSCodeUserSetup-x64-1.89.1.exe","rule":{"level":"5","groups":"downloads"},"time":"2024-05-16T14:16:33.867282Z","mime_type":"application/x-msdownload","referrer":"any-url","download_chain":["download_chain"]},"location":"C:\\Users\\54358\\Desktop\\test-json.json"}

Could you share your file configuration in the agent and the rule you are using?

[Shaikh Krunal]

I also have exact same problem