Monitoring IIS logs with Wazuh agent


Kamran arshad

Jan 11, 2024, 8:00:43 AM
to Wazuh | Mailing List
I am trying to monitor IIS logs with Wazuh. I have followed the official documentation for that and got in touch with the Wazuh Slack community, but no resolution. They gave me some steps that I followed, but still no resolution. I can't see logs in archive.log after enabling the logall feature; no logs are there. There are no errors in ossec.log; it says the file analysis has started. Any help, please.

<localfile>
    <location>%SystemDrive%\inetpub\logs\LogFiles\W3SVC2\u_ex*.log</location>
    <log_format>iis</log_format>
</localfile>

Francis Timilehin Jeremiah

Jan 11, 2024, 8:42:55 AM
to Wazuh | Mailing List
Hello Kamran, use this format, <log_format>syslog</log_format>, then restart the Wazuh agent. I hope this helps!

Kamran arshad

Jan 11, 2024, 9:18:38 AM
to Wazuh | Mailing List
I have tried this as well, but it didn't work.

Francis Timilehin Jeremiah

Jan 11, 2024, 3:35:18 PM
to Wazuh | Mailing List
Hello Kamran, can you share a screenshot of your %SystemDrive%\inetpub\logs\LogFiles\W3SVC2\ folder? Are the logs JSON or syslog? Also, confirm that new logs are being added to the file(s).

Bruno Alves

Jan 16, 2024, 3:44:42 PM
to Wazuh | Mailing List
I use it this way in my environment and it works:

<localfile>
    <location>%SystemDrive%\inetpub\logs\LogFiles\W3SVC2\*.log</location>
    <log_format>syslog</log_format>
</localfile>

But be careful with the number of log files, because if you have more than 200 files the agent may have difficulty reading them.
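
The checks raised in the thread (do any files match the wildcard, are new entries arriving, how many files are in the folder), as an added PowerShell example that is not part of any poster's message. The folder, the `u_ex*.log` pattern and the 200-file figure come from the posts above; the parameter names and `$StaleMinutes` are assumptions.

```powershell
# Added example: sanity-check the IIS log folder the <localfile> block points at.
# Folder, pattern and the 200-file figure are from the thread; $StaleMinutes is an assumed value.
param(
    [string]$LogDir = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC2",
    [string]$Pattern = 'u_ex*.log',
    [int]$MaxFiles = 200,
    [int]$StaleMinutes = 30
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Error "Log folder not found: $LogDir"
    exit 1
}

$files = @(Get-ChildItem -LiteralPath $LogDir -Filter $Pattern -File |
           Sort-Object LastWriteTime -Descending)
if ($files.Count -eq 0) {
    Write-Warning "No files match $Pattern in $LogDir; the <location> wildcard would match nothing."
    exit 1
}

"Files matching pattern : {0}" -f $files.Count
if ($files.Count -gt $MaxFiles) {
    Write-Warning "More than $MaxFiles files match; archive old logs or narrow the wildcard."
}

# Timestamps on a file IIS still holds open can lag, so treat staleness as a hint only.
$newest = $files[0]
$age = (Get-Date) - $newest.LastWriteTime
"Newest file            : {0} (last write {1:N0} min ago)" -f $newest.Name, $age.TotalMinutes
if ($age.TotalMinutes -gt $StaleMinutes) {
    Write-Warning "Newest file looks idle for over $StaleMinutes minutes; check that this site is logging here."
}

# IIS W3C logs start with '#' directive lines; '#Fields:' names the columns.
$head = Get-Content -LiteralPath $newest.FullName -TotalCount 10
$fields = $head | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
if ($fields) {
    "Format                 : W3C ($fields)"
} else {
    Write-Warning "No #Fields: header in the first 10 lines; the file is not in W3C format."
}

# Count non-directive lines so you know there are request entries to collect.
$dataLines = @(Get-Content -LiteralPath $newest.FullName | Where-Object { $_ -and $_ -notmatch '^#' }).Count
"Data lines in newest   : $dataLines"
```

Run it on the IIS host, then request a page from the site and run it again: the data-line count should rise if the site is logging to this folder.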
