Configure endpoint monitor


Malakay

Jan 22, 2026, 9:45:23 AM
to Wazuh | Mailing List
Hello everyone, I've been trying to configure an API endpoint check in Wazuh 4.14.1 rc2 for a few days but unsuccessfully.

I am running Ubuntu 24.04.3 LTS both in the Server and agent. They are connected and active and see each other without problems.

I try to monitor the URL with a script like this:

#!/bin/bash
TS=$(date -Iseconds)
STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://some_url/health/check)
echo "$TS status=$STATUS endpoint=/health" >> /var/log/api_monitor.log


which I call from an ad-hoc api-monitor.service placed in /etc/systemd/system with this content:

[Unit]
Description=API Health Check

[Service]
Type=oneshot
ExecStart=/bin/bash /var/ossec/active-response/bin/api_monitor.sh

[Install]
WantedBy=multi-user.target


The service executes periodically thanks to the api-monitor.service in the same directory with the following content:

[Unit]
Description=Run API health check every minute

[Timer]
OnBootSec=30s
OnUnitActiveSec=60s
Unit=api-monitor.service

[Install]
WantedBy=timers.target



The log file shows me lines every minute, so this is working fine, but the Wazuh agent doesn't send the data to the manager. This is the relevant block in /var/ossec/ossec.conf:

<localfile>
  <log_format>journald</log_format>
  <location>SYSLOG_IDENTIFIER=api_monitor</location>
</localfile>


I'm using journald to get the data, but I see the following error when checking the status with journalctl -u wazuh-agent -n 200 --no-pager:

2026/01/22 14:03:26 wazuh-logcollector[125157] localfile-config.c:586 at Read_Localfile(): WARNING: (8017): Invalid location value 'SYSLOG_IDENTIFIER=api_monitor' when using 'journald' as 'log_format'. Default value will be used.

Which is strange because journalctl -t api_monitor -n 20 -o verbose shows:

    SYSLOG_IDENTIFIER=api_monitor
    MESSAGE=status=200 endpoint=/health

xmllint --noout /var/ossec/etc/ossec.conf does not return errors and in ossec.log I only see this:
wazuh-logcollector[119146] read_journald.c:169 at read_journald(): DEBUG: (9008): Reading from journal: 'Jan 22 12:16:32 wazuh-agent systemd[1]: Starting api-monitor.service - API Health Check...'.
2026/01/22 13:16:33 wazuh-logcollector[119146] read_journald.c:169 at read_journald(): DEBUG: (9008): Reading from journal: 'Jan 22 12:16:32 wazuh-agent systemd[1]: api-monitor.service: Deactivated successfully.'.
2026/01/22 13:16:33 wazuh-logcollector[119146] read_journald.c:169 at read_journald(): DEBUG: (9008): Reading from journal: 'Jan 22 12:16:32 wazuh-agent systemd[1]: Finished api-monitor.service - API Health Check.'.


But nothing is sent to the manager. I've reviewed the permissions and ownership of the files and they are correct, and I also used logger -t api_monitor "status=500 endpoint=/health final-test" to write lines in the api-monitor.log, but they don't trigger the Wazuh agent to send the status to the server.

Also tried to reference the /var/log/api_monitor.log in ossec.conf directly with <log_format>generic</log_format> and <log_format>plain</log_format> but it does not work either. I am lost right now after having tried so many things.

Does someone have an idea why I cannot send info about a simple url check to the Wazuh server? 

Thanks in advance.

Camila Ayelen Mesa Acevedo

Jan 22, 2026, 12:03:19 PM
to Wazuh | Mailing List
Hello Malakay,

This error is coming from the Wazuh agent config validation.

The localfile block configuration should be:

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
</localfile>

You can use this label to filter for a specific service:
<filter field="_SYSTEMD_UNIT">^XXXXX$</filter>

Here are more details that can be useful
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/journald.html#journald-log-collection

Please let me know if this solves the error shown in the agent logs, thanks
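
Added example, not part of the original replies: the script in the question appends to /var/log/api_monitor.log, which a journald localfile block never reads, so this variant sends the same status line to journald with logger -t api_monitor. The --run switch, the priority mapping and the SYSLOG_IDENTIFIER filter in the closing comment are assumptions of this example; the URL is the placeholder from the question.

```shell
#!/bin/bash
# Added example: health check that logs to journald instead of a flat file.
# URL is the placeholder from the question; TAG matches `journalctl -t api_monitor`.
URL="${API_URL:-https://some_url/health/check}"
TAG="api_monitor"

# Map an HTTP status code to a syslog priority so failures stand out.
# curl reports 000 when no HTTP response was received (DNS, TLS, timeout).
status_priority() {
    case "$1" in
        2[0-9][0-9]|3[0-9][0-9]) echo "user.info" ;;
        4[0-9][0-9])             echo "user.warning" ;;
        *)                       echo "user.err" ;;
    esac
}

# Build the message in the key=value shape used in the question.
# Anything that is not exactly three digits is normalised to 000.
format_line() {
    local status="$1" endpoint="$2"
    case "$status" in
        [0-9][0-9][0-9]) ;;
        *) status="000" ;;
    esac
    printf 'status=%s endpoint=%s' "$status" "$endpoint"
}

check_once() {
    local status
    # --max-time keeps a hung endpoint from stalling the oneshot unit.
    status=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$URL") || true
    logger -t "$TAG" -p "$(status_priority "$status")" -- "$(format_line "$status" /health)"
}

# Run only when asked (ExecStart=... api_monitor.sh --run), so the
# functions above can be sourced and checked offline.
if [ "${1:-}" = "--run" ]; then
    check_once
fi

# Matching agent block (journald block from the reply; filter field assumed):
#   <localfile>
#     <location>journald</location>
#     <log_format>journald</log_format>
#     <filter field="SYSLOG_IDENTIFIER">^api_monitor$</filter>
#   </localfile>
```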

Camila Ayelen Mesa Acevedo

Jan 22, 2026, 12:03:20 PM
to Wazuh | Mailing List

Hello Malakay,

This error is coming from the Wazuh agent config validation.

The localfile block configuration should be:

<localfile>
  <location>journald</location>
  <log_format>journald</log_format>
</localfile>

You can add this label to filter for the specific service:

<filter field="_SYSTEMD_UNIT">^XXXXXX$</filter>

Here are more details that can be useful
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/journald.html#journald-log-collection

Please let me know if this solves the error shown in the agent logs, thanks

Best regards

On Thursday, January 22, 2026 at 11:45:23 AM UTC-3 Malakay wrote: