Remote Syslog error

[Marsan]

Hello,
I am trying to get the logs by Remote Syslog. I have changed the ossec.conf as it says in the documentation. My output:
Nov 26, 2021 @ 13:39:22.000 ossec-removed INFO Remote syslog allowed from: 'x.x.x.x.x/x'
Nov 26, 2021 @ 13:39:22.000 ossec-remoted INFO Remote syslog allowed from: 'x.x.x.x.x.x/x'
Nov 26, 2021 @ 13:39:22.000 ossec-remoted INFO Started (pid: 3509). Listening on port 1513/UDP (syslog).
November 26, 2021 @ 13:39:22,000 ossec-remoted INFO Started (pid: 3512). Listening on port 1514/TCP (secure).
As I haven't done the decoders yet, I have enabled "logall_json" to see the logs I receive before being processed, but I don't see anything. Can someone help me ?

[Juan Cabrera]

Hello Marcelo,

What version of Wazuh are you using? Once the logall_json option is activated, you must restart Wazuh for the configuration change to be applied.

On the other hand, to check that the logs are being received correctly, you should view them in the /var/ossec/logs/archives/archives.log or /var/ossec/logs/archives/archives/archives.json file. Can you confirm for me that the logs are getting to the manager ?

Regards,
Juan Cabrera

​

[Marsan]

Thanks Juan. I was looking in the wrong place. I can see the logs in the "archives.json" file, but not in the "archives.log" file that you also told me about. Why could this be?

[Juan Cabrera]

Hello,

You must enable it in the ossec.conf file of your manager.

In the following configuration block:

<ossec_config>
  <global>
    ...
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    ...
  </global>

Set logall to yes. This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.log.

Regards,
Juan Cabrera

​

[Marsan]

Thank you Juan! Everything is working fine!