Hello Marcelo,
What version of Wazuh are you using? Once the logall_json option is activated, you must restart Wazuh for the configuration change to be applied.
On the other hand, to check that the logs are being received correctly, you should view them in the /var/ossec/logs/archives/archives.log or /var/ossec/logs/archives/archives/archives.json file. Can you confirm for me that the logs are getting to the manager?
Regards,
Juan Cabrera
Hello,
You must enable it in the ossec.conf file of your manager.
In the following configuration block:
<ossec_config>
  <global>
    ...
    <logall>yes</logall>
    <logall_json>yes</logall_json>
    ...
  </global>
</ossec_config>
Set logall to yes. This toggles whether to store events even when they do not trip a rule with results written to /var/ossec/logs/archives/archives.log.
Regards,
Juan Cabrera
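
The two checks discussed in this thread (are logall and logall_json enabled, and are events reaching the archives), as an added example that is not part of the original posts or of Wazuh itself. The function names and sample data are constructed for illustration; it assumes that when a setting appears more than once the last value applies, and that archive events carry an agent.name field.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input (not taken from the thread).
SAMPLE_CONF = """<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>no</logall_json>
  </global>
</ossec_config>
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>"""
SAMPLE_ARCHIVE = """{"timestamp":"2024-01-01T00:00:00","agent":{"id":"001","name":"web01"},"full_log":"sshd: session opened"}
{"timestamp":"2024-01-01T00:00:01","agent":{"id":"002","name":"db01"},"full_log":"cron: job started"}
{"timestamp":"2024-01-01T00:00:02","agent":{"id":"001","name":"web01"},"full_log":"sshd: session closed"}
{"timestamp":"2024-01-01T00:00:03"""  # last line is truncated on purpose

def archive_settings(conf_text):
    """Return the logall / logall_json values found in ossec.conf text."""
    # ossec.conf may hold several <ossec_config> blocks, so it is not a
    # single-root XML document; wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    settings = {"logall": "no", "logall_json": "no"}  # both default to "no"
    for key in settings:
        # Assumption: a later occurrence overrides an earlier one.
        for node in root.iterfind("./ossec_config/global/" + key):
            settings[key] = (node.text or "").strip().lower()
    return settings

def events_per_agent(json_lines):
    """Count archived events per agent name, skipping unparsable lines."""
    counts = Counter()
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line still being written by the manager
        counts[event.get("agent", {}).get("name", "unknown")] += 1
    return counts

if __name__ == "__main__":
    print(archive_settings(SAMPLE_CONF))
    print(dict(events_per_agent(SAMPLE_ARCHIVE.splitlines())))
```

On a manager, pass the contents of ossec.conf and the lines of the JSON archive file instead of the samples; an agent missing from the counts has no events in the archive.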