Wazuh Agent on Windows Server 2016 not reading IIS logs (No "Analyzing file" in ossec.log)

Third Nht

Jan 26, 2026, 3:10:55 AM
to Wazuh | Mailing List

Hi everybody,

I'm having trouble getting my Wazuh Agent to read IIS logs on Windows Server 2016 Standard.

The agent is connected and successfully sending Windows Event logs (Application, Security, System), but it completely ignores the IIS log files. I've checked ossec.log and there is no mention of "Analyzing file" for the IIS path at all.

My Configuration:
<localfile>
    <location>C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log</location>
    <log_format>iis</log_format>
</localfile>

What I've tried so far:
Changed log_format to syslog.
Specified the exact path (e.g., W3SVC1\u_ex260126.log).
I checked the security tab for the log files. The SYSTEM account (which the agent runs under) has the exact same permissions as the Administrator (Full Control/Read).

Third Nht

Jan 26, 2026, 3:35:47 AM
to Wazuh | Mailing List
  Quick update on my issue: I’ve managed to get the IIS logs flowing into the dashboard, but only by hardcoding the exact filename in the configuration.
  <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex260126.log</location>

This does NOT work (No "Analyzing file" in ossec.log):

  • C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log

  • C:\inetpub\logs\LogFiles\W3SVC1\*.log

  • C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log


    On Monday, January 26, 2026 at 15:10:55 UTC+7, Third Nht wrote:
    Message has been deleted

    Third Nht

    Jan 26, 2026, 10:53:36 PM
    to Wazuh | Mailing List
    Thanks for the answer.
    I already tried:

    C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log
    C:\inetpub\logs\LogFiles\W3SVC1\*.log

    Is it possible that the issue is down to these two reasons?
    1. Windows OS Hardening / Security Restrictions: Could there be a specific security policy or a low-level protection mechanism in Windows Server 2016 that prevents the Agent from "listing" or "scanning" files via wildcards? (Note: SYSTEM already has Full Control via icacls).

    2. Compatibility / Agent Limitations: Is this a known limitation for this specific OS version or Agent build where Wildcard Expansion fails within the Logcollector module?

    P.S. I'm a fresh grad and just starting out in this kind of work. Sorry if I missed anything basic.
    On Monday, January 26, 2026 at 21:47:47 UTC+7, Francis Timilehin Jeremiah wrote:
    Hello, it's not working because you are using two wildcards. Do something like C:\inetpub\logs\LogFiles\W3SVC1\*.log

    Francis Timilehin Jeremiah

    Jan 28, 2026, 7:22:33 AM
    to Wazuh | Mailing List
    Hello, I tested multiple cases, and I can see that wildcards are not working regardless of the log format. Let me investigate more and open an issue about this. 

    Francis Timilehin Jeremiah

    Jan 29, 2026, 10:04:16 AM
    to Wazuh | Mailing List
    Hi, the issue seems to be because your Windows endpoint is not showing the full file extension; enable it and it should work. When manually testing, and you create a new text file, Windows adds a .txt to the end of the file, causing log collection not to work. Mine works as expected now using your same configuration:

    <localfile>
        <location>C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log</location>
        <log_format>iis</log_format>
    </localfile>

    From my logs, I can see:

    2026/01/29 06:54:16 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex1.log'.
    2026/01/29 06:54:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
    2026/01/29 06:54:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
    2026/01/29 06:54:16 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex2.log'.
    2026/01/29 06:54:16 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
    2026/01/29 06:54:16 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' pattern: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex3.log'.
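
Added example, not part of the thread and not Wazuh code: a PowerShell check for the cause described in the last reply, listing the files the `<location>` wildcard matches on disk and the near misses that carry a second extension such as `.log.txt`. It assumes PowerShell's own globbing, which can differ from the agent's, and the `$OssecLog` parameter is hypothetical, left empty because the thread does not give the log's full path.

```powershell
# Added example (not from the thread). The default pattern is the <location> posted above.
param(
    [string]$Pattern  = 'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log',
    [string]$OssecLog = ''   # assumption: pass the full path of the agent's ossec.log to scan it
)

# Files the wildcard really matches on disk (run from an elevated prompt).
$matched = @(Get-ChildItem -Path $Pattern -File -ErrorAction SilentlyContinue)

# Near misses: same name plus one more extension, e.g. u_ex1.log.txt created in
# Explorer while file extensions were hidden.
$nearMiss = @(Get-ChildItem -Path "$Pattern.*" -File -ErrorAction SilentlyContinue)

# Explorer setting for the current user: 1 = extensions hidden, 0 = shown.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt

"Pattern            : $Pattern"
"Matching files     : $($matched.Count)"
$matched  | ForEach-Object { "  OK    $($_.FullName)  ($($_.Length) bytes)" }
"Double extensions  : $($nearMiss.Count)"
$nearMiss | ForEach-Object { "  MISS  $($_.FullName)" }
"HideFileExt (HKCU) : $hide"

if ($matched.Count -eq 0 -and $nearMiss.Count -gt 0) {
    'No file matches; the files listed as MISS carry a second extension that the pattern excludes.'
}

# Optional: show the agent's most recent "New file that matches" messages (id 1957,
# as in the log excerpt above) to confirm logcollector picked the files up.
if ($OssecLog -and (Test-Path -LiteralPath $OssecLog)) {
    Select-String -LiteralPath $OssecLog -Pattern '(1957)' -SimpleMatch |
        Select-Object -Last 10 -ExpandProperty Line
}
```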
