Rsyslog central server -> forward logs to wazuh


Smiljan Veber

Oct 16, 2025, 11:31:52 AM (3 days ago) Oct 16
to Wazuh | Mailing List
Hello

I have a problem with my wazuh-rsyslog setup.

At one site I already have an rsyslog server, which gathers all the logs from various Cisco devices.

It stores its logs into

$template remote-incoming-logs,"/var/log/centralized/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%PROGRAMNAME%.log"

So from what information I could gather, what I did is install the Wazuh agent onto the rsyslog server and add this to ossec.conf:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/centralized/*.log</location>
</localfile>

I also tried without *.log, but the result is the same: I am not receiving any logs into Wazuh through the agent.

I tried enabling archives, and there too -> no logs from the devices.

Does anyone have any idea what I should change to get this configuration working?


Olamilekan Abdullateef Ajani

Oct 16, 2025, 12:56:40 PM (3 days ago) Oct 16
to Wazuh | Mailing List
Hello,

The reason why the agent did not capture any log is because of the way you have defined the location tag. I see from the log reference you shared that the logs are stored in /var/log/centralized/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%PROGRAMNAME%.log, which means there is another folder after centralized called HOSTNAME, where the actual logs reside. Your localfile should look like the one below:

<localfile>
  <location>/var/log/centralized/*/*.log</location>
  <log_format>syslog</log_format>
</localfile>


You cannot use a single wildcard to match both the log and the directory; since the directory name is not assured, you can use a wildcard for it as well. I just tested this and it works.

Please let me know if you require further assistance on this.

Ref:
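As an added illustration of the point made in this reply (not code from the thread or from Wazuh), the script below expands the rsyslog template from the first post for a few constructed device names under a temporary directory and counts how many files each candidate <location> pattern would expand to. The hostnames and program names are made up; the test root stands in for /var/log/centralized.

```python
import glob
import os
import tempfile
from datetime import date

# The rsyslog template quoted in the first post.
TEMPLATE = "/var/log/centralized/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%PROGRAMNAME%.log"
BASE = "/var/log/centralized"


def expand_template(root, hostname, day, program):
    """Expand the rsyslog template the way rsyslog would, but under a test root."""
    rel = TEMPLATE.replace(BASE, "", 1)
    rel = (rel.replace("%HOSTNAME%", hostname)
              .replace("%$YEAR%", f"{day.year:04d}")
              .replace("%$MONTH%", f"{day.month:02d}")
              .replace("%$DAY%", f"{day.day:02d}")
              .replace("%PROGRAMNAME%", program))
    return root + rel


def build_sample_tree(root):
    """Write the files rsyslog would produce for three constructed devices."""
    devices = [("sw-core-01", "link"), ("rtr-edge-01", "sec"), ("fw-dmz-01", "asa")]
    paths = []
    for host, prog in devices:
        path = expand_template(root, host, date(2025, 10, 16), prog)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"Oct 16 11:31:52 {host} {prog}: constructed sample line\n")
        paths.append(path)
    return paths


def count_matches(root, location):
    """Number of files a <location> pattern expands to (same glob semantics: * stops at /)."""
    return len(glob.glob(location.replace(BASE, root, 1)))


def compare_locations(root=None):
    """Compare the pattern from the question with the one suggested in the reply."""
    root = root or tempfile.mkdtemp()
    build_sample_tree(root)
    return {loc: count_matches(root, loc)
            for loc in (BASE + "/*.log", BASE + "/*/*.log")}


if __name__ == "__main__":
    for loc, n in compare_locations().items():
        print(f"{loc:32} -> {n} file(s)")
```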