Rsyslog central server -> forward logs to wazuh


Smiljan Veber

Oct 16, 2025, 11:31:52 AM
to Wazuh | Mailing List
Hello

I have a problem with my wazuh-rsyslog setup.

At one site I already have an rsyslog server, which gathers all the logs from various Cisco devices.

It stores its logs in:
 $template remote-incoming-logs,"/var/log/centralized/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%PROGRAMNAME%.log"

So from what information I could gather, what I did was install the Wazuh agent onto the rsyslog server and add this into ossec.conf:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/centralized/*.log</location>
</localfile>

I also tried without *.log, but the result is the same: I am not receiving any logs into Wazuh through the agent.

I tried enabling archives and also there -> no logs from devices.

Does anyone have any idea what I should change to get this configuration working?


Olamilekan Abdullateef Ajani

Oct 16, 2025, 12:56:40 PM
to Wazuh | Mailing List
Hello,

The reason why the agent did not capture any logs is the way you have defined the location tag. I see from the log reference you shared that the logs are stored in /var/log/centralized/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%-%PROGRAMNAME%.log,
which means there is another folder after centralized called HOSTNAME, where the actual logs reside. Your localfile should look like below:

<localfile>
    <location>/var/log/centralized/*/*.log</location>
    <log_format>syslog</log_format>
</localfile>


You cannot use a single wildcard to match both the log and the directory; since the directory name is not assured in terms of the name, you can use the wildcard. I just tested this and it works.

Please let me know if you require further assistance on this.

Ref:

Smiljan Veber

Oct 22, 2025, 5:49:36 AM
to Wazuh | Mailing List
Hello, I tried the above, copied it into the agent ossec.conf, but I am still not getting logs over to Wazuh. Or I am looking in the wrong direction.

I enabled logall, and I am checking archives.log and archive.json

Should I enable something else on Wazuh itself?

I have a bunch of devices on the syslog server generating logs.

Under /var/log/centralized I have, let's say, a folder:
10.0.102.1

And then in this folder: 2025-10-22-241.log

2025-10-22T06:29:16.261607+00:00 10.0.102.1 241: 000244: Oct 22 08:29:15.267: %SEC-6-IPACCESSLOGP: list Outside-IN-ACL denied tcp 223.93.8.66(47208) -> 193.77.101.111(22), 1 packet

For which, if I input it in the ruleset test, I get the decoding and rules matched, but I don't see this log anywhere in Wazuh, only general syslog logs.

Please, if you have any idea what I am doing wrong :).





On Thursday, 16 October 2025 at 18:56:40 UTC+2, Olamilekan Abdullateef Ajani wrote:

Olamilekan Abdullateef Ajani

Oct 22, 2025, 9:46:27 AM
to Wazuh | Mailing List
Hello,

The problem seems to be from your setup, how you are reading the logs. The archives you have enabled are enough, and if you cannot see the logs there, it means the agent is not reading the logs.

From your setup, it seems you have multiple folders in the centralized directory with multiple log files. The configuration I shared earlier should work because I just tested it again.
The issue seems to be from your log setup.

Can we do a test: monitor a file using the absolute path and check for output in the archives.json file.

<localfile>
    <location>/var/log/centralized/10.0.102.1/2025-10-22-241.log</location>
    <log_format>syslog</log_format>
</localfile>


Please let me know what you find.

Smiljan Veber

Nov 7, 2025, 4:01:00 AM
to Wazuh | Mailing List
Hello, sorry for late reply, had other obligations.

I tested this a bit more.

And if I set it the way you described above, /var/log/centralized/10.0.102.1/2025-11-06.log, I see logs in archive.json and on the Wazuh dashboard (when they trigger a Cisco decoder/alert).

Then I tried setting it to:
    <location>/var/log/centralized/10.0.102.1/*.log</location>
    <log_format>syslog</log_format>

And I also see logs in archive.json and on the Wazuh dashboard (when they trigger a Cisco decoder/alert), even when a new log is created, like 2025-11-07.log.

But if I set <location>/var/log/centralized/*/*.log</location> I don't get any logs to Wazuh.

I am thinking, since some devices in centralized have an IP like above and # have hostnames like HQASA5540-5, could that be a problem?

Do you know if, for now, I can set multiple locations for files, like:

<location>/var/log/centralized/10.0.102.1/*.log</location>
<location>/var/log/centralized/10.0.88.1/*.log</location>
<log_format>syslog</log_format>

Or do I need to put each one in its own line?


On Wednesday, 22 October 2025 at 15:46:27 UTC+2, Olamilekan Abdullateef Ajani wrote:
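The thread turns on which files a wildcard in `<location>` actually picks up under the rsyslog layout /var/log/centralized/%HOSTNAME%/&lt;date&gt;-%PROGRAMNAME%.log, and on whether one `<localfile>` can carry several locations. The script below is an added example, not code from the thread or from Wazuh: it builds a constructed copy of that layout (IP-named and hostname-named device directories, as described above) in a temporary directory, reports what each candidate pattern matches using Python's glob as a stand-in for the agent's wildcard matching, and generates one `<localfile>` block per device directory, which sidesteps the multiple-location question entirely.

```python
"""Added example (not from the thread or from Wazuh): check which files each
<location> wildcard matches under the rsyslog layout, and emit one <localfile>
per device directory. Python's glob approximates the agent's wildcard matching."""
import glob
import os
import tempfile

# Constructed tree: IP-named and hostname-named device directories, as in the thread.
LAYOUT = {
    "10.0.102.1": ["2025-10-22-241.log", "2025-11-07.log"],
    "10.0.88.1": ["2025-11-07.log"],
    "HQASA5540-5": ["2025-11-07-asa.log"],
}
PATTERNS = ("*.log", "*/*.log", "10.0.102.1/*.log")


def build_tree(root):
    """Create LAYOUT under root/var/log/centralized and return that base path."""
    base = os.path.join(root, "var", "log", "centralized")
    for host, files in LAYOUT.items():
        os.makedirs(os.path.join(base, host), exist_ok=True)
        for name in files:
            with open(os.path.join(base, host, name), "w") as fh:
                fh.write("constructed line\n")
    return base


def matches(base, pattern):
    """Return the files (relative to base) a <location> pattern would match."""
    return sorted(os.path.relpath(p, base) for p in glob.glob(os.path.join(base, pattern)))


def localfile_blocks(base):
    """One <localfile> per device directory: /var/log/centralized/<host>/*.log."""
    blocks = []
    for host in sorted(os.listdir(base)):
        if os.path.isdir(os.path.join(base, host)):
            blocks.append("<localfile>\n  <location>/var/log/centralized/%s/*.log</location>\n"
                          "  <log_format>syslog</log_format>\n</localfile>" % host)
    return "\n".join(blocks)


def run_check():
    """Build the constructed tree, return ({pattern: matches}, generated config)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_tree(tmp)
        return {pat: matches(base, pat) for pat in PATTERNS}, localfile_blocks(base)


if __name__ == "__main__":
    results, config = run_check()
    for pat, files in results.items():
        print("%-20s -> %s" % (pat, files))
    print(config)
```

The top-level `*.log` pattern matches nothing because every file sits one directory down, which is the point made in the first reply; the per-directory blocks are what to paste into ossec.conf if the two-level wildcard misbehaves on your agent version.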