Issue with out_format in localfile


rana chand

Oct 28, 2020, 6:28:47 AM
to Wazuh mailing list

Hi All,

I am trying to use out_format to add additional information to the log.

Here is the configuration on the agent side:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mongodb/mongodb.log</location>
    <out_format>$(timestamp %Y-%m-%dT%H:%M:%S) MongoDB:  $(log)</out_format>
</localfile>

But it is not showing any changes on the logs that are reaching the Manager(i.e., Archives log file).

Output in the archives.log before adding the out_format:
2020 Oct 28 03:52:33 (nineleaps-ThinkPad-L470) any->/var/log/mongodb/mongodb.log 2020-10-28T09:22:32.057+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:41368 #3 (1 connection now open)

Output in the archives.log after adding the out_format:
2020 Oct 28 03:57:33 (nineleaps-ThinkPad-L470) any->/var/log/mongodb/mongodb.log 2020-10-28T09:27:32.057+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:41368 #4 (1 connection now open)

As you can see there is no change in the log content.
Can someone guide me in the right way of achieving this?

Regards,
Rana

Jonathan Martín Valera

Oct 28, 2020, 8:18:29 AM
to Wazuh mailing list
Hi rana chand,

In my case, I just tried it (wazuh-manager 3.13.2) and it worked well. Let's see where the problem might be.

Which version manager and agents are you using?

Here I show you the process I have followed:

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

CASE 1: without out_format

- I have added the following in the agent's ossec.conf and restarted wazuh-agent

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mongodb/mongodb.log</location>
</localfile>


systemctl restart wazuh-agent

- I have generated the event in the wazuh-agent and I have checked the content of the event in the wazuh-manager:

In wazuh-manager side

tail -f /var/ossec/logs/archives/archives.log | grep "/var/log/mongodb/mongodb.log"

In wazuh-agent side:

echo "2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)" >> /var/log/mongodb/mongodb.log

After this, I have checked that the event received is:

2020 Oct 28 11:39:13 (centos8_agent) any->/var/log/mongodb/mongodb.log 2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

CASE  2: with out_format

- I have updated the above localfile (added in CASE 1) with the following content and restarted wazuh-agent:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mongodb/mongodb.log</location>
    <out_format>$(timestamp) $(hostname) mongodb: $(log)</out_format>
</localfile>

systemctl restart wazuh-agent

- I have generated the event in the wazuh-agent and I have checked the content of the event in the wazuh-manager:

In wazuh-manager side

tail -f /var/ossec/logs/archives/archives.log | grep "/var/log/mongodb/mongodb.log"

In wazuh-agent side:

echo "2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)" >> /var/log/mongodb/mongodb.log

After this, I have verified that the event received is:

2020 Oct 28 11:40:58 (centos8_agent) any->/home/vagrant/test/test.log Oct 28 07:40:58 agent1 mongodb: 2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)

As you can see, the content of out_format has been added to the content of the event correctly. If we test this in the ossec-logtest tool:

[root@manager]# /var/ossec/bin/ossec-logtest

2020/10/28 11:32:53 ossec-testrule: INFO: Started (pid: 7091).
ossec-testrule: Type one log per line.

Oct 28 07:40:58 agent1 mongodb: 2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)


**Phase 1: Completed pre-decoding.
       full event: 'Oct 28 07:40:58 agent1 mongodb: 2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)'
       timestamp: 'Oct 28 07:40:58'
       hostname: 'agent1'
       program_name: 'mongodb'
       log: '2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:36556 #1 (1 connection now open)'

**Phase 2: Completed decoding.
       No decoder matched.

We can see that we have the complete log in the pre-decoding log field in order to work with the rules.

Try it and tell me.

Best regards.
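Added example, not code from this thread or from Wazuh itself: a small Python model of what the reply above shows, i.e. how the $(timestamp), $(hostname) and $(log) placeholders of out_format are expanded on the agent and how the resulting line is then pre-decoded into the timestamp, hostname, program_name and log fields that ossec-logtest prints in Phase 1. The default timestamp layout, the VAR_RE and SYSLOG_RE patterns and the fixed clock/hostname are assumptions; the sample line is the MongoDB event from the thread.

```python
import re
from datetime import datetime

# Constructed sample input: the MongoDB line from the thread, plus a fixed
# clock and hostname standing in for the agent's local time and name.
SAMPLE_LOG = ("2020-10-27T11:30:03.198+0530 I NETWORK  [listener] connection "
              "accepted from 127.0.0.1:36556 #1 (1 connection now open)")
SAMPLE_TIME = datetime(2020, 10, 28, 7, 40, 58)
SAMPLE_HOST = "agent1"

# $(name) or $(name argument); the argument is used by $(timestamp <strftime>).
VAR_RE = re.compile(r"\$\((\w+)(?:\s+([^)]*))?\)")

def expand_out_format(fmt, log, host=SAMPLE_HOST, now=SAMPLE_TIME):
    """Expand the out_format placeholders used in the thread. Only $(log),
    $(hostname) and $(timestamp [format]) are modelled; the default timestamp
    layout is assumed to be the syslog-style one seen in the reply's output."""
    def sub(m):
        name, arg = m.group(1), m.group(2)
        if name == "log":
            return log
        if name == "hostname":
            return host
        if name == "timestamp":
            return now.strftime(arg if arg else "%b %d %H:%M:%S")
        raise ValueError("unsupported out_format variable $(%s)" % name)
    return VAR_RE.sub(sub, fmt)

# Syslog header as ossec-logtest's Phase 1 splits it (assumed pattern):
# timestamp, hostname, program_name with optional [pid], then the 'log' payload.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(event):
    """Return the pre-decoded fields for a syslog-style event. A line without a
    syslog header (the unchanged MongoDB line from the first post) keeps the
    whole event as 'log', so rules can still match on it."""
    fields = {"full_event": event, "log": event}
    m = SYSLOG_RE.match(event)
    if m:
        fields.update(m.groupdict())
    return fields

if __name__ == "__main__":
    for fmt in ("$(timestamp) $(hostname) mongodb: $(log)",
                "$(timestamp %Y-%m-%dT%H:%M:%S) MongoDB:  $(log)"):
        event = expand_out_format(fmt, SAMPLE_LOG)
        print(event)
        print(predecode(event))
```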

rana chand

Oct 28, 2020, 8:43:37 AM
to Wazuh mailing list
Hi Jonathan,

In my case, I tried with (wazuh-agent 3.12.0) in the similar way but it didn't work.
Both my wazuh manager and agent are of 3.12.0 version.
I can't change the version of the Wazuh manager as 3.13.2 does not have a kibana plugin for Kibana 7.4.2.

Is it possible to use different versions for Wazuh Manager and Wazuh agent, like Wazuh Manager with 3.12.0 and Wazuh agent with 3.13.2 versions?

Regards,
Rana.

Jonathan Martín Valera

Oct 28, 2020, 10:23:18 AM
to Wazuh mailing list
Hi Chandrashekhar Magi,

Yes, on further investigation, it appears that there was a bug and it was fixed in version 3.12.3 (see issue here https://github.com/wazuh/wazuh/issues/4877).


> Is it possible to use different versions for Wazuh Manager and Wazuh agent, like Wazuh Manager with 3.12.0 and Wazuh agent with 3.13.2 versions?

Yes, wazuh-manager and wazuh-agent/s can have different versions as long as the wazuh-manager's version is equal or higher than the wazuh-agent's.

The solution would be to upgrade at least to 3.12.3.

Sorry for the inconvenience.

Best regards.