Logs from apache2 not showing


Braulio Rodríguez

Jun 14, 2023, 10:54:25 AM
to Wazuh mailing list
Hello,
I was trying to display the logs of an agent with apache2 in Wazuh. Specifically access.log, which seems to be default in ossec.conf; however, the logs are not showing up in the dashboard and also not in the agent's "Configuration -> Log collection" section. The access.log is updated correctly and I can see the changes from the server with apache2; the other logs are displayed normally in the dashboard and even appear in the Log collection section. Could you help me to find a solution please?

Marcos Darío Buslaiman

Jun 14, 2023, 12:13:18 PM
to Wazuh mailing list
Hi Braulio,
Thanks for using Wazuh!
If you don't see the log under Agent configuration --> Log collection --> Logs, it seems that log is not configured to be monitored, so you need to add it to the agent config file "/var/ossec/etc/ossec.conf". Edit the config file and add the following:
<localfile>
  <location>/var/log/apache2/access.log</location>
  <log_format>syslog</log_format>
</localfile>
Then you will need to restart the agent:
systemctl restart wazuh-agent

Here you will find more information about this capability: Log data collection

With this configuration, the agent should be sending the logs to the manager. To check this, we can enable the archives on the manager: open /var/ossec/etc/ossec.conf and set the logall tag to yes. Take into account that this will generate a lot of information, because you will be logging all the events of all the agents connected to this Wazuh manager, so once you have checked, set this back to "no" to avoid disk space issues.

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
  </global>
</ossec_config>

Then you will need to restart the manager:

systemctl restart wazuh-manager

Now, access logs should appear in /var/ossec/logs/archives/archives.log, so you can look for access.log entries in the archives like this:
grep access.log /var/ossec/logs/archives/archives.log

If you can see your access.log in archives.log, you will need to validate whether those logs trigger any alerts; to check that you can use the logtest tool.
On the Wazuh manager execute this:
/var/ossec/bin/wazuh-logtest and then paste the log line that you found in archives.log, and you can observe whether any alert is generated.

If you don't get any alerts, it is because your log has not matched any of Wazuh's built-in rules and you will need to create some custom rules.
Ref Doc. 

Please, let me know if you have any doubts or questions.

Regards
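The reply above is a four-step procedure (confirm the localfile entry, add it if missing, check archives.log, then logtest). The script below is an added example, not code from the thread or from Wazuh, that runs the first three checks offline against constructed sample files: a small agent ossec.conf in which error.log is monitored but access.log is not, and an archives.log excerpt shaped like the manager's plain-text archive. The agent name, IP and log lines are made up; the log_format value passed to the snippet function is whatever you choose (the reply uses syslog).

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh. Offline check mirroring the
# troubleshooting steps in the reply: (1) list the <location> entries in an
# agent ossec.conf, (2) say whether a given log file is among them, (3) print
# the <localfile> block to add if not, (4) count events for that file in a
# manager archives.log. All inputs are constructed samples in a temp directory.

# Print every <location> value from the <localfile> blocks of an ossec.conf.
# Assumes one <location> per line, as in the stock config.
localfile_locations() {
  sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' "$1"
}

# Success if $2 (a log path) is monitored by the ossec.conf at $1.
is_monitored() {
  localfile_locations "$1" | grep -Fxq -- "$2"
}

# Print the <localfile> block to paste into ossec.conf for path $1, format $2.
localfile_snippet() {
  printf '<localfile>\n  <location>%s</location>\n  <log_format>%s</log_format>\n</localfile>\n' "$1" "$2"
}

# Count archives.log events that came from log file $2. Each plain-text
# archives.log line carries "<agent ip>-><file path>" before the raw event,
# so matching "->$2 " selects events from exactly that file (0 when none).
archived_events() {
  grep -Fc -- "->$2 " "$1" || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed agent config: error.log is monitored, access.log is not.
cat > "$WORK/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF

# Constructed archives.log excerpt (agent "web01", 10.0.0.5 are invented).
cat > "$WORK/archives.log" <<'EOF'
2023 Jun 14 10:50:01 (web01) 10.0.0.5->/var/log/apache2/access.log 203.0.113.7 - - [14/Jun/2023:10:50:00 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.88.1"
2023 Jun 14 10:50:02 (web01) 10.0.0.5->/var/log/apache2/error.log [Wed Jun 14 10:50:02.123456 2023] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'
2023 Jun 14 10:50:03 (web01) 10.0.0.5->/var/log/apache2/access.log 203.0.113.7 - - [14/Jun/2023:10:50:03 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/7.88.1"
EOF

TARGET=/var/log/apache2/access.log

echo "Monitored locations in $WORK/ossec.conf:"
localfile_locations "$WORK/ossec.conf"

if is_monitored "$WORK/ossec.conf" "$TARGET"; then
  echo "$TARGET is already configured for log collection."
else
  echo "$TARGET is NOT configured; add this block and restart wazuh-agent:"
  localfile_snippet "$TARGET" syslog
fi

echo "Events from $TARGET in archives.log: $(archived_events "$WORK/archives.log" "$TARGET")"
```

On a real host, point the functions at the agent's /var/ossec/etc/ossec.conf and, after enabling logall, at the manager's /var/ossec/logs/archives/archives.log. A non-zero archive count only proves the event reached the manager; whether it produces an alert is still the wazuh-logtest step from the reply.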

Braulio Rodríguez

Jun 14, 2023, 6:30:02 PM
to Wazuh mailing list
Thank you very much for your help, I was able to solve the problem.

Jeff Dyke

Jun 14, 2023, 6:38:03 PM
to Braulio Rodríguez, Wazuh mailing list
Not involved in the thread, but many of the worst solutions ever on mailing lists... because they are indexed by Google, are "OK, I fixed it", with no explanation.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b5d2a42b-bd2c-406e-96f7-6f272dd73ff0n%40googlegroups.com.

Marcos Darío Buslaiman

Jun 15, 2023, 5:03:58 PM
to Wazuh mailing list
Hi Jeff,
Are you having the same issue?
Please let us know more about it to help you.

Regards.