I have checked the Wazuh dashboard (Agent → Configuration → Log collection). I can see that Wazuh has picked up these files and that my out_format tag is in place: `vcloud: $(log)`.
This is what the agent reports (note that the td-agent entries are four fixed, timestamped file paths rather than a wildcard pattern, and each has only-future-events set to "yes", so only lines appended after the agent started watching that file are forwarded):
{
"logcollector-localfile": {
"localfile": [
{
"logformat": "command",
"command": "df -P",
"alias": "df -P",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
},
{
"logformat": "full_command",
"command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
"alias": "netstat listening ports",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
},
{
"logformat": "full_command",
"command": "last -n 20",
"alias": "last -n 20",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
},
{
"file": "/var/ossec/logs/active-responses.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/auth.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/dpkg.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/kern.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309271955.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272000.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272005.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272010.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
}
],
"localfile-logs": [
{
"file": "/var/ossec/logs/active-responses.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/auth.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/dpkg.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/kern.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"target": [
"agent"
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309271955.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272000.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272005.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
},
{
"file": "/var/log/td-agent/005-fluentd_vcloud.202309272010.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
"out_format": [
{
"target": "all",
"format": "vcloud: $(log)"
}
]
}
],
"localfile-windowsevent": [],
"localfile-commands": [
{
"logformat": "command",
"command": "df -P",
"alias": "df -P",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
},
{
"logformat": "full_command",
"command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
"alias": "netstat listening ports",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
},
{
"logformat": "full_command",
"command": "last -n 20",
"alias": "last -n 20",
"ignore_binaries": "no",
"target": [
"agent"
],
"frequency": 360
}
]
},
"logcollector-socket": {}
}
среда, 27 сентября 2023 г. в 22:23:01 UTC+2, MajorFudge: