Suddenly stopped syslog collect


ismailctest C

Apr 5, 2023, 10:27:37 PM
to Wazuh mailing list
Hi,
Integrated Mimecast with a Python script to collect syslog. (Script & path available in the Wazuh manager.)
It was working & forwarding syslog to Wazuh for the last 3 months without any issue.
Syslog collection in Wazuh suddenly stopped on April 1st; Mimecast logs are still coming to the directory, but they are not being forwarded to Wazuh.

Script link given below for ref:
Kindly support on this: what troubleshooting needs to be done & how to identify the exact issue.

ismailctest C

Apr 8, 2023, 4:06:21 AM
to Wazuh mailing list
Hi,
Please support on this.

Selu López

Apr 10, 2023, 4:27:04 AM
to Wazuh mailing list
Hi ismailctest,

I have a question about this part: Script & path available in wazuh manager. Does it mean you are running the Mimecast script on your Wazuh server? In that case, you might not need to use the syslog forwarder and, instead, you could use the localfile module as shown here.

I assume your Mimecast token hasn't expired since you're still getting its logs in the directory. Could you share the logs of the script itself (not the Mimecast ones) to get more information in case they show any errors? If there are no errors in the script execution, there could still be some reasons behind the error:
  • The manager is not receiving the logs → check the rsyslog configuration, check the network messages with tcpdump or telnet + netstat.
  • Analysisd is not producing alerts from the input logs → enable archives.

Enabling archives lets Analysisd print everything it analyzes into archives.json, no matter if those logs become alerts. Simply change this setting in ossec.conf:
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the manager and check this file: /var/ossec/logs/archives/archives.json. If the logs are in archives.json but not in alerts.json, that is simply a ruleset issue and you would need to write new rules or update the ones you have (in etc/rules).

Let me know any other information you consider important. I hope you find this useful!

Regards,
Selu.

ismailctest C

Apr 11, 2023, 4:22:22 AM
to Wazuh mailing list
Hi,
Tried the localfile module, which is not working.
Mimecast is generating multiple log files in this directory, not appending all logs into a single file.
E.g., when running the script, we get more than 100 log files.

Can we configure localfile in this case? We need to collect the logs from all files in a particular directory.

Selu López

Apr 11, 2023, 11:05:01 AM
to Wazuh mailing list
Hi ismailctest,

If new log files are created inside the directory, take a look at this documentation on using wildcards for localfile:
However, I see some cons with the script proposed in the Mimecast documentation regarding its use with localfile. For example, you should lower the log_file_threshold variable within the script since localfile only allows the monitoring of 1000 files at a time. In addition, new files created are scanned every 64 seconds by default, so there could be some delay compared to your previous behavior. Given this and since your script managed to forward syslogs before, I think it's better to continue investigating why this doesn't work anymore.

Could you check if any errors are displayed when executing the Mimecast script? Is it possible that the IP of the syslog_server variable (in the script) does not match the one of the manager now (in case it is not localhost)? Do you find any error about it in the ossec.log of your manager?

Regards,
Selu.
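A small troubleshooting helper for the path discussed in this thread: send a known syslog line to the manager the way the forwarder does, look for it in archives.json once logall_json is enabled, and count the files a localfile wildcard would match against the 1000-file limit. This is an added example, not the Mimecast script or any Wazuh code; SYSLOG_HOST, SYSLOG_PORT and the sample archives lines are constructed placeholders.

```python
import glob
import json
import socket
from datetime import datetime

SYSLOG_HOST = "127.0.0.1"   # assumed placeholder: the manager's syslog listener
SYSLOG_PORT = 514           # assumed placeholder
LOCALFILE_MAX_FILES = 1000  # localfile monitors at most 1000 files at a time

def build_syslog_message(hostname, tag, msg, facility=1, severity=6, now=None):
    """Build an RFC 3164 line: <PRI>Mmm dd HH:MM:SS host tag: msg."""
    pri = facility * 8 + severity  # user-level (1), informational (6) -> 14
    now = now or datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 space-pads the day
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"

def send_test_message(line, host=SYSLOG_HOST, port=SYSLOG_PORT):
    """Send one UDP datagram as a syslog forwarder would; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode(), (host, port))

def find_in_archives(lines, marker):
    """Return archives.json events (one JSON object per line) whose full_log has marker."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:  # tolerate a partially written last line
            continue
        if marker in event.get("full_log", ""):
            hits.append(event)
    return hits

def localfile_file_count(pattern, limit=LOCALFILE_MAX_FILES):
    """Count files a localfile wildcard (e.g. /var/log/mimecast/*.log) would match."""
    count = len(glob.glob(pattern))
    return count, count <= limit

# Constructed sample of archives.json content (not real Mimecast data).
SAMPLE_ARCHIVES = [
    '{"timestamp":"2023-04-11T10:00:00+0000","full_log":"<14>Apr 11 10:00:00 wazuh-test mimecast-check: MIMECAST-CHECK-0001"}',
    '{"timestamp":"2023-04-11T10:00:01+0000","full_log":"<14>Apr 11 10:00:01 host other: unrelated"}',
    '{"timestamp":"2023-04-11T10:00:02',  # truncated last line, skipped
]
```

Run send_test_message(build_syslog_message("wazuh-test", "mimecast-check", "MIMECAST-CHECK-0001")) on the host that runs the script, then feed the tail of archives.json to find_in_archives: no hit means the manager never received or never analysed the line, which narrows the problem to the network path or the syslog listener rather than the ruleset.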