Enabled the Apache logs on Kibana dashboard


Manoj Kinage

Jul 23, 2021, 10:07:45 AM
to Wazuh mailing list
Hi Team,
We have enabled Apache log forwarding from the agent server to the Wazuh server, but we are not able to see it on the dashboard. Can you please provide details on where I can see it, or provide a reference link?

Thanks in advance. 


Alexander Bohorquez

Jul 23, 2021, 11:13:22 AM
to Wazuh mailing list
Hello, 

Thank you for using Wazuh!

After you install the agent and connect it to the Wazuh manager, you can monitor its logs with our log data collection feature, independently of the host. You can find more information about this feature and how to make it work with Apache logs in our documentation: https://documentation.wazuh.com/4.0/user-manual/capabilities/log-data-collection/index.html

For more information, you can check this link: https://documentation.wazuh.com/current/learning-wazuh/shellshock.html. It is a case that could be useful as a guiding example.

In our ruleset, there are already decoders/rules for Apache.

If you have already configured this and it still does not work, you could check whether you are receiving general alerts from this agent. If yes, then we should enable archives.json on the manager to check whether we are receiving Apache logs from that agent. (Archives log all the data that reaches the manager, even data that does not match any rule or decoder.)

Here are the instructions to enable archives in the Wazuh Manager:

Enable archives.json in /var/ossec/etc/ossec.conf by changing the logall_json option to yes:

<ossec_config>
  <global>
    ...
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
After restarting the Wazuh manager, the archives.json file will be filled with all the data collected from agents and from external sources such as wodles. Because of this, you should disable it once you have finished collecting the logs you need.

If you see that the Apache logs are reaching the manager in the archives but do not generate alerts (because they do not match any rule/decoder), you should take these example logs and generate rules/decoders following these instructions: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/ This way, you will receive the required alerts in Wazuh.

Note: To check whether the logs match any rule or decoder, you can use the binary /var/ossec/bin/wazuh-logtest: paste the log you took from the archives, and the command's output will show you which decoders/rules match. Here is the reference for using wazuh-logtest:


I hope this could be helpful. Please let me know if you have any questions!

Manoj Kinage

Jul 25, 2021, 7:55:21 AM
to Alexander Bohorquez, Wazuh mailing list
Hi Alexander,

Thank you very much for the update. 

I have configured the logs as mentioned. I also got the details below in the agent log file, but can you please provide the steps for where I can find it in Kibana?

2021/07/25 11:25:24 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/error.log'
2021/07/25 11:25:24 ossec-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'

Thanks,



Alexander Bohorquez

Jul 28, 2021, 4:28:24 PM
to Wazuh mailing list
Hello,

Hope you're well,

As explained above, you should check whether the logs inside "/var/log/apache2/error.log" or "/var/log/apache2/access.log" match decoders/rules in your Wazuh manager. If they do not match any decoder or rule, you will not be able to see them in Kibana, and you would have to create them following the instructions I sent you previously.

To check whether the logs match any rule or decoder, you can use the binary /var/ossec/bin/wazuh-logtest, copying a line of the logs in question and pasting it after executing the binary. The output will tell you which decoder/rule matches.
Once you see which rule ID the event matches, you can filter in Kibana or in the Wazuh app's Security events by this rule ID to visualize all the events.

I hope this information helps. Please let me know how it goes!
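Added example (not part of this thread and not Wazuh's own tooling): a small Python script that performs the two checks described in Alexander's replies above in one pass. It reads lines in the shape of archives.json, keeps only the events whose location is one of the two Apache files the agent reported, separates events that matched no decoder/rule (candidates for a custom decoder/rule, or for a wazuh-logtest run) from events that matched a rule, and builds the rule.id filter to paste into Kibana. It assumes the archives.json field names (agent, location, full_log, decoder, rule), that the wazuh-alerts index exposes the rule id as rule.id, and that the manager uses the default alert threshold of level 3 (alerts.log_alert_level in ossec.conf), so a rule below that level appears in the archives but never becomes an alert in Kibana. The sample lines, hostnames, rule ids and decoder names are constructed for illustration and may not match the ruleset on your manager.

```python
import json
import sys
from collections import Counter

# The two files the agent reported in its logcollector messages.
APACHE_LOCATIONS = ("/var/log/apache2/access.log", "/var/log/apache2/error.log")
# Assumed default of alerts.log_alert_level in ossec.conf; rules below it do not alert.
DEFAULT_ALERT_LEVEL = 3

# Constructed sample in the shape of /var/ossec/logs/archives/archives.json
# (one JSON object per line). NOT a real capture: hosts, ids and messages are
# made up; rule ids and decoder names are illustrative only.
SAMPLE_ARCHIVES = "\n".join(json.dumps(e) for e in [
    {   # Apache access log line that matched an alerting rule.
        "timestamp": "2021-07-25T11:25:30.000+0000",
        "agent": {"id": "001", "name": "web-agent"},
        "location": "/var/log/apache2/access.log",
        "full_log": '10.0.0.5 - - [25/Jul/2021:11:25:30 +0000] "GET /admin HTTP/1.1" 404 209',
        "decoder": {"name": "web-accesslog"},
        "rule": {"id": "31101", "level": 5, "description": "Web server 400 error code."},
    },
    {   # Apache error log line that matched only a level-0 grouping rule.
        "timestamp": "2021-07-25T11:25:31.000+0000",
        "agent": {"id": "001", "name": "web-agent"},
        "location": "/var/log/apache2/error.log",
        "full_log": "[Sun Jul 25 11:25:31 2021] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico",
        "decoder": {"name": "apache-errorlog"},
        "rule": {"id": "30101", "level": 0, "description": "Apache error messages grouped."},
    },
    {   # Reached the manager but matched no decoder: no "decoder"/"rule" keys.
        "timestamp": "2021-07-25T11:25:32.000+0000",
        "agent": {"id": "001", "name": "web-agent"},
        "location": "/var/log/apache2/error.log",
        "full_log": "custom-module: request budget exhausted for vhost example.internal",
    },
    {   # Event from another file, to show the location filter at work.
        "timestamp": "2021-07-25T11:25:33.000+0000",
        "agent": {"id": "001", "name": "web-agent"},
        "location": "/var/log/auth.log",
        "full_log": "Jul 25 11:25:33 web-agent sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 50022 ssh2",
        "decoder": {"name": "sshd"},
        "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success."},
    },
])


def parse_archives(text):
    """Return one dict per JSON line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_apache_event(event, locations=APACHE_LOCATIONS):
    """True when the event was collected from one of the Apache log files."""
    return event.get("location") in locations


def summarize_apache_events(events, alert_level=DEFAULT_ALERT_LEVEL):
    """Split Apache events into alerting, below-threshold and unmatched."""
    summary = {"apache_events": 0, "alerting_rule_ids": Counter(),
               "below_alert_level": [], "unmatched": [], "decoders": Counter()}
    for event in events:
        if not is_apache_event(event):
            continue
        summary["apache_events"] += 1
        summary["decoders"][event.get("decoder", {}).get("name", "<no decoder>")] += 1
        rule = event.get("rule")
        if rule is None:                       # feed wazuh-logtest / write a decoder
            summary["unmatched"].append(event["full_log"])
        elif int(rule.get("level", 0)) < alert_level:  # archived, never alerted
            summary["below_alert_level"].append(rule["id"])
        else:
            summary["alerting_rule_ids"][rule["id"]] += 1
    return summary


def kibana_rule_id_query(rule_ids):
    """KQL filter for the Security events view, assuming the field is rule.id."""
    return " or ".join('rule.id:"%s"' % rid for rid in sorted(rule_ids))


if __name__ == "__main__":
    # Usage: python check_apache_archives.py [/var/ossec/logs/archives/archives.json]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVES
    result = summarize_apache_events(parse_archives(text))
    print("Apache events in archives:", result["apache_events"])
    print("Decoders seen:", dict(result["decoders"]))
    print("Rules below alert level (no Kibana alert):", result["below_alert_level"])
    print("Lines matching no rule/decoder:", result["unmatched"])
    print("Kibana filter:", kibana_rule_id_query(result["alerting_rule_ids"]))
```

Run it against the real archives.json on the manager once logall_json has been enabled; an empty "Apache events" count means the logs are not reaching the manager at all, while a non-empty "no rule/decoder" list is the set of lines to paste into wazuh-logtest and, if nothing matches, to base a custom decoder and rule on. Remember to turn logall_json off again afterwards, as the reply above says.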

Manoj Kinage

Jul 29, 2021, 8:42:11 AM
to Alexander Bohorquez, Wazuh mailing list
Hi Alexander,

I am able to configure and monitor logs from the Kibana dashboard. 

Appreciate your help.

Thanks,
Manoj



Alexander Bohorquez

Jul 29, 2021, 3:03:07 PM
to Wazuh mailing list
Hello,

I'm glad to hear that. Don't hesitate to contact us if you need more help!

Regards,

Alexander Bohorquez
