wazuh-logcollector disable, is possible ?

[Cláudio Lopes]

Hello, 

I have a question, i dont interesting for use logcollector process. But i dont know how disable it. Is it possible? I need just FIM functionality from wazuh. 

Anyone know how disable that process?

Thanks 

[Mauro Agustín Malara]

Hi!

So, it is actually possible to make wazuh-logcollector stop collecting logs by deleting all <localfile> blocks from /var/ossec/etc/ossec.conf in both the manager and the agent (and also from /var/ossec/etc/shared/<YOUR_GROUP> if you have created a group). After restarting the manager and the agent, you will see this message in the ossec.log file:

Jun 21 14:34:34 manager-2873 env[13852]: 2022/06/21 14:34:34 wazuh-logcollector: INFO: (1905): No file configured to monitor.

Note that even if it is not collecting logs, the wazuh-logcollector process will be running, although consumption is minimal.

Let me know if you have any questions,

Regards.

​