Wazuh linux agent file read capability


Shenal Perera

Oct 23, 2023, 6:18:25 AM
to Wazuh | Mailing List
Hi,

I would like to know some information regarding the file reading capability of the Wazuh Linux agent.

My requirement is as follows.

New log files are continually being copied to a directory every hour. I want the Linux agent to read the newly copied file and fetch the logs.

I simulated and noticed that the Linux agent does not read the copied files unless I make some changes (e.g. add a new line) at the end of the file. It will only fetch the last line I added. does fetch the records which came with the original file.

Could someone help me to sort this out?

Thank you

Shenal Perera

Oct 23, 2023, 6:21:39 AM
to Wazuh | Mailing List
Below are the configurations. New log files are copied to the /nfs/TEST folder and the files have the .log extension.

  <localfile>
    <log_format>syslog</log_format>
    <location>/nfs/TEST/*.log</location>
  </localfile>

John Adewale Olatunde

Oct 23, 2023, 12:36:26 PM
to Wazuh | Mailing List
Hello Shenal

Can you provide more details about your setup?

Is the log being generated and saved to the location by a process, or are you copying it from one folder to another every hour?

Also, do you mean the logcollector module fetches the last line added while ignoring the other logs in the original file?

Shenal Perera

Oct 24, 2023, 12:14:51 AM
to Wazuh | Mailing List
Hi John

Logs are being copied to the /nfs/TEST folder by an automated process every hour. The file naming format is ABCD.log.

The Wazuh Linux agent is set to read the .log files inside /nfs/TEST (below is the configuration).

  <localfile>
    <log_format>syslog</log_format>
    <location>/nfs/TEST/*.log</location>
  </localfile>


However, the agent does not read the files. But when we open an existing file and add a few lines manually at the end of the file, the agent fetches the last records we added manually. If not, it does not read the file at all.

Hope the above information is helpful.

Thank you

John Adewale Olatunde

Oct 24, 2023, 9:49:04 AM
to Wazuh | Mailing List
While doing some research, I came across this thread:

https://groups.google.com/g/wazuh/c/fCZ2yMM1ciU/m/CdA8RZC-BQAJ

Is this related to what you have presently?

Shenal Perera

Oct 24, 2023, 11:36:42 PM
to Wazuh | Mailing List

Hi John

It's similar, but my issue is different. In my case the log file is not being read at all unless I add new lines to it manually.

Thanks

Shenal Perera

Oct 29, 2023, 11:01:59 AM
to Wazuh | Mailing List
Hi John,

Did you get time to check my previous response?

Thank you

John Adewale Olatunde

Oct 30, 2023, 3:59:44 AM
to Wazuh | Mailing List
Hello Shenal

Are there decoders and rules for the existing logs? Also, can you send samples of the log as well as the modification made to the log?