Hi Respected Team,
I've added a file as <localfile> and my custom decoder decodes it successfully, but the logs are not showing up in Alerts (even though I set the rule level to 13).
Here is the sample log:
{'AutoID': 10, 'AutoGUID': UUID('sdfwerwer-47d6-4ff4-a162-s86d57fs78df'), 'ServerID': 'XYZ', 'ReceivedUTC': datetime.datetime(2023, 11, 23, 1, 15, 53, 240000), 'DetectedUTC': datetime.datetime(2023, 11, 23, 1, 11, 55), 'AgentGUID': UUID('57c30ca9-24e8-4167-8d13-f83d4df12b25'), 'Analyzer': 'XYZ_AM_5412', 'AnalyzerName': 'XYZ Endpoint Security', 'AnalyzerVersion': '10.7.0', 'AnalyzerHostName': 'XYZ-WIN10', 'AnalyzerIPV4': 735896455, 'AnalyzerIPV6': b'ÿÿ¬c', 'AnalyzerMAC': '000c2980a849', 'AnalyzerDATVersion': '5348.0', 'AnalyzerEngineVersion': '6600.9927', 'AnalyzerDetectionMethod': 'On-Access Scan', 'SourceHostName': 'EI-WIN10', 'SourceIPV4': 739246435, 'SourceIPV6': b'ÿÿ¬c', 'SourceMAC': None, 'SourceUserName': None, 'SourceProcessName': 'C:\Windows\explorer.exe', 'SourceURL': None, 'TargetHostName': 'EI-WIN10', 'TargetIPV4': 739246435, 'TargetIPV6': b'ÿÿ¬c', 'TargetMAC': None, 'TargetUserName': 'EIL\Administrator', 'TargetPort': None, 'TargetProtocol': None, 'TargetProcessName': None, 'TargetFileName': 'C:\Users\Administrator.EIL.000\Downloads\Malz2\Server.exe', 'ThreatCategory': 'av.detect', 'ThreatEventID': 1428, 'ThreatSeverity': 2, 'ThreatName': 'DoS-FAE!BFD0DCF57209', 'ThreatType': 'trojan', 'ThreatActionTaken': 'IDS_ALERT_ACT_TAK_WBD', 'ThreatHandled': True, 'TheTimestamp': b':}', 'TenantID': 1}
And here is the <localfile> config in the ossec.conf file:
<localfile>
<location>/home/user/wodl.txt</location>
<log_format>syslog</log_format>
</localfile>
Please respond with a solution.
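Added example (editor's note, not part of the original post and not Wazuh code): the sample above is a Python dict repr of a database row, not syslog, so it contains tokens (UUID(...), datetime.datetime(...), bytes literals, single-backslash Windows paths) that a line-oriented syslog decoder has to match with regexes. The script below, which assumes nothing beyond the Python standard library, normalises such a line into one JSON object per line, which is a shape a JSON-based log_format can consume directly and which makes the field names (ThreatName, ThreatEventID, TargetFileName, ...) available without custom regex groups. The embedded SAMPLE_EVENT is the event from the post, copied as constructed test input.

```python
"""Normalise a Python-repr endpoint event line into a JSON line (added example)."""
import ast
import datetime
import json
import re

# Constructed sample: the event from the post, kept verbatim (redacted values included).
SAMPLE_EVENT = (
    r"{'AutoID': 10, 'AutoGUID': UUID('sdfwerwer-47d6-4ff4-a162-s86d57fs78df'), 'ServerID': 'XYZ', "
    r"'ReceivedUTC': datetime.datetime(2023, 11, 23, 1, 15, 53, 240000), "
    r"'DetectedUTC': datetime.datetime(2023, 11, 23, 1, 11, 55), "
    r"'AgentGUID': UUID('57c30ca9-24e8-4167-8d13-f83d4df12b25'), 'Analyzer': 'XYZ_AM_5412', "
    r"'AnalyzerName': 'XYZ Endpoint Security', 'AnalyzerVersion': '10.7.0', 'AnalyzerHostName': 'XYZ-WIN10', "
    r"'AnalyzerIPV4': 735896455, 'AnalyzerIPV6': b'ÿÿ¬c', 'AnalyzerMAC': '000c2980a849', "
    r"'AnalyzerDATVersion': '5348.0', 'AnalyzerEngineVersion': '6600.9927', "
    r"'AnalyzerDetectionMethod': 'On-Access Scan', 'SourceHostName': 'EI-WIN10', 'SourceIPV4': 739246435, "
    r"'SourceIPV6': b'ÿÿ¬c', 'SourceMAC': None, 'SourceUserName': None, "
    r"'SourceProcessName': 'C:\Windows\explorer.exe', 'SourceURL': None, 'TargetHostName': 'EI-WIN10', "
    r"'TargetIPV4': 739246435, 'TargetIPV6': b'ÿÿ¬c', 'TargetMAC': None, 'TargetUserName': 'EIL\Administrator', "
    r"'TargetPort': None, 'TargetProtocol': None, 'TargetProcessName': None, "
    r"'TargetFileName': 'C:\Users\Administrator.EIL.000\Downloads\Malz2\Server.exe', "
    r"'ThreatCategory': 'av.detect', 'ThreatEventID': 1428, 'ThreatSeverity': 2, "
    r"'ThreatName': 'DoS-FAE!BFD0DCF57209', 'ThreatType': 'trojan', 'ThreatActionTaken': 'IDS_ALERT_ACT_TAK_WBD', "
    r"'ThreatHandled': True, 'TheTimestamp': b':}', 'TenantID': 1}"
)

# Tokens that ast.literal_eval cannot evaluate on its own.
_BYTES_RE = re.compile(r"(?<![\w'])b'((?:[^'\\]|\\.)*)'")
_UUID_RE = re.compile(r"UUID\('([^']*)'\)")
_DATETIME_RE = re.compile(r"datetime\.datetime\(([\d,\s]+)\)")


def _bytes_to_hex(match):
    """Replace b'...' with a quoted hex string; non-ASCII display chars become \\xNN escapes."""
    inner = match.group(1)
    ascii_inner = "".join(
        ch if ord(ch) < 128 else ("\\x%02x" % ord(ch) if ord(ch) < 256 else "\\x3f")
        for ch in inner
    )
    return repr(ast.literal_eval("b'" + ascii_inner + "'").hex())


def _datetime_to_iso(match):
    """Replace datetime.datetime(y, m, d, ...) with a quoted ISO-8601 timestamp."""
    parts = [int(p) for p in match.group(1).split(",")]
    return repr(datetime.datetime(*parts).isoformat())


def parse_event(text):
    """Turn one repr-style event line into a plain dict of JSON-serialisable values."""
    text = _BYTES_RE.sub(_bytes_to_hex, text)
    text = _UUID_RE.sub(lambda m: repr(m.group(1)), text)
    text = _DATETIME_RE.sub(_datetime_to_iso, text)
    # Windows paths in the post appear with single backslashes, which is not a valid
    # Python literal ('\U' starts an escape). Collapse doubled ones, then double all,
    # so both single- and double-backslash input evaluate to the same path.
    text = text.replace("\\\\", "\\").replace("\\", "\\\\")
    return ast.literal_eval(text)


def to_json_line(text):
    """One JSON object per input line; ensure_ascii keeps the output 7-bit clean."""
    return json.dumps(parse_event(text), ensure_ascii=True)


if __name__ == "__main__":
    print(to_json_line(SAMPLE_EVENT))
```

Run as a filter over the exported file (one event per line) and write the output to a separate file that the agent tails; the bytes fields are emitted as hex because their raw content is not valid JSON text, and the timestamps come out as ISO-8601 so rules can compare them. Whether the existing rule fires is still governed by the decoder's field matches, so check the decoded output with the logtest tool after the conversion rather than assuming the level alone is enough.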