Import / Inject old apache logs in Wazuh 4.6.0


Miguel CM

Nov 28, 2023, 7:30:12 AM
to Wazuh | Mailing List
Good morning,
I am trying to insert/inject old Apache logs into Wazuh so that it analyzes them and generates alerts. I cannot modify the dates of these logs, which are from 2019. The version I am using for this is 4.6.0.

Thank you in advance for your help.

tomas....@wazuh.com

Nov 28, 2023, 4:38:23 PM
to Wazuh | Mailing List
Hi Miguel,

Where are these logs located? Do you have access to their location? Are they in a file?

If so, have you tried using the logcollector module to read your file?

Please specify this information so I can help you further.

Best regards.

Tomás Turina

Miguel CM

Nov 28, 2023, 5:04:34 PM
to Wazuh | Mailing List
Hi Tomás,
I have downloaded these logs and placed them in a folder that I have access to. The file is an Apache "access.log".

As for the second point you mention, I'm not quite sure what you mean. What I did was add the file to be monitored by the agent, but it hasn't worked for me.
Would activating the logcollector module involve adding the .log file to /var/ossec/logs/archives/archives.log? Is this logcollector located in the Wazuh agent? If so, when will it place the alerts, on the current day or in 2019?

Thanks for your help.

Miguel CM

Nov 29, 2023, 4:12:08 AM
to Wazuh | Mailing List
Hi again,
About logcollector: I have used it, since, if I'm not mistaken, it is what makes the agent monitor that log. The problem is that there are no changes to the log, and since it is old, it also doesn't read the entries that are already there.

tomas....@wazuh.com

Nov 30, 2023, 10:40:47 AM
to Wazuh | Mailing List
Hi Miguel,

Logcollector works in both Wazuh manager and agent.

Well, in this case what you can do to read the old logs is to configure logcollector to monitor some particular file, for example:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache</location>
</localfile>

After restarting Wazuh, copy all the logs you want to analyze into the file you have just configured to monitor. For newer logs, just monitoring the original file (access.log) will be enough.

Remember to create decoders/rules in case the default Wazuh ruleset doesn't fit your needs.

Regarding your question about the date of the logs, the alerts will be generated with the current date (now), but the logs will keep their original date. So you will see the alerts with the current date, but the detail will include the original date.

I hope this information helps.

Tomás Turina
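The following is an added example, not code from the thread or from Wazuh, showing why the procedure above works and why Miguel's first attempt did not. Wazuh's logcollector reads a monitored file from its current end (the localfile option <only-future-events> defaults to yes), so lines that were already in the file when monitoring started are never read, while lines appended afterwards are. The TailReader class stands in for that behaviour with a plain byte offset; the Apache combined-format lines, the regex, and the alert record layout are constructed for the example and are not Wazuh's decoder or alert format. The alert carries the current time, while the event keeps its 2019 timestamp, which is the point made in the last paragraph above.

```python
"""Added example: replaying old Apache access logs into a tailed file.

Mimics Wazuh logcollector's default tail-from-end behaviour with a byte
offset, appends old 2019 lines to the monitored file, and shows that the
resulting alerts carry today's time while the event keeps its original date.
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed Apache "combined" access-log lines dated 2019 (not from the thread).
OLD_LINES = [
    '203.0.113.5 - - [12/Mar/2019:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2019:08:14:07 +0000] "GET /../../etc/passwd HTTP/1.1" 404 233 "-" "curl/7.64.0"',
    '198.51.100.9 - - [12/Mar/2019:08:14:09 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.64.0"',
]

# Hypothetical parser for the combined format; Wazuh uses its own decoders.
COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # The event keeps the date written in the log line (2019 here).
    event["timestamp"] = datetime.strptime(event.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


class TailReader:
    """Tail-from-end reader: starts at the file's current size and returns
    only complete lines written after that point (stand-in for logcollector)."""

    def __init__(self, path):
        self.path = Path(path)
        self.offset = self.path.stat().st_size

    def read_new_lines(self):
        with self.path.open("rb") as f:
            f.seek(self.offset)
            data = f.read()
        consumed = data.rfind(b"\n") + 1  # leave a partial last line for the next read
        self.offset += consumed
        return data[:consumed].decode("utf-8", "replace").splitlines()


def build_alert(event, now=None):
    """Alert record: generated now, but carrying the event's original timestamp."""
    now = now or datetime.now(timezone.utc)
    return {
        "alert_time": now,
        "original_time": event["timestamp"],
        "src_ip": event["src_ip"],
        "url": event["url"],
        "status": event["status"],
    }


def replay(monitored_path, old_lines):
    """Simulate the thread's procedure against a file that already exists.

    1. Monitoring starts (TailReader created), like restarting the agent with
       the new <localfile> block: whatever the file already holds is skipped.
    2. The old lines are appended: the "copy all the logs into the file" step.
    3. Only the appended lines come back and are turned into alerts.
    Returns (lines_read_before_append, alerts).
    """
    reader = TailReader(monitored_path)
    before = reader.read_new_lines()  # pre-existing content: nothing is read
    with open(monitored_path, "a", encoding="utf-8") as f:
        f.write("\n".join(old_lines) + "\n")  # trailing newline so the last line is complete
    alerts = [build_alert(ev) for ev in map(parse_combined, reader.read_new_lines()) if ev]
    return before, alerts


def demo():
    """Run replay() on a temporary file that already contains one old line."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = Path(tmp) / "apache_replay.log"
        monitored.write_text(OLD_LINES[0] + "\n", encoding="utf-8")  # present before monitoring
        return replay(monitored, OLD_LINES)


if __name__ == "__main__":
    skipped, alerts = demo()
    print(f"lines already in the file when monitoring started, read: {len(skipped)}")
    for a in alerts:
        print(f"alert {a['alert_time'].date()} <- event {a['original_time'].isoformat()} "
              f"{a['src_ip']} {a['url']} {a['status']}")
```

The empty `before` list is Miguel's symptom (a file with no new writes produces nothing), and the appended lines are what Tomás's copy step adds after the restart. When searching the resulting alerts later, filter on the decoded event timestamp rather than the alert timestamp, since every replayed alert will be dated the day of the replay.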