Forwarding logs from agent to manager


David Adonis

4:37 AM (18 hours ago)
to Wazuh | Mailing List

As mentioned in the Wazuh documentation, logs can be forwarded to the manager by configuring the ossec.conf file on the agent.

I am using active-response to run a custom script. This script performs some actions and writes custom logs (in syslog format) to file active-responses.log.

I want to forward this log file to the manager, so I configured the Windows agent's ossec.conf file (C:\Program Files (x86)\ossec-agent\ossec.conf) with the following block:

```xml
<localfile>
  <location>C:\Program Files (x86)\ossec-agent\active-response\active-responses.log</location>
  <log_format>syslog</log_format>
</localfile>
```

My issue is: how can I verify that my configuration is correct and that the custom syslog logs in active-responses.log are being successfully forwarded? I have checked the ossec.log on the Windows agent, and the ossec.log and archives.log on the Wazuh manager, but I cannot find any entries related to my logs.
I have also created a decoder and rule for my logs and tested them successfully with wazuh-logtest; the only issue is, as I mentioned above, that I don't know whether my logs are being forwarded or not.


hasitha.u...@wazuh.com

6:41 AM (16 hours ago)
to Wazuh | Mailing List
Hi David,

It looks like you’re trying to collect and monitor the active-responses.log. First, verify that logs are being added to the active-responses.log file:

C:\Program Files (x86)\ossec-agent\active-response\active-responses.log

If they are, please share your ossec.conf file so we can review the configuration.

Also, after adding the log collection to the Wazuh agent’s ossec.conf, make sure you restart the agent. If you haven’t already, try restarting it and check again.
Restart-Service -Name wazuh

After restarting the agent, check the ossec.log to verify that the active-responses.log is being read by the agent. You can find a similar log line on the agent if it is successfully configured:
2025/09/28 15:16:21 wazuh-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.


If yes, then you can enable archives.json logging and simulate a few events to capture.

To capture the logs from archives.json, please follow these steps:
1. Enable log_all_json on the Wazuh manager
   Update the ossec.conf file on the Wazuh manager to enable log_all_json.
2. Reproduce the event
   Trigger the event again to capture the relevant logs.
3. Extract the relevant logs
   Run the following command on the Wazuh manager:
       grep -iE "<related string>" /var/ossec/logs/archives/archives.json
   Replace <related string> with a relevant value from the log to filter the specific entries.
4. Disable log_all_json
   After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.
Share the sample log that you have taken from archives.json with us.
Ref: https://documentation.wazuh.com/current/user-manual/manager/event-logging.html#enabling-archiving

Warning
Keeping <logall_json>yes</logall_json> on can fill up your disk fast! Once you’re done troubleshooting, set it back to no in /var/ossec/etc/ossec.conf and restart the manager:
systemctl restart wazuh-manager

We recommend creating custom rules and decoders based on archives.json, because in these logs we can see the field full_log, which is the one parsed by analysis. One of the archives.json events should look like this (the field of interest is full_log):
{"timestamp":"2023-09-05T02:47:40.074+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"Server85"},"id":"1693882060.373586","full_log":"Sep 5 03:10:19 Server91 dbus-daemon[676]: [system] Successfully activated service 'org.freedesktop.UPower'","predecoder":{"program_name":"dbus-daemon","timestamp":"Sep 5 03:10:19","hostname":"Server91"},"decoder":{},"location":"/var/log/syslog"}
Ref: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Check these documents to learn more about regex and decoder syntax
Decoders Syntax
Regular Expression Syntax

To learn more about rules, you can refer to these guides.
Rules
Rules Syntax
Regular Expression Syntax

Try simulating events and check for new entries in the active-responses.log file. Then, review the corresponding logs in archives.json and share some sample entries so I can replicate them on my end.  
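The check the question asks for and the archives.json procedure in the reply above, carried through as an added Python example (editor's code; it is neither the poster's script nor Wazuh's own tooling). It selects archives.json events whose "location" is the agent-side file from the poster's <localfile> block, which is what the suggested grep does, and additionally reports for each event whether a decoder matched and whether a rule fired. Assumptions: the field names follow the archives.json sample quoted in the reply (timestamp, agent, full_log, predecoder, decoder, location); a "rule" object is assumed to appear only on events that matched a rule; the sample events, the program name custom-ar and rule id 100010 are constructed for the demonstration.

```python
"""Check whether a Wazuh agent's log file is reaching the manager.

Added example for this thread, not Wazuh's own tooling and not the poster's
code. Reads the manager's archives.json (written while <logall_json>yes</logall_json>
is set) and keeps only events whose "location" is the agent-side file, then
reports whether each was decoded and whether a rule fired.

Assumed field names follow the archives.json sample quoted in the reply
(timestamp, agent, full_log, predecoder, decoder, location); "rule" is assumed
to be present only on events that matched a rule.
"""
from __future__ import annotations

import json
import sys
from pathlib import Path
from typing import Iterator

ARCHIVES_PATH = Path("/var/ossec/logs/archives/archives.json")

# The <location> from the poster's <localfile> block, as the agent reports it.
AR_LOG_LOCATION = r"C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

# Constructed sample archives.json content (not captured from a real manager).
# Program name custom-ar and rule id 100010 are hypothetical. In JSON the
# Windows path backslashes are escaped, hence the doubled "\\". The last line
# imitates a partially written record at the tail of a live file.
SAMPLE_ARCHIVES = r"""
{"timestamp":"2025-09-28T15:20:01.000+0000","agent":{"id":"003","name":"win-agent","ip":"10.0.2.50"},"manager":{"name":"wazuh-manager"},"id":"1759072801.1001","full_log":"Sep 28 15:20:00 win-agent custom-ar[1234]: blocked 203.0.113.7","predecoder":{"program_name":"custom-ar","timestamp":"Sep 28 15:20:00","hostname":"win-agent"},"decoder":{"name":"custom-ar"},"location":"C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log","rule":{"id":"100010","level":5,"description":"Custom AR action"}}
{"timestamp":"2025-09-28T15:20:02.000+0000","agent":{"id":"003","name":"win-agent","ip":"10.0.2.50"},"manager":{"name":"wazuh-manager"},"id":"1759072802.1002","full_log":"Sep 28 15:20:01 win-agent custom-ar[1234]: unexpected format here","predecoder":{"program_name":"custom-ar","timestamp":"Sep 28 15:20:01","hostname":"win-agent"},"decoder":{},"location":"C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"}
{"timestamp":"2025-09-28T15:20:03.000+0000","agent":{"id":"001","name":"abc","ip":"10.0.2.29"},"manager":{"name":"wazuh-manager"},"id":"1759072803.1003","full_log":"Sep 28 15:20:02 abc sshd[700]: Accepted publickey for root","predecoder":{"program_name":"sshd","timestamp":"Sep 28 15:20:02","hostname":"abc"},"decoder":{"name":"sshd"},"location":"/var/log/auth.log"}
not json: a partially written line at the tail of the file
"""


def iter_events(text: str) -> Iterator[dict]:
    """Yield one parsed event per line, skipping blank and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # incomplete tail record or non-JSON noise


def events_from_location(text: str, location: str, agent_name: str | None = None) -> list[dict]:
    """Events whose location matches (case-insensitively, for Windows paths)
    and, if given, whose agent name matches."""
    wanted = location.casefold()
    out = []
    for ev in iter_events(text):
        if ev.get("location", "").casefold() != wanted:
            continue
        if agent_name and ev.get("agent", {}).get("name") != agent_name:
            continue
        out.append(ev)
    return out


def summarize(ev: dict) -> dict:
    """Reduce an event to the fields that answer: forwarded, decoded, alerted?"""
    return {
        "agent": ev.get("agent", {}).get("name"),
        "decoder": ev.get("decoder", {}).get("name"),  # None: no decoder matched
        "rule_id": ev.get("rule", {}).get("id"),        # None: no rule fired
        "full_log": ev.get("full_log"),
    }


def verdict(summaries: list[dict]) -> str:
    """One-line diagnosis, in the order the reply above suggests checking."""
    if not summaries:
        return ("NOT FORWARDED: no events from that location in archives.json; "
                "confirm the agent's ossec.log shows 'Analyzing file' for it and that the agent was restarted")
    undecoded = [s for s in summaries if s["decoder"] is None]
    if undecoded:
        return (f"FORWARDED, {len(undecoded)} of {len(summaries)} events matched no decoder; "
                "feed those full_log values to wazuh-logtest")
    unalerted = [s for s in summaries if s["rule_id"] is None]
    if unalerted:
        return f"FORWARDED AND DECODED, {len(unalerted)} of {len(summaries)} events matched no rule"
    return f"OK: {len(summaries)} events forwarded, decoded and matched a rule"


def main(argv: list[str]) -> int:
    path = Path(argv[1]) if len(argv) > 1 else ARCHIVES_PATH
    agent = argv[2] if len(argv) > 2 else None
    if path.exists():
        text = path.read_text(encoding="utf-8", errors="replace")
    else:
        print(f"{path} not found; running on the constructed sample instead", file=sys.stderr)
        text = SAMPLE_ARCHIVES
    summaries = [summarize(ev) for ev in events_from_location(text, AR_LOG_LOCATION, agent)]
    for s in summaries:
        print(f"{s['agent']:<12} decoder={s['decoder'] or '-':<12} rule={s['rule_id'] or '-':<8} {s['full_log']}")
    print(verdict(summaries))
    return 0 if summaries else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the manager as `python3 check_ar_forwarding.py /var/ossec/logs/archives/archives.json win-agent` while logall_json is enabled; without arguments it falls back to the constructed sample. An empty result points at the agent side (ossec.conf block, restart, the "Analyzing file" line), events with an empty decoder point at the decoder, and decoded events without a rule id point at the rule.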