Good morning,
I am trying to send Keycloak logs to Wazuh for analysis, but by following the guide (https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html), I haven’t been able to receive anything. This is the configuration I have on the agent to send the logs:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/pods/default_keycloak-*/*/*.log</location>
</localfile>
Am I missing any steps? Thank you very much in advance.
Best regards,
Thanks for reaching out! To help you troubleshoot this, I need a bit more context:
Basic info:
About the logs:
Wazuh side:
Once I have this info, we can pinpoint where things might be getting stuck.
My test setup:
I created the same configuration on an agent and tested with logs matching your exact format:
Steps to fix your setup:
1. Enable log archiving on the manager (this is likely what's missing):
Edit /var/ossec/etc/ossec.conf:
<global>
  <jsonout_output>yes</jsonout_output>
  <alerts_log>yes</alerts_log>
  <logall>yes</logall>
  <logall_json>yes</logall_json>
</global>
Restart the manager:
sudo systemctl restart wazuh-manager
Verify the agent can read your logs:
sudo -u wazuh cat /var/log/pods/default_keycloak-*/*/*.log | head -5
Monitor events on the manager:
sudo tail -f /var/ossec/logs/archives/archives.json | grep keycloak
Once you enable archiving, you should start seeing logs immediately. Let me know what you find!
Note: Please use "Reply All" when responding so other Wazuh community members can follow the thread and benefit from the solution. Thanks!
Hi Álvaro,
Great! Now that logs are being collected, you need to create custom rules to generate alerts from your Keycloak logs.
Understanding the difference:
Steps to create alerts:
Customize for your needs:
You should start seeing alerts in the Wazuh dashboard shortly after restarting.
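A custom rules file for the step above, added here as an example and not part of the thread or of Wazuh's shipped rule set. It assumes Keycloak's JSON logger puts the event text in a message field and the logger name in loggerName (org.keycloak.events), and uses rule IDs from the 100000+ range reserved for custom rules.

```xml
<!-- /var/ossec/etc/rules/keycloak_rules.xml (added example; rule IDs and field names are assumptions) -->
<group name="keycloak,">

  <!-- Base rule: any JSON line written by Keycloak's event logger.
       Assumes the JSON decoder exposes the logger name as "loggerName". -->
  <rule id="100100" level="3">
    <decoded_as>json</decoded_as>
    <field name="loggerName">org.keycloak.events</field>
    <description>Keycloak event log entry</description>
  </rule>

  <!-- Child rule: one failed login. Assumes Keycloak writes "type=LOGIN_ERROR"
       into the message text of the event line. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="message">type=LOGIN_ERROR</field>
    <description>Keycloak: failed login attempt</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation rule: five or more failed logins within two minutes
       raise a higher-severity alert for the SOC to review. -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <description>Keycloak: multiple failed login attempts in a short period</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Restart wazuh-manager after saving the file, and feed one of the archived Keycloak lines to /var/ossec/bin/wazuh-logtest to confirm the expected rule ID fires before relying on the alerts.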