Localfile configuration issue with 'journald'

19 views
Skip to first unread message

Antti Backman

unread,
Jun 29, 2026, 2:26:02 AM (4 days ago) Jun 29
to Wazuh | Mailing List
Hi, 

Any idea why we're getting this error with latest 4.14 wazuh-agent

wazuh-logcollector: ERROR: (1235): Invalid value for element 'log_format': journald.

As per the <local file> configuration documentation the 'log_format' parameter should be set to 'journald' if journal messages is to be collected by the agent

We're experiencing this on RHEL 8,9 and 10. 

Stuti Gupta

unread,
Jun 29, 2026, 2:50:38 AM (4 days ago) Jun 29
to Wazuh | Mailing List

Can you please share the full local file configuration that you have added and the location, the file path, where you are adding this?

The log_format value can be journald, https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#location
It should be something like this: 

<localfile>
<location>journald</location>
<log_format>journald</log_format>
</localfile>


Make sure to collect logs from the journald system; you must set both location and log_format to journald.

Looking forward to your response 

Antti Backman

unread,
Jun 29, 2026, 4:56:00 AM (4 days ago) Jun 29
to Wazuh | Mailing List
Hi, 

Thanks for you swift response. 

This is from the agent.conf

...
  <localfile>
      <log_format>journald</log_format>
      <location>journald</location>
      <only-future-events>no</only-future-events>
    </localfile>
...

Stuti Gupta

unread,
Jul 2, 2026, 2:19:25 AM (24 hours ago) Jul 2
to Wazuh | Mailing List
Hi Antti,

I somehow missed your reply. I'm testing this right now. Please allow me some time.

Sorry for the delay.

Stuti Gupta

unread,
Jul 2, 2026, 3:08:19 AM (23 hours ago) Jul 2
to Wazuh | Mailing List

I tested this on my end, and I was not able to reproduce the following error:

wazuh-logcollector: ERROR: (1235): Invalid value for element 'log_format': journald.

The following configuration is already present in the default ossec.conf:

<localfile>
 <location>journald</location> 
 <log_format>journald</log_format> 
</localfile>

There is generally no need to add the same configuration again in agent.conf unless you want to apply additional filters or other options. If multiple journald configurations are present, Wazuh will merge them, which may result in merge-related warnings, but it should not give the (1235) error.

Could you please let me know where you are applying this configuration? If you are using the Wazuh dashboard (web ui), please share a screenshot of the configuration. If you are editing the configuration manually, please share the file path and the entire file. 

Antti Backman

unread,
Jul 2, 2026, 4:26:45 AM (21 hours ago) Jul 2
to Wazuh | Mailing List
Hi, 

For consistency and transparency through agent configurations in through the central facility, we set all relevant configurations explicitly for agent group configurations through the Dashboard / web ui. We're not aware that this approach would be prohibited. 

image.png

I have one question back to you, did you test with the exact configuration I posted above?

//Antti 

Stuti Gupta

unread,
1:15 AM (1 hour ago) 1:15 AM
to Wazuh | Mailing List
Hi, Atti, 

I have tested this and am still not getting the error that you are getting:

Screenshot_28.png

Can you please check your agent's side ossec.conf and share the file with us located at 
/var/ossec/etc/ossec.conf

Reply all
Reply to author
Forward
0 new messages