Fluentd forward not working


Bibek Chaudhary

Sep 12, 2023, 7:46:04 AM
to Wazuh | Mailing List
I have configured my Wazuh to send a log to a fluentd server, but it is not working. I have followed the documentation, but it seems not to work.

<fluent-forward>
  <enabled>yes</enabled>
  <tag>debug.test</tag>
  <socket_path>/var/run/fluent.sock</socket_path>
  <address>localhost</address>
  <port>24224</port>
</fluent-forward>

<socket>
  <name>fluent_socket</name>
  <location>/var/run/fluent.sock</location>
  <mode>udp</mode>
</socket>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/ossec/test.log</location>
  <target>fluent_socket</target>
</localfile>

fluent.conf:
<source>
  @type http
  port 9880
  bind 0.0.0.0
</source>

<source>
  @type forward
  port 24224
  bind 0.0.0.0
</source>

<system>
  log_level debug
</system>

<match **>
  @type stdout
</match>

<match debug.**>
  @type stdout
</match>

Command1:
$ curl -X POST -d 'json={"json":"message"}' http://127.0.0.1:9880/sample.test

Command2:
$ echo "message" >> /var/ossec/test.log

I have received the log from http but not from wazuh.

[Attachment: Screenshot 2023-09-12 at 17.30.01.png]

Santiago David Vendramini

Sep 12, 2023, 8:46:01 AM
to Wazuh | Mailing List
Hi, could you tell me which version of Wazuh you are working with? Also, could you check ossec.log after you have configured fluent and during testing?

Bibek Chaudhary

Sep 12, 2023, 11:37:50 AM
to Wazuh | Mailing List
Hi,

I am using Wazuh version 4.3.5.

Yes, I have checked ossec.log. It does not have anything related to fluentd.

Bibek Chaudhary

Sep 13, 2023, 1:15:27 AM
to Wazuh | Mailing List
Hi,

I've successfully upgraded Wazuh to version 4.5.2. It's operating smoothly now, and I am getting the logs in fluentd.

I have an additional inquiry: Is it possible to configure Fluentd to retrieve logs from the sockets used by components like remoted and analysisd? Specifically, I'm interested in the files located within the /var/ossec/queue/sockets directory. These files include the socket used by analysisd, remoted, and potentially others. My intention is to utilize Fluentd for the purpose of forwarding logs to an alternative destination rather than storing them as files.

Santiago David Vendramini

Sep 13, 2023, 9:45:08 AM
to Wazuh | Mailing List
Hi! That's great to hear! Unfortunately not, since the fluentd integration module creates the socket that is specified in the configuration at runtime. Also, in general, TCP is used in remoted and Unix sockets between modules, so almost none of them are UDP. And finally, the messages received by remoted are encrypted, so that even if you manage to extract them, they could not be read.
What you could do is to configure some other log files like alerts.json, archives.json or ossec.log.

I hope this solves your need! Let me know if you need anything else!
Best Regards!
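To make the suggestion above concrete, here is an added example of a Wazuh ossec.conf fragment that reads alerts.json (the file analysisd already writes) and hands each line to the fluent-forward module, instead of the test.log used earlier in the thread. This is not a configuration posted by anyone in the thread; the tag wazuh.alerts is an assumed value, and the alerts path is the default Wazuh location, so adjust both to your installation.

```xml
<ossec_config>
  <!-- Fluent-forward module: listens on a local Unix UDP socket and relays
       each datagram to the fluentd forward input on localhost:24224.
       The module itself creates the socket at runtime. -->
  <fluent-forward>
    <enabled>yes</enabled>
    <tag>wazuh.alerts</tag>  <!-- assumed tag; match it with <match wazuh.**> in fluent.conf -->
    <socket_path>/var/run/fluent.sock</socket_path>
    <address>localhost</address>
    <port>24224</port>
  </fluent-forward>

  <!-- Named socket that <localfile> blocks can use as a target.
       Mode must be udp for the fluent-forward module. -->
  <socket>
    <name>fluent_socket</name>
    <location>/var/run/fluent.sock</location>
    <mode>udp</mode>
  </socket>

  <!-- Read the alerts file analysisd writes (default path) and send every
       JSON line to the fluent socket rather than to the local queue. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/ossec/logs/alerts/alerts.json</location>
    <target>fluent_socket</target>
  </localfile>
</ossec_config>
```

Note that this path only relays what the agent or manager reads from disk: alerts.json is still written by analysisd, and the fluent-forward module forwards a copy of each line. The same localfile block works for archives.json or ossec.log by changing the location (and log_format to syslog for ossec.log).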

Bibek Chaudhary

Sep 14, 2023, 12:20:33 AM
to Wazuh | Mailing List
Hi,

Thank you for clearing that up.

The issue at hand is my preference not to store any logs in a file. Instead, I'm looking for a direct transfer of logs to an alternative output mechanism. 

Wazuh does offer the option to transmit logs via ZeroMQ, but currently, it only supports the forwarding of alerts and not other types of events. 
I did raise this concern, and it seems that addressing this is still pending, as indicated by the issue I opened regarding ZeroMQ sending only alerts (https://github.com/wazuh/wazuh/issues/13280). 

Therefore, I'm exploring alternative methods to forward Wazuh logs to a different output channel, bypassing the need to save them in a file.

Regards.