On stats of agent I have Tomcat .log file events, but where can I see them?


FabDan
Jul 26, 2022, 7:57:43 AM
to Wazuh mailing list
Hello everybody,

I also wanted to record in Wazuh the logs generated by the Tomcat that is present on the Windows machine on which I installed the agent.
I set up the agent.conf file to monitor a .log file and send everything in syslog format.
In the agent statistics I see 169 events linked to the log file that I told it to monitor, but I cannot find a way to view these events.
I'm sure something is wrong.
I first installed the product yesterday.

Thank you all.

Mariano Koremblum
Jul 26, 2022, 8:50:07 AM
to Wazuh mailing list
Hi Fab!

Can you share such a configuration with us so we can validate it? What agent statistics are you talking about? Can you tell us where you are obtaining that number of events from?

I will be waiting for your reply,

Mariano Koremblum

FabDan
Jul 26, 2022, 9:11:55 AM
to Wazuh mailing list
Hi Mariano,

Sorry, I was wrong.
I set the path of the log file in the agent.conf of the Windows machine and Wazuh sees it, as you can see from the screenshot, but where can I see the contents of the .log file in Wazuh?

Thank you.

[Attachment: Log_files_configuration_agent.png]

Mariano Koremblum
Jul 26, 2022, 10:40:23 AM
to Wazuh mailing list

Hi again Fab,

By default, it is not possible to directly inspect the log files in the Wazuh dashboard. You will only be able to see the entries that have generated an alert (when the alert level of such a log is equal to or higher than the log_alert_level value set in the ossec.conf file of the manager). You can filter the alerts by location, which should be the full path to the log file you are trying to see.

Another option would be to enable the logall option on your manager’s ossec.conf file, but this is not recommended because it might consume a lot of disk space as it would store every single log that arrives at the manager.

Do you really need to inspect the whole file, or what exactly are you trying to do or see?

Best regards,

Mariano

FabDan
Jul 26, 2022, 10:57:35 AM
to Wazuh mailing list
Hello,

Thanks, it's clearer now.
I had already enabled logall in the manager's ossec.conf file to do a test, but despite this I can't see the Tomcat firewall logs inside the dashboard.
How can I see them, and then refine everything once I am sure it works?
Also, if I wanted to see only the errors inside the original Tomcat file, what value of log_alert_level should I put?

thank you

Mariano Koremblum
Jul 26, 2022, 11:31:24 AM
to Wazuh mailing list

In order to display all the incoming logs in the dashboard, the following steps are needed:

  • 1st: set <logall_json>yes</logall_json> under the <global> tag in the /var/ossec/etc/ossec.conf file of your manager.
  • 2nd: Restart the Wazuh manager (# /var/ossec/bin/ossec-control restart)

After doing so, now all the incoming events should start to be logged in the /var/ossec/logs/archives/archives.json file.

  • 3rd: Now it’s necessary to configure Filebeat to monitor the archives.json file. This can be achieved by modifying the /etc/filebeat/filebeat.yml and adding the /var/ossec/logs/archives/archives.json file to the paths as follows:
filebeat.inputs:
  - type: log
    paths:
      - /var/ossec/logs/alerts/alerts.json
      - /var/ossec/logs/archives/archives.json
  • 4th: Restart the Filebeat service by doing # systemctl restart filebeat or # service filebeat restart

After doing so, you should be able to see every single log on your dashboard. Some logs might be duplicated, as the alerts.json file is a dump of the archives.json entries whose alert level is equal to or higher than the configured log_alert_level.

About the errors that you mention from Tomcat, it depends on the decoders and rules that process such logs. If you have some example logs maybe we can have a better understanding.

Best regards,

Mariano Koremblum
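As an added example (my own script, not from the thread or from the Wazuh project), here is a small POSIX shell check for the pipeline the steps above set up on the manager: is logall_json really enabled inside the <global> block, is archives.json listed in the Filebeat input paths, which control script is available for the restart, and how much disk the archives are using (the caveat about logall consuming a lot of space). The function names are mine; the paths are the ones used in the thread and can be overridden through environment variables for testing.

```shell
#!/bin/sh
# Added example, not part of the thread or of Wazuh: verify on the manager that
# the "log everything" pipeline described above is actually wired up, and keep an
# eye on the disk-space caveat that comes with it. Function names are my own;
# the paths are the ones from the thread and can be overridden via environment.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
FILEBEAT_YML="${FILEBEAT_YML:-/etc/filebeat/filebeat.yml}"
ARCHIVES_DIR="${ARCHIVES_DIR:-/var/ossec/logs/archives}"

# Step 1 check: <logall_json>yes</logall_json> must sit inside the <global>
# block. A copy placed elsewhere in ossec.conf is not what the step asks for,
# so only that block is inspected; whitespace is stripped so indentation does
# not matter.
logall_json_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n '/<global>/,/<\/global>/p' "$conf" \
        | tr -d ' \t' \
        | grep -q '^<logall_json>yes</logall_json>$'
}

# Step 3 check: the archives file must be listed under filebeat.inputs paths.
filebeat_monitors_archives() {
    yml="$1"
    [ -r "$yml" ] || return 1
    grep -Eq '^[[:space:]]*-[[:space:]]*/var/ossec/logs/archives/archives\.json[[:space:]]*$' "$yml"
}

# Steps 2 and 4 use the control script, which was renamed from ossec-control to
# wazuh-control (see the follow-up in the thread); report whichever exists.
control_script() {
    for s in /var/ossec/bin/wazuh-control /var/ossec/bin/ossec-control; do
        if [ -x "$s" ]; then echo "$s"; return 0; fi
    done
    echo "none"
    return 1
}

# The caveat: logall stores every event the manager receives, so the archives
# directory grows quickly. Return its size in KiB (0 when it does not exist yet)
# so it can be compared against a threshold by cron or a monitoring check.
archives_size_kb() {
    dir="$1"
    if [ -d "$dir" ]; then du -sk "$dir" | cut -f1; else echo 0; fi
}

report() {
    if logall_json_enabled "$1"; then
        echo "ok:   logall_json enabled under <global> in $1"
    else
        echo "warn: logall_json not enabled under <global> in $1; archives.json will not be written"
    fi
    if filebeat_monitors_archives "$2"; then
        echo "ok:   Filebeat reads /var/ossec/logs/archives/archives.json ($2)"
    else
        echo "warn: archives.json missing from filebeat.inputs paths in $2; events stay on disk only"
    fi
    echo "info: manager control script: $(control_script) (run '<script> restart' after editing ossec.conf)"
    echo "info: archives use $(archives_size_kb "$3") KiB under $3"
}

report "$OSSEC_CONF" "$FILEBEAT_YML" "$ARCHIVES_DIR"
```

Run it on the manager after steps 1 to 4; a "warn" line points at the step that is still missing, and the size line is the number to watch (or to alert on) while logall stays enabled.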

FabDan
Jul 27, 2022, 3:35:14 AM
to Wazuh mailing list
Hi Mariano,

OK, I followed the steps you indicated.
However, the ossec-control restart command does not exist on my installation, so I rebooted the Ubuntu 22.04 server directly.
A trivial question: now that I've set everything up, where do I see the logs from the dashboard?
I'm still exploring the product and getting confused.

Thank you

Mariano Koremblum
Jul 27, 2022, 9:42:20 AM
to Wazuh mailing list

I am sorry Fab, the name changed to wazuh-control (instead of ossec-control).

I would recommend you take a look at the following link where the main options of the dashboard are displayed: https://documentation.wazuh.com/current/getting-started/components/wazuh-dashboard.html

There are many things to see around, what are you specifically looking for?

Regards,

Mariano Koremblum

FabDan
Jul 27, 2022, 11:22:51 AM
to Wazuh mailing list
Hi Mariano,

Thanks, and what I wanted to say was how to be able to see the contents of the file, for example tomcat.log, displayed within the dashboard like the other product logs.
In the .json file you can see all the strings contained in the file, while in the dashboard they are not, so they are processed and received by the manager but not displayed in the dashboard.

Thanks again.

Mariano Koremblum
Jul 27, 2022, 6:08:16 PM
to Wazuh mailing list
You can filter the events by their location, e.g. "/var/log/dpkg.log", as follows:

[Attachments: 1st.png, 2nd.png, 3rd.png, 4th.png]

I hope that my answer helps!!

Best Regards,

Mariano Koremblum
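As an added example (my own code, not part of the thread or of Wazuh), the script below replays the explanation given earlier in this thread on a handful of constructed archives.json lines: the agent statistics count every event received from a monitored file, the dashboard filter on the location field narrows them to one file, and only the events whose matched rule level is equal to or higher than log_alert_level become alerts. The remainder is visible only in archives.json, which is why a file can show 169 events in the statistics and almost nothing in the dashboard. The sample events, agent names, rule ids and messages are constructed; it is assumed that the rule object is present only on events that matched a rule, and the default of 3 for log_alert_level is the value Wazuh ships with.

```python
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample of archives.json content (one JSON object per line), shaped
# like what a Wazuh manager writes when logall_json is enabled: a Windows agent
# forwarding a Tomcat log configured as a <localfile> in agent.conf, plus one
# event from the manager's own /var/log/dpkg.log. The "rule" object is assumed
# to be present only when a rule matched the event. All values are made up.
SAMPLE_ARCHIVES = r"""
{"timestamp":"2022-07-27T10:00:01.000+0000","agent":{"id":"001","name":"WIN-TOMCAT"},"location":"C:\\tomcat\\logs\\catalina.2022-07-27.log","full_log":"27-Jul-2022 10:00:01.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms"}
{"timestamp":"2022-07-27T10:00:02.000+0000","agent":{"id":"001","name":"WIN-TOMCAT"},"location":"C:\\tomcat\\logs\\catalina.2022-07-27.log","full_log":"27-Jul-2022 10:00:02.000 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start","rule":{"id":"100100","level":7,"description":"Tomcat SEVERE message"}}
{"timestamp":"2022-07-27T10:00:03.000+0000","agent":{"id":"001","name":"WIN-TOMCAT"},"location":"C:\\tomcat\\logs\\catalina.2022-07-27.log","full_log":"27-Jul-2022 10:00:03.000 WARNING [main] org.apache.catalina.core.StandardHost.startInternal Context startup failed","rule":{"id":"100101","level":2,"description":"Tomcat WARNING message"}}
{"timestamp":"2022-07-27T10:00:04.000+0000","agent":{"id":"000","name":"wazuh-manager"},"location":"/var/log/dpkg.log","full_log":"2022-07-27 10:00:04 status installed filebeat:amd64 7.10.2","rule":{"id":"2902","level":7,"description":"New dpkg (Debian Package) installed."}}
"""

DEFAULT_LOG_ALERT_LEVEL = 3  # assumed: the value Wazuh ships in ossec.conf


def parse_archives(text: str) -> Iterator[dict]:
    """Yield one event per non-empty line; archives.json and alerts.json are JSON Lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def counts_by_location(events: Iterable[dict]) -> Dict[str, int]:
    """Events per source file: the number the agent statistics show per monitored file."""
    counts: Dict[str, int] = {}
    for event in events:
        loc = event.get("location", "<unknown>")
        counts[loc] = counts.get(loc, 0) + 1
    return counts


def by_location(events: Iterable[dict], location: str) -> List[dict]:
    """The same narrowing the dashboard does when you filter on the location field (full path)."""
    return [event for event in events if event.get("location") == location]


def becomes_alert(event: dict, log_alert_level: int = DEFAULT_LOG_ALERT_LEVEL) -> bool:
    """True when the event reaches alerts.json: a rule matched and its level is high enough."""
    rule = event.get("rule")
    return rule is not None and rule.get("level", 0) >= log_alert_level


def explain_visibility(text: str, location: str,
                       log_alert_level: int = DEFAULT_LOG_ALERT_LEVEL) -> Dict[str, int]:
    """Split one file's events into those the dashboard shows by default (alerts)
    and those that exist only because logall_json is on (archives_only)."""
    events = by_location(parse_archives(text), location)
    alerts = sum(1 for event in events if becomes_alert(event, log_alert_level))
    return {"received": len(events), "alerts": alerts, "archives_only": len(events) - alerts}


if __name__ == "__main__":
    tomcat = "C:\\tomcat\\logs\\catalina.2022-07-27.log"
    print(counts_by_location(parse_archives(SAMPLE_ARCHIVES)))
    print(explain_visibility(SAMPLE_ARCHIVES, tomcat))
    for event in by_location(parse_archives(SAMPLE_ARCHIVES), tomcat):
        tag = "alert" if becomes_alert(event) else "archives only"
        print(f"[{tag}] {event['full_log'][:70]}")
```

With the default level, the three Tomcat events split into one alert (the SEVERE line, level 7) and two that only exist in archives.json; lowering log_alert_level to 1 would also turn the WARNING line into an alert, but the INFO line that matched no rule never becomes one, which is the "it depends on the decoders and rules" point from earlier in the thread.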