Wazuh agent cannot monitor Apache access log


Quý Nguyễn

Jul 31, 2025, 6:26:17 AM
to Wazuh | Mailing List
I configured the file /var/ossec/etc/ossec.conf to monitor the file /var/log/apache2/access.log like this:
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
But my Wazuh agent cannot catch any logs when I use the command "curl http://127.0.0.1".
I would really appreciate it if you could reply to me in your free time.
Thank you.

Md. Nazmur Sakib

Jul 31, 2025, 6:40:14 AM
to Wazuh | Mailing List

Hi Quý Nguyễn,


I would check if there are any access logs for this event in /var/log/apache2/access.log

Run this command to find out

sudo cat /var/log/apache2/access.log | grep "127.0.0.1"

Also, share the output of the command from your agent’s endpoint.

sudo cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn"



Next, enable archives.json log in your manager to check if these logs are successfully forwarded to the Wazuh manager.

You can enable the archive JSON format log from your manager's ossec.conf



<ossec_config>
  <global>
    <!-- existing global settings -->
    <logall_json>yes</logall_json>
    <!-- existing global settings -->
  </global>
</ossec_config>


After making the changes, make sure to restart the manager.

systemctl restart wazuh-manager


Now, check the output of this command. Use a keyword related to your log.


cat /var/ossec/logs/archives/archives.json | grep "access.log"



Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.



Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json


If you see the logs in archives.json but no alerts in the dashboard, you might need to write some custom decoders and rules to trigger alerts.

Ref: https://documentation.wazuh.com/current/user-manual/ruleset/index.html


Share some logs in text format with me from archives.json related to Apache access.log if you need assistance with the decoders and rules.

Let me know the update on the issue.

Quý Nguyễn

Aug 1, 2025, 2:55:50 AM
to Wazuh | Mailing List
This is the result when I use the command sudo cat /var/log/apache2/access.log | grep "127.0.0.1"

Screenshot 2025-08-01 130811.png
And this is the result of sudo cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn"
Screenshot 2025-08-01 131009.png
I also enabled logall_json, but my agent still could not catch the logs from access.log.
I have searched and learned that my ossec.log must contain the line "Analyzing ...." to successfully collect logs from a file. Am I right?
On Thursday, July 31, 2025 at 17:40:14 UTC+7, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Aug 1, 2025, 4:04:30 AM
to Wazuh | Mailing List

2025/08/01 12:58:52 wazuh-logcollector: INFO: (1958): Analyzing file: '/var/log/apache2/access.log'. This indicates that the agent is monitoring this file. Can you share the output of these two commands?

sudo tail -n 1 /var/ossec/logs/archives/archives.json

sudo cat /var/ossec/logs/archives/archives.json | grep "access.log"


Are you getting alerts for other events from this agent?

Also, please share the full output of this command in a text file, so that I can review and check if there is any relevant error from the agent side.


sudo cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn"

Looking forward to your response.

Quý Nguyễn

Aug 1, 2025, 7:51:41 AM
to Wazuh | Mailing List
This is the output of the command sudo tail -n 1 /var/ossec/logs/archives/archives.json
root@ubuntu:~# sudo tail -n 1 /var/ossec/logs/archives/archives.json
{"timestamp":"2025-08-01T18:21:36.562+0700","agent":{"id":"000","name":"ubuntu"},"manager":{"name":"ubuntu"}
And this is the output of sudo cat /var/ossec/logs/archives/archives.json | grep "access.log"
<truncated>
{"timestamp":"2025-08-01T18:22:21.786+0700","agent":{"id":"008","name":"K8S-CP","ip":"192.168.88.132"},"manager":{"name":"ubuntu"},"id":"1754047341.1888281473","full_log":"10.0.196.64 - - [2025-08-01T18:22:17+07:00] \"POST /api/v2/write?bucket=telegraf&org=NMS HTTP/1.1\" 401 55 \"-\" \"Telegraf/1.26.0 Go/1.20.2\" 31732 0.020 [monitoring-monitor-influxdb-svc-443] [] 10.0.196.167:8086 55 0.002 401 93f3f8f7ab9bf06ffb2f63a1dd8a4f3a","decoder":{},"location":"/nfs_share/k8s/nginx/logs/access.log"}
{"timestamp":"2025-08-01T18:22:21.786+0700","agent":{"id":"008","name":"K8S-CP","ip":"192.168.88.132"},"manager":{"name":"ubuntu"},"id":"1754047341.1888281473","full_log":"10.0.196.64 - - [2025-08-01T18:22:12+07:00] \"GET /cms/notification/check?status=1 HTTP/2.0\" 200 10957 \"https://ews.nms.com.vn/user/profile-timekeeping/1761\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0\" 1453 0.396 [default-nms-ews-80] [] 10.0.196.132:80 10970 0.396 200 990d336599b1ae601b8b43f6bd911a19","decoder":{},"location":"/nfs_share/k8s/nginx/logs/access.log"}
{"timestamp":"2025-08-01T18:22:24.351+0700","rule":{"level":3,"description":"POST request received.","id":"31530","firedtimes":260,"mail":false,"groups":["web","appsec","attack"]},"agent":{"id":"009","name":"Mail","ip":"10.6.235.86"},"manager":{"name":"ubuntu"},"id":"1754047344.1888338619","full_log":"27.72.96.193 - - [01/Aug/2025:18:22:23 +0700] \"POST /mail/?_task=mail&_action=refresh HTTP/2.0\" 200 151 \"https://mail.nms.com.vn/mail/?_task=mail&_mbox=INBOX\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"27.72.96.193","id":"200","url":"/mail/?_task=mail&_action=refresh"},"location":"/var/log/nginx/access.log"}
{"timestamp":"2025-08-01T18:22:24.355+0700","rule":{"level":3,"description":"POST request received.","id":"31530","firedtimes":261,"mail":false,"groups":["web","appsec","attack"]},"agent":{"id":"009","name":"Mail","ip":"10.6.235.86"},"manager":{"name":"ubuntu"},"id":"1754047344.1888338619","full_log":"27.71.118.24 - - [01/Aug/2025:18:22:24 +0700] \"POST /mail/?_task=mail&_action=refresh HTTP/1.1\" 200 166 \"https://mail.nms.com.vn/mail/?_task=mail&_mbox=INBOX\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"27.71.118.24","id":"200","url":"/mail/?_task=mail&_action=refresh"},"location":"/var/log/nginx/access.log"}
{"timestamp":"2025-08-01T18:22:34.363+0700","rule":{"level":3,"description":"POST request received.","id":"31530","firedtimes":262,"mail":false,"groups":["web","appsec","attack"]},"agent":{"id":"009","name":"Mail","ip":"10.6.235.86"},"manager":{"name":"ubuntu"},"id":"1754047354.1888627308","full_log":"117.5.228.113 - - [01/Aug/2025:18:22:33 +0700] \"POST /mail/?_task=mail&_action=refresh HTTP/1.1\" 200 164 \"https://mail.nms.com.vn/mail/?_task=mail&_mbox=Drafts\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"117.5.228.113","id":"200","url":"/mail/?_task=mail&_action=refresh"},"location":"/var/log/nginx/access.log"}
{"timestamp":"2025-08-01T18:22:38.367+0700","rule":{"level":3,"description":"POST request received.","id":"31530","firedtimes":263,"mail":false,"groups":["web","appsec","attack"]},"agent":{"id":"009","name":"Mail","ip":"10.6.235.86"},"manager":{"name":"ubuntu"},"id":"1754047358.1888745204","full_log":"203.128.246.254 - - [01/Aug/2025:18:22:37 +0700] \"POST /mail/?_task=mail&_action=refresh HTTP/2.0\" 200 151 \"https://mail.nms.com.vn/mail/?_task=mail&_mbox=INBOX\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"203.128.246.254","id":"200","url":"/mail/?_task=mail&_action=refresh"},"location":"/var/log/nginx/access.log"}
{"timestamp":"2025-08-01T18:22:49.396+0700","rule":{"level":3,"description":"POST request received.","id":"31530","firedtimes":264,"mail":false,"groups":["web","appsec","attack"]},"agent":{"id":"009","name":"Mail","ip":"10.6.235.86"},"manager":{"name":"ubuntu"},"id":"1754047369.1889030197","full_log":"203.128.246.254 - - [01/Aug/2025:18:22:49 +0700] \"POST /mail/?_task=mail&_action=refresh HTTP/2.0\" 200 156 \"https://mail.nms.com.vn/mail/?_task=mail&_mbox=INBOX\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\"","decoder":{"name":"web-accesslog"},"data":{"protocol":"POST","srcip":"203.128.246.254","id":"200","url":"/mail/?_task=mail&_action=refresh"},"location":"/var/log/nginx/access.log"}

I'm pretty sure there is no Apache access log in archives.json.
This is the result of sudo cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn"
<truncated>
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:370 at LogCollectorStart(): INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:374 at LogCollectorStart(): DEBUG: Socket target for 'last -n 20' -> agent
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:419 at LogCollectorStart(): DEBUG: (9001): Socket target for 'journald' -> agent
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:1236 at set_read(): DEBUG: Socket target for '/var/ossec/logs/active-responses.log' -> agent
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:435 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:1236 at set_read(): DEBUG: Socket target for '/var/log/dpkg.log' -> agent
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:435 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:1236 at set_read(): DEBUG: Socket target for '/var/log/apache2/access.log' -> agent
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:435 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:486 at LogCollectorStart(): INFO: Started (pid: 13005).
2025/07/31 15:01:13 wazuh-logcollector[13005] logcollector.c:487 at LogCollectorStart(): DEBUG: (1961): Files being monitored: 4/1000.
2025/07/31 15:01:13 wazuh-logcollector[13005] lccom.c:511 at lccom_main(): DEBUG: Local requests thread ready
2025/07/31 15:01:15 wazuh-logcollector[13005] read_journald.c:108 at w_journald_can_read(): INFO: (9203): Monitoring journal entries.
2025/07/31 15:02:00 wazuh-logcollector[13005] sig_op.c:49 at HandleSIG(): INFO: (1225): SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...
2025/07/31 15:09:38 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/07/31 15:09:40 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/07/31 15:09:40 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/07/31 15:09:40 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:09:40 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:09:40 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:09:40 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:09:40 wazuh-logcollector: INFO: Started (pid: 14069).
2025/07/31 15:09:42 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/07/31 15:11:42 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/07/31 15:12:02 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/07/31 15:12:02 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/07/31 15:12:02 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:12:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:12:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:12:02 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:12:02 wazuh-logcollector: INFO: Started (pid: 15932).
2025/07/31 15:12:04 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/07/31 15:20:54 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2025/07/31 15:20:56 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.88.245]:1514/tcp': 'Transport endpoint is not connected'.
2025/07/31 15:21:08 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.88.245]:1514/tcp': 'Transport endpoint is not connected'.
2025/07/31 15:27:36 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/07/31 15:27:38 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/07/31 15:27:38 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/07/31 15:27:38 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:27:38 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:27:38 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:27:38 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:27:38 wazuh-logcollector: INFO: Started (pid: 17839).
2025/07/31 15:27:40 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/07/31 15:41:08 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/07/31 15:41:10 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/07/31 15:41:10 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/07/31 15:41:10 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:41:10 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:41:10 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:41:10 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:41:10 wazuh-logcollector: INFO: Started (pid: 20313).
2025/07/31 15:41:12 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/07/31 15:47:08 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/07/31 15:47:30 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/07/31 15:47:30 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/07/31 15:47:30 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/07/31 15:47:30 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/07/31 15:47:30 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/07/31 15:47:30 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/07/31 15:47:30 wazuh-logcollector: INFO: Started (pid: 1488).
2025/07/31 15:47:33 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/07/31 15:47:56 wazuh-logcollector: INFO: (9204): 'Journald' timestamp was refreshed due to rotation.
2025/08/01 12:58:52 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/08/01 12:58:52 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/08/01 12:58:52 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/08/01 12:58:52 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/08/01 12:58:52 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/08/01 12:58:52 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/08/01 12:58:52 wazuh-logcollector: INFO: Started (pid: 1474).
2025/08/01 12:58:55 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/08/01 13:02:22 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2025/08/01 13:02:23 wazuh-logcollector: WARNING: Process locked due to agent is offline. Waiting for connection...
2025/08/01 13:02:24 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.88.245]:1514/tcp': 'Transport endpoint is not connected'.
2025/08/01 13:02:36 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.88.245]:1514/tcp': 'Transport endpoint is not connected'.
2025/08/01 13:02:48 wazuh-logcollector: INFO: Agent is now online. Process unlocked, continuing...
2025/08/01 13:15:51 wazuh-agentd: ERROR: Connection socket: Connection reset by peer (104)
2025/08/01 13:15:51 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2025/08/01 13:15:52 wazuh-logcollector: WARNING: Process locked due to agent is offline. Waiting for connection...
2025/08/01 13:15:55 wazuh-agentd: ERROR: (1216): Unable to connect to '[192.168.88.245]:1514/tcp': 'Transport endpoint is not connected'.
2025/08/01 13:16:04 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2025/08/01 13:16:04 wazuh-agentd: WARNING: (1218): Unable to send message to 'server': Transport endpoint is not connected
2025/08/01 18:19:47 wazuh-logcollector: INFO: Monitoring output of command(360): df -P
2025/08/01 18:19:47 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
2025/08/01 18:19:47 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20
2025/08/01 18:19:47 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'.
2025/08/01 18:19:47 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/08/01 18:19:47 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/08/01 18:19:47 wazuh-logcollector: INFO: Started (pid: 1487).
2025/08/01 18:19:49 wazuh-logcollector: INFO: (9203): Monitoring journal entries.
2025/08/01 18:20:11 wazuh-logcollector: INFO: (9204): 'Journald' timestamp was refreshed due to rotation.


Can you figure out the problem for me? Thank you.
On Friday, August 1, 2025 at 15:04:30 UTC+7, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

Aug 6, 2025, 12:51:44 AM
to Wazuh | Mailing List

I cannot see any issues in your logs. To get more information on this, I would ask you to enable the debug log on the agent and share it with me.

You need to edit the /var/ossec/etc/local_internal_options.conf file and add this to the file.

logcollector.debug=2


Ref: https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector

Then restart the agent to apply changes.

systemctl restart wazuh-agent

Wait for 5 minutes.

Meanwhile, generate some logs in Apache access.log.

And share the output of these commands again.


sudo cat /var/ossec/logs/ossec.log | grep -i -E "wazuh-logcollector|error|warn"


sudo cat /var/ossec/logs/archives/archives.json | grep "apache2/access.log"

Looking forward to your update on this.
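The checks this thread keeps coming back to (is wazuh-logcollector reporting "Analyzing file" for the path, did any event with exactly that location reach the manager from this agent, and did the agent log manager connection losses), as an added Python example that is not the poster's code and not part of Wazuh. It reads the same two artefacts the replies ask for, the agent's ossec.log and the manager's archives.json, and matches the archives.json location field exactly instead of grepping for "access.log", which in the thread also matched other agents' nginx logs. The sample log lines and the agent names web01, k8s-cp and mail are constructed.

```python
import json
import re

# Line shapes seen in an agent's ossec.log (wazuh-logcollector / wazuh-agentd)
ANALYZING_RE = re.compile(r"wazuh-logcollector.*Analyzing file: '([^']+)'")
SHUTDOWN_RE = re.compile(r"wazuh-logcollector.*\(1225\): SIGNAL")
LOST_RE = re.compile(r"wazuh-agentd: ERROR: \(1137\): Lost connection")


def monitored_files(ossec_log: str) -> set:
    """Files reported as 'Analyzing file' in the logcollector's latest run;
    the set is reset at each logcollector shutdown signal."""
    files = set()
    for line in ossec_log.splitlines():
        if SHUTDOWN_RE.search(line):
            files = set()
        m = ANALYZING_RE.search(line)
        if m:
            files.add(m.group(1))
    return files


def connection_losses(ossec_log: str) -> int:
    """How often the agent lost the manager; the logcollector stays locked
    ('Process locked due to agent is offline') until the link is back."""
    return sum(1 for line in ossec_log.splitlines() if LOST_RE.search(line))


def events_for(archives_json: str, path: str, agent: str) -> list:
    """archives.json events whose location is exactly `path` and whose
    agent name is `agent` (a bare grep for 'access.log' matches too much)."""
    hits = []
    for line in archives_json.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or half-written line in a live file
        if ev.get("location") == path and ev.get("agent", {}).get("name") == agent:
            hits.append(ev)
    return hits


def triage(ossec_log: str, archives_json: str, path: str, agent: str) -> dict:
    """The three checks the thread walks through, in one summary."""
    return {
        "analyzing": path in monitored_files(ossec_log),
        "events": len(events_for(archives_json, path, agent)),
        "connection_losses": connection_losses(ossec_log),
    }


# Constructed sample input (not taken from the thread): agent 'web01' is
# analyzing the Apache log and reconnected once; archives.json only holds
# access.log events from two other agents, so the Apache count must be 0.
SAMPLE_OSSEC_LOG = """\
2025/08/01 12:58:52 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'.
2025/08/01 12:58:52 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/apache2/access.log'.
2025/08/01 12:58:52 wazuh-logcollector: INFO: Started (pid: 1474).
2025/08/01 13:02:22 wazuh-agentd: ERROR: (1137): Lost connection with manager. Setting lock.
2025/08/01 13:02:23 wazuh-logcollector: WARNING: Process locked due to agent is offline. Waiting for connection...
2025/08/01 13:02:48 wazuh-logcollector: INFO: Agent is now online. Process unlocked, continuing...
"""
SAMPLE_ARCHIVES = """\
{"timestamp":"2025-08-01T18:22:21.786+0700","agent":{"id":"008","name":"k8s-cp"},"manager":{"name":"ubuntu"},"full_log":"10.0.0.5 - - [01/Aug/2025:18:22:17 +0700] \\"GET / HTTP/1.1\\" 200 12","decoder":{},"location":"/nfs_share/k8s/nginx/logs/access.log"}
{"timestamp":"2025-08-01T18:22:24.351+0700","agent":{"id":"009","name":"mail"},"manager":{"name":"ubuntu"},"full_log":"10.0.0.6 - - [01/Aug/2025:18:22:23 +0700] \\"POST /mail/ HTTP/1.1\\" 200 151","decoder":{"name":"web-accesslog"},"location":"/var/log/nginx/access.log"}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_OSSEC_LOG, SAMPLE_ARCHIVES, "/var/log/apache2/access.log", "web01"))
```

On a real host, pass the contents of /var/ossec/logs/ossec.log from the agent and /var/ossec/logs/archives/archives.json from the manager (with logall_json enabled) to triage() with the agent's registered name.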