Configuration


Satwika sree

Mar 23, 2023, 7:20:17 AM
to Wazuh mailing list
Hi all,

I added the application log configuration, Active Directory configuration, and TCP log configuration to the centralized agent configuration on the Wazuh manager, as shown below:

<localfile>
  <log_format>syslog</log_format>
  <location>C:\Windows\ADWS\*.log</location>
  <alias>ADWS logs</alias>
  <frequency>10</frequency>
</localfile>
<localfile>
  <location>C:\inetpub\logs\LogFiles\*.log</location>
  <log_format>syslog</log_format>
</localfile>
<localfile>
  <location>Microsoft-Windows-TCPIP/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
<localfile>
  <location>C:\Windows\System32\LogFiles\HTTPERR</location>
  <log_format>eventchannel</log_format>
</localfile>
<localfile>
  <location>C:\inetpub\logs\LogFiles\*.log</location>
  <log_format>iis</log_format>
</localfile>

However, we are not receiving any application alerts in the Wazuh manager.
Upon checking the agent log file, I found the errors mentioned below:

wazuh-agent: ERROR: Couldn't open directory 'C:\Windows\ADWS' due to: The system cannot find the file specified.
wazuh-agent: ERROR: Couldn't open directory 'C:\inetpub\logs\LogFiles' due to: The system cannot find the path specified.
wazuh-agent: ERROR: Couldn't open directory 'C:\Logs' due to: The system cannot find the file specified.

wazuh-agent: ERROR: Couldn't open directory 'C:\inetpub\logs\LogFiles' due to: The system cannot find the path specified.
wazuh-agent: ERROR: Couldn't open directory 'C:\Logs' due to: The system cannot find the file specified.

wazuh-agent: ERROR: Error in LookupAccountSid.

Please advise on how to resolve these errors and start receiving application alerts in the Wazuh manager.

Regards,
Satwika.



Selu López

Mar 23, 2023, 8:56:02 AM
to Wazuh mailing list
Hi Satwika,

Please make sure that the .log files are in the path indicated in the configuration. For example, for the inetpub (IIS) folder, according to your configuration (C:\inetpub\logs\LogFiles\*.log) the log files should be here:
C:\inetpub\logs\LogFiles\u_ex230321.log
C:\inetpub\logs\LogFiles\u_ex230322.log
C:\inetpub\logs\LogFiles\u_ex230323.log

However, usually those IIS logs are inside folders (for example W3SVC1):
C:\inetpub\logs\LogFiles\W3SVC1\u_ex230321.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex230322.log
C:\inetpub\logs\LogFiles\W3SVC1\u_ex230323.log

So your configuration for inetpub should look similar to this:
<localfile>
<location>C:\inetpub\logs\LogFiles\W3SVC1\*.log</location>
<log_format>iis</log_format>
</localfile> 

Check the other log paths in case the same thing happens since this could be the reason for the error. Also, take a look at this issue where a problem with folder wildcards in Windows is reported (if you want to make use of them):

I hope this helps you solve the problem. Let me know otherwise.

Regards,
Selu.
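Added example (not from this thread and not a Wazuh tool): a PowerShell script that reads the agent's <localfile> entries on the Windows host and checks each file-based location the way the agent would, flagging missing directories, wildcards in the directory part (the problem the reply above points to) and patterns that match no files. The default configuration path is an assumption.

```powershell
# Added example (not from this thread or from Wazuh itself): check the
# <localfile> entries of a Wazuh agent configuration on the Windows host
# before deploying it, so that entries that would produce
# "Couldn't open directory" errors are caught up front.
param(
    # Assumption: default install path of the Windows agent configuration.
    [string]$ConfigPath = "C:\Program Files (x86)\ossec-agent\ossec.conf"
)

# ossec.conf may contain several top-level <ossec_config> blocks, so wrap the
# file in one root element to get a well-formed document.
[xml]$doc = "<root>" + (Get-Content -Raw -LiteralPath $ConfigPath) + "</root>"

$report = foreach ($lf in $doc.SelectNodes("//localfile")) {
    $location = [string]$lf.location
    $format   = [string]$lf.log_format

    if ($format -in @("eventchannel", "eventlog")) {
        # These locations must be Event Log channel names, not filesystem paths.
        $status = if ($location -match '^[A-Za-z]:\\') { "filesystem path used with $format" }
                  else { "event channel (not checked on disk)" }
        [pscustomobject]@{ Location = $location; Format = $format; Status = $status; Files = $null }
        continue
    }

    $dir = Split-Path -Path $location -Parent
    # A wildcard in the directory part is the case the reply above points to
    # as problematic on Windows; only the file-name part is checked here.
    $wildcardInDir = $dir -match '[\*\?]'
    $dirExists = (-not $wildcardInDir) -and (Test-Path -LiteralPath $dir -PathType Container)

    $fileCount = 0
    if ($dirExists) {
        $fileCount = @(Get-ChildItem -Path $location -File -ErrorAction SilentlyContinue).Count
    }

    $status = if ($wildcardInDir)       { "wildcard in directory part (not supported)" }
              elseif (-not $dirExists)  { "directory missing (agent would log 'Couldn't open directory')" }
              elseif ($fileCount -eq 0) { "directory exists but no file matches the pattern" }
              else                      { "ok" }

    [pscustomobject]@{ Location = $location; Format = $format; Status = $status; Files = $fileCount }
}

$report | Format-Table -AutoSize
```

Run it on the agent host after pushing a new agent.conf; every row whose Status is not "ok" corresponds to an entry that will fail at agent start.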