Hello!
Thanks for using Wazuh!
For the activity logs, the document states that after enabling this logging method, KES will start saving such logs into a TXT file, which can be easily ingested in Wazuh by using the logcollector module.
For example:
<localfile>
  <location>C:\logtest\log.txt</location>
  <log_format>syslog</log_format>
</localfile>
This module would ingest all events saved into C:\logtest\log.txt.
Now for the application logs, the document states that KES is capable of saving such logs both into the Windows Event Log and/or into a TXT file.
In case you wanted to ingest these events using the Windows Event Log, you'll need to add a new localfile (logcollector) module defining the correct event channel, as explained here. You can get the "channel" you need by checking one of these KES events in the Windows Event Viewer. Once you find one KES log, make sure to copy the content of its channel field.
For example, here's the channel field in some random Windows event of mine:
And next would be a localfile module that fetches events from the Security channel:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
</localfile>
Notice here that location must contain the channel name from the event and log_format must contain eventchannel.
NOTE: Keep in mind that in case these events are stored in one of the following channels, Wazuh already has modules to fetch them:
- Application
- System
- Security (by default it has a query to filter out some innocuous Windows events).
On the other hand, in case you wanted to ingest KES application logs from the TXT file, you would need to apply the same configuration mentioned for the activity logs. Make sure to set the correct file path.
I hope this helps! Let me know how everything goes!