IIS server logs and WAF logs


Rabail Naseer

May 25, 2021, 4:06:38 AM5/25/21
to Wazuh mailing list
Hello Team,

I am working on Wazuh 4.1 and want to pull IIS logs and web application firewall logs into the Wazuh server.

I am using the configuration below for IIS logs in the ossec_agent file:
<localfile>
  <location>C:\location\of\LogFiles\*.log</location>
  <log_format>iis</log_format>
</localfile>

And I am using the configuration below for WAF logs in ossec_agent:
<localfile>
  <location>E:\WAFLog\*.log</location>
  <log_format>syslog</log_format>
</localfile>

But I can't see any logs on the dashboard.

The web application firewall is AQTRONIX WebKnight 4.5.



Jesus Linares

May 25, 2021, 5:21:48 AM5/25/21
to Wazuh mailing list
Hi,

You should review the full event pipeline to find the issue: collecting, reception, rule matching, and indexing.

Collecting
Review if your agent is reading the log that you are configuring. You can read the ossec.log file and search for "localfile" entries. It could be a good idea to enable debug mode.
According to the documentation:
> Wildcards can be used on Linux and Windows systems, if the log file doesn’t exist at ossec-logcollector start time, such log will be re-scanned after logcollector.vcheck_files seconds.

Reception
You can review the events that the manager receives by enabling the logall_json setting. Enable it and verify that you see the events in the /var/ossec/logs/archives/archives.json file.

Rule matching
Once you know that you are receiving the events, you should review whether the event is properly decoded and matching a rule. To do this, you can paste the raw events (from the archives.json file) into the logtest tool under /var/ossec/bin.
If any rule is triggered, you should review the decoders/rules in order to fix them or create new ones.

Indexing
Finally, if the alert generated has a level equal to or higher than 3, you should be able to see it in the Kibana > Discover section. If you can't find them, review the filebeat/logstash/elasticsearch logs; it could be an issue with the index template.

Please try to identify where the issue is, and we will try to help you.
I hope it helps.

Rabail Naseer

May 25, 2021, 6:31:28 AM5/25/21
to Wazuh mailing list
I think it's an issue in collecting, because the agent is not reading the log files. I have read the ossec.log file and searched for localfile entries, but found no entry at all in ossec.log.

Rabail Naseer

May 26, 2021, 7:17:57 AM5/26/21
to Wazuh mailing list
Waiting for your response.

Jesus Linares

May 26, 2021, 8:31:42 AM5/26/21
to Wazuh mailing list
Hi,

Sorry for the late reply.

I did this test:
1. Configure the Wazuh agent:
<localfile>
  <log_format>syslog</log_format>
  <location>C:\test\*.log</location>
</localfile>

2. Create C:\test\1.log and C:\test\2.log.
3. Start the Wazuh agent.
4. Create C:\test\3.log.

I see the following logs in the Wazuh agent log file:
  • 2021/05/26 10:20:52 ossec-agent: INFO: (1950): Analyzing file: 'C:\test\1.log'.
  • 2021/05/26 10:20:52 ossec-agent: INFO: (1950): Analyzing file: 'C:\test\2.log'.
  • 2021/05/26 10:21:57 ossec-agent: INFO: (1957): New file that matches the 'C:\test\*.log' pattern: 'C:\test\3.log'.
If you don't see that kind of log, the issue is in the Wazuh agent.

Is your agent reading files that exist before the start time?

I will do more checks.
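The collecting-stage check described in the two replies above (search ossec.log for the logcollector "Analyzing file" / "New file that matches" entries and compare them with the configured <localfile> locations) can be scripted. This is an added example, not code from the thread or from Wazuh itself; the config fragment and ossec.log excerpt are constructed from the lines quoted in the thread, and the script assumes each <location> pattern names a single directory.

```python
import re
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Agent-side logcollector messages quoted in the reply: 1950 = file picked up at
# agent start, 1957 = file created later that matched a wildcard <location>.
ANALYZING = re.compile(r"\(1950\): Analyzing file: '(?P<file>[^']+)'")
NEW_FILE = re.compile(
    r"\(1957\): New file that matches the '(?P<pattern>[^']+)' pattern: '(?P<file>[^']+)'")


def logcollector_files(ossec_log: str) -> dict:
    """Map each file the agent reported reading to the wildcard pattern it came from
    (None for files present at start, where the log line carries no pattern)."""
    files = {}
    for line in ossec_log.splitlines():
        m = ANALYZING.search(line) or NEW_FILE.search(line)
        if m:
            files[m.group("file")] = m.groupdict().get("pattern")
    return files


def localfile_locations(ossec_conf: str) -> list:
    """Every <localfile><location> in the agent config. Wrapped in a dummy root
    because ossec.conf may contain several top-level <ossec_config> blocks."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    return [l.text.strip() for lf in root.iter("localfile")
            for l in lf.iter("location") if l.text]


def unread_locations(ossec_conf: str, ossec_log: str) -> list:
    """Collecting-stage check: configured locations for which the agent never logged a
    matching file. Note fnmatch '*' also crosses backslashes, hence the single-directory
    assumption (constructed simplification, not logcollector's own matcher)."""
    seen = logcollector_files(ossec_log)
    return [p for p in localfile_locations(ossec_conf)
            if not any(fnmatchcase(f, p) for f in seen)]


# Constructed sample config and ossec.log excerpt (paths taken from the thread).
SAMPLE_CONF = r"""
<localfile><location>C:\test\*.log</location><log_format>syslog</log_format></localfile>
<localfile><location>E:\WAFLog\*.log</location><log_format>syslog</log_format></localfile>
"""
SAMPLE_OSSEC_LOG = r"""
2021/05/26 10:20:52 ossec-agent: INFO: (1950): Analyzing file: 'C:\test\1.log'.
2021/05/26 10:20:52 ossec-agent: INFO: (1950): Analyzing file: 'C:\test\2.log'.
2021/05/26 10:21:57 ossec-agent: INFO: (1957): New file that matches the 'C:\test\*.log' pattern: 'C:\test\3.log'.
2021/05/26 10:21:58 ossec-agent: INFO: Unrelated line that the parser must ignore.
"""

if __name__ == "__main__":
    for path in unread_locations(SAMPLE_CONF, SAMPLE_OSSEC_LOG):
        print(f"no file read for <location>{path}</location>: check the path, permissions, or enable debug")
```

A location reported here never produced a logcollector entry, so the problem is on the agent side (path, permissions, or the wildcard expander) rather than in reception, rules or indexing.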

Jesus Linares

May 27, 2021, 5:42:34 AM5/27/21
to Wazuh mailing list
Hi,

In order to reproduce your issue, could you give us the exact path of the folder that you are monitoring and the exact file names? It could be an issue with the "wildcard expander".

Thanks.
