Basic installation : Agents do not send their log files to the server


marieh esnault

Mar 16, 2025, 11:51:35 PM
to Wazuh | Mailing List
Hello all, thanks in advance for your help
I'm testing a very simple configuration : one server Wazuh 4.11.0 on Ubuntu 22.04 and two agents Wazuh 4.11 (Windows 10 and Windows 11), all connected on a private network 192.168.15.0/24 (VMware Workstation 17). I want to send Windows Defender logs in order to detect a malware, for example.
The manager, indexer and dashboard are up and running. Ports are all opened.
The agents are clearly visible in the dashboard and I can access the FIM and CIS for both. The agents are up and running, the scan was done at startup. Monitoring is activated.
But when I simply download netcat to generate a Windows Defender event, I see the event in the agent's Windows Defender log viewer, but in the Wazuh agent logs there is nothing and obviously nothing comes up on the server. I should point out that I disabled the Windows firewalls on the network with the Wazuh server.
I tried on Windows 10 and Windows 11, it's the same.
Attached : the 3 server configuration files and screenshots (run and ports)
    dashboard screen with <localfile> for the group
    agent ossec.log showing Windows Defender activated
    Windows Defender event log showing the malware detected
Note : I tried with Sysmon and it was the same.
I have a problem in my configuration but I don't see where.
Please, help me, I've been working on that problem for days and days.
Thanks
Marie
screenshot.docx
ossec.conf
Dashboard.docx
agent_ossec.log.docx
opensearch.yml
opensearch_dashboards.yml

Bony V John

Mar 17, 2025, 1:48:12 AM
to Wazuh | Mailing List

Hi,

Based on your input, Windows Defender alerts are not appearing on the Wazuh dashboard. However, they are present in the Windows Defender logs, and you have already configured the Wazuh agent to monitor Windows Defender events via centralized configuration. The agent logs also show that the event is being analyzed properly.

I have tested the same use case, and it is working fine for me. There is no need to use Sysmon for this. You can refer to the Wazuh Windows Defender log collection documentation for this. You can follow the steps below and share the output of the following commands with us for further analysis:

  1. Run the following command on the Wazuh manager CLI to check if Windows Defender events are being written to the alerts.json file:

    cat /var/ossec/logs/alerts/alerts.json | grep "Microsoft-Windows-Windows Defender/Operational"
  2. If the above command returns output, check the status of Filebeat by running:

    filebeat test output
  3. If Filebeat is not working, share the full output of the following command, which checks for error entries in the Filebeat log file:

    cat /var/log/filebeat/filebeat | grep -iE "error|warn|crit|fatal"
  4. If Filebeat is running correctly, the issue might be related to the Wazuh indexer. To check the health of the Wazuh indexer cluster, execute the following command:

    curl -k -u admin:<admin-password> -XGET "https://<indexer-ip>:9200/_cluster/health?pretty"

    Replace <admin-password> and <indexer-ip> with your actual Wazuh indexer credentials.

  5. To check the Wazuh indexer logs for any warnings or errors, run:

    cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn|crit|fatal"
  6. If there are no alerts, enable the log_all option to verify if the Wazuh agent is forwarding the event to the Wazuh manager. Trigger the event again from the Windows agent, then run the following command to check if the logs are reaching the Wazuh manager:

    cat /var/ossec/logs/archives/archives.json | grep "Microsoft-Windows-Windows Defender/Operational"

Please share the outputs of these commands so we can analyze the issue further.
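The steps above form a decision tree over the Wazuh pipeline (agent -> manager -> alerts.json -> Filebeat -> indexer). As an added example, not part of the thread, the script below applies that order to archives.json and alerts.json content: it filters records on the Windows Defender channel by parsing each JSON line (rather than a raw grep), skips truncated lines, and names the stage at which the event is lost. The log records are constructed samples; the `filebeat_ok` flag stands for the result of `filebeat test output`.

```python
import json

# Channel name from the thread; the log records below are constructed samples.
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

def defender_events(log_text):
    """Return (agent name, eventID) pairs for Defender records in Wazuh JSON log lines."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written record at end of file: skip, do not abort triage
        system = rec.get("data", {}).get("win", {}).get("system", {})
        if system.get("channel") == DEFENDER_CHANNEL:
            found.append((rec.get("agent", {}).get("name", "?"), system.get("eventID")))
    return found

def diagnose(archives_text, alerts_text, filebeat_ok):
    """Name the pipeline stage where the Defender event is lost, in the thread's order.

    archives_text: content of /var/ossec/logs/archives/archives.json (needs log_all enabled)
    alerts_text:   content of /var/ossec/logs/alerts/alerts.json
    filebeat_ok:   True when `filebeat test output` reports the indexer reachable
    """
    if not defender_events(archives_text):
        return "agent -> manager: event never reached the manager (check agent localfile/connectivity)"
    if not defender_events(alerts_text):
        return "manager rules: event received but no alert generated (check decoders/rules)"
    if not filebeat_ok:
        return "filebeat: alert written but not shipped (check Filebeat log)"
    return "indexer/dashboard: alert shipped; check indexer cluster health and index pattern"

# Constructed sample records in the Wazuh 4.x archives.json layout (hypothetical agent names)
ARCHIVES_SAMPLE = "\n".join([
    json.dumps({"timestamp": "2025-03-16T22:30:00.000+0000", "agent": {"id": "001", "name": "WIN10"},
                "data": {"win": {"system": {"channel": DEFENDER_CHANNEL, "eventID": "1116"}}}}),
    json.dumps({"timestamp": "2025-03-16T22:30:01.000+0000", "agent": {"id": "002", "name": "WIN11"},
                "data": {"win": {"system": {"channel": "Security", "eventID": "4624"}}}}),
    '{"timestamp": "2025-03-16T22:30:02',  # truncated line, as seen while the file is being written
])
ALERTS_SAMPLE = ""  # constructed: no rule matched the Defender event yet

if __name__ == "__main__":
    print(defender_events(ARCHIVES_SAMPLE))
    print(diagnose(ARCHIVES_SAMPLE, ALERTS_SAMPLE, filebeat_ok=True))
```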
