Not receiving IIS Logs


Usman Jut

Jun 27, 2022, 3:04:27 AM
to Wazuh mailing list
Hi everyone!
Hope everyone is doing good!

I am having trouble when receiving IIS logs at the manager. I'm using this configuration (I have put a different path, the one I replicated the issue with, for a better understanding of the problem):
<localfile>
  <log_format>iis</log_format>
  <location>/path/to/file/*</location>
</localfile>

but the logs only arrive on the day that the agent is restarted, meaning that the logs are being sent only for a day; the following day there will not be any IIS logs unless we restart the agent. Other logs are being received correctly.

Kindly let me know if someone knows how I can fix it.

Thank you for your precious time!

victor....@wazuh.com

Jun 27, 2022, 3:41:34 AM
to Wazuh mailing list

Hello ujut,

At agent start time, logcollector will check all the files that fit your regex. You can see all the files that it is monitoring in the ossec.log file:

2022/06/27 07:22:14 wazuh-agent: INFO: (1957): New file that matches the 'C:\Users\vagrant\Testing\*' pattern: 'C:\Users\vagrant\Testing\testing1.log'.
...
2022/06/27 07:22:14 wazuh-agent: INFO: (1957): New file that matches the 'C:\Users\vagrant\Testing\*' pattern: 'C:\Users\vagrant\Testing\testing2.log'.

After this process, new files that fit your regex will not be monitored by default.

This behavior can be changed by enabling logcollector.force_reload in the agent’s local_internal_option file:

logcollector.force_reload=1

This option will force logcollector to close and reopen monitored files every logcollector.reload_interval seconds (64).
In your case, if your IIS is generating a different log file each day, the best approach will be to use a 24-hour interval:

...
logcollector.reload_interval=86400

Finally, restart your agent in order to apply new changes.

If you have any doubt do not hesitate to ask.

Usman Jut

Jun 27, 2022, 3:56:59 AM
to Wazuh mailing list
Thank you for your response.
Actually I have installed around 200 wazuh-agents and multiple clusters. It's difficult for me to configure this in every agent's local_internal_option file.
Is there any way I can do this configuration from the Wazuh Manager? Or from any centralized point?

Thanks for your time!

victor....@wazuh.com

Jun 27, 2022, 7:15:57 AM
to Wazuh mailing list

Reviewing with the team the workaround of my last message, it seems that the force_reload option will not fit properly in this scenario.
That option will only force us to reopen already monitored files. Logcollector, by default, scans the wildcards every 64 seconds (logcollector.vcheck_files), so the behavior that you specified is not expected.

I am trying to replicate your issue in my local environment.
Meanwhile, please share with us:

  • The exact localfile configuration

  • All the logs related to this issue in the ossec.log of the agent

> Is there any way I can do this configuration from the Wazuh Manager? Or from any centralized point?

Regarding this question, it is not possible. If you need to change this file, you need to do it manually or use an automation tool.
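An added triage helper, not part of this thread or of Wazuh itself, that reads an agent's ossec.log for the (1957) "New file that matches" lines shown above and reports every wildcard pattern that has not picked up a new file within 24 hours, which is what a daily-rotating IIS log should produce. The sample log lines, the IIS path C:\inetpub\logs\LogFiles\W3SVC1\* and the "current time" are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message (1957) is the one the agent writes when a wildcard picks up a file;
# the timestamp format is the one seen in the thread's ossec.log excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-agent: INFO: \(1957\): "
    r"New file that matches the '(?P<pattern>[^']+)' pattern: '(?P<file>[^']+)'\.$"
)

def parse_matches(lines):
    """Return {pattern: [(timestamp, file), ...]} for every (1957) line."""
    found = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            found[m.group("pattern")].append((ts, m.group("file")))
    return dict(found)

def stale_patterns(lines, now, max_age=timedelta(hours=24)):
    """Patterns whose most recent pickup is older than max_age at time `now`.

    A daily-rotating IIS log should yield a (1957) line every day; a pattern
    whose only pickups date from the day the agent started is the symptom
    described in the thread. Returns {pattern: last_pickup_timestamp}."""
    stale = {}
    for pattern, hits in parse_matches(lines).items():
        latest = max(ts for ts, _ in hits)
        if now - latest > max_age:
            stale[pattern] = latest
    return stale

# Constructed sample: the Testing pattern only ever matched at agent start,
# while the (assumed) IIS pattern picked up a fresh daily file after midnight.
SAMPLE_LOG = r"""
2022/06/27 07:22:14 wazuh-agent: INFO: (1957): New file that matches the 'C:\Users\vagrant\Testing\*' pattern: 'C:\Users\vagrant\Testing\testing1.log'.
2022/06/27 07:22:14 wazuh-agent: INFO: (1957): New file that matches the 'C:\Users\vagrant\Testing\*' pattern: 'C:\Users\vagrant\Testing\testing2.log'.
2022/06/27 07:22:14 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC1\*' pattern: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220627.log'.
2022/06/28 00:00:41 wazuh-agent: INFO: (1957): New file that matches the 'C:\inetpub\logs\LogFiles\W3SVC1\*' pattern: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220628.log'.
""".strip().splitlines()
SAMPLE_NOW = datetime(2022, 6, 28, 12, 0, 0)  # constructed "current time"

if __name__ == "__main__":
    for pattern, last in stale_patterns(SAMPLE_LOG, SAMPLE_NOW).items():
        print(f"no new file matched {pattern!r} since {last}")
```

On a real agent, feed it the lines of the agent's ossec.log and datetime.now(); a pattern listed in the output is one to compare against the localfile configuration Victor asked for.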
