Event Log Service Shutdown(Event ID 1100) not present in Wazuh logs


Alen Mustafic

Sep 9, 2025, 8:03:45 AM (11 days ago) Sep 9
to Wazuh | Mailing List
As the subject says, I am testing on my workstation stopping the Event Log service, and although this event is present locally in the Security audit logs, I can't find the same log being forwarded to Wazuh. This should be a serious security concern.

Any suggestions?

Franco Giovanolli

Sep 9, 2025, 10:45:33 AM (11 days ago) Sep 9
to Wazuh | Mailing List
Hi Alen,

Thanks for bringing this up — you're right, stopping the Event Log service is definitely something worth keeping an eye on.

If you’re seeing the event locally and other audit logs are reaching the manager, one possibility is that the event is being collected but there’s no rule matching it — so no alert is generated.

To confirm that, you can temporarily enable the `archives.log` on the manager. That way, you can check if the raw log is arriving. If it’s there, then it’s just a matter of writing a custom rule to alert on it.

Let us know if this helps.

Cheers,
Franco
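The two steps Franco describes, as an added example that is not part of the original thread and not the Wazuh project's own rule set. On the manager, enabling `<logall>yes</logall>` (and `<logall_json>yes</logall_json>`) inside the `<global>` section of `ossec.conf` writes every received event to `archives.log` / `archives.json`, so you can grep those files for the raw event before writing any rule. If the raw event is there, a local rule like the one below raises an alert. It assumes the event arrives through the Windows `eventchannel` log format (so the parent rule 60000 and the decoded field `win.system.eventID` apply) and uses rule id 100100, a value chosen here from the custom-rule range; adjust the id and level to your own numbering.

```xml
<!-- local_rules.xml: example custom rule (added here, not from the thread).
     Assumes Windows Security channel events decoded by the eventchannel decoder,
     whose base rule is 60000. Rule id 100100 is an arbitrary custom-range value. -->
<group name="windows,windows_security,">
  <rule id="100100" level="12">
    <if_sid>60000</if_sid>
    <!-- Event ID 1100: "The event logging service has shut down" -->
    <field name="win.system.eventID">^1100$</field>
    <description>Windows: Event Log service was shut down (Event ID 1100) on $(win.system.computer)</description>
    <mitre>
      <id>T1562.002</id>
    </mitre>
  </rule>
</group>
```

Test it with `/var/ossec/bin/wazuh-logtest` by pasting one of the JSON lines from `archives.json`; the output should show rule 100100 firing. Note that this rule only helps once the event actually reaches the manager, which is the part the rest of the thread goes on to question.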

Alen Mustafic

Sep 10, 2025, 10:01:09 AM (10 days ago) Sep 10
to Wazuh | Mailing List
Hi Franco,

Thanks for the response. I enabled archives.log and archives.json, but Event ID 1100 is not present in the raw logs. It seems like the Wazuh agent is not able to forward this event because of the Event Log service being down.

Franco Giovanolli

Sep 16, 2025, 5:56:57 AM (4 days ago) Sep 16
to Wazuh | Mailing List
Hi Alen,

Sorry for the delay in my response.

I’ll reach out to the team in charge of the agent to check on this case. As soon as I have an answer, I’ll get back to you.


Regards,
Franco.