osquery tracking both results.log and snapshot


ranjit nepal

Sep 6, 2022, 3:45:30 AM9/6/22
to Wazuh mailing list
Hi,
I am running osqueryd on my Windows machine, and two output files are produced:
results.log and snapshot.log
However, it seems like I can only track one file through Wazuh osquery with the following attribute.
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
Is there a way to keep track of both snapshot.log and results.log? I tried giving both values in separate log_path elements, but only the second one was tracked.

--
Thanks and Regards,
Ranjit

Pedro Nicolás Gomez

Sep 6, 2022, 9:12:27 AM9/6/22
to Wazuh mailing list
Hi,
Thank you for using Wazuh.

Currently Wazuh's osquery module only accepts one log_path.
But I'm thinking that you could try to monitor the other file using logcollector, configuring it through a localfile block:

<localfile>
    <location>C:\the\another\log\file</location>
    <log_format>syslog</log_format>
</localfile>

You may need to change the log_format depending on the output file.

Here I share a link with information about localfile configuration:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html

I hope it helps.
Best regards, Pedro Nicolas.
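For the two-file setup discussed in this thread, the following is an added example of a Wazuh agent ossec.conf fragment (not from the original posts or from Wazuh's documentation) that combines both approaches on a Windows agent. It assumes osquery's default Windows install directory, and that osqueryd.snapshot.log is written as one JSON object per line, so the json log_format (rather than syslog) lets the decoder expose its fields to rules:

```xml
<!-- Added example configuration; the paths below assume osquery's default Windows install. -->
<ossec_config>
  <!-- The osquery module accepts a single log_path, so point it at results.log. -->
  <wodle name="osquery">
    <disabled>no</disabled>
    <!-- osqueryd is already running on its own, so the agent does not start it -->
    <run_daemon>no</run_daemon>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Collect snapshot.log separately through logcollector. Each line is a JSON
       document, so use the json format so the fields (name, hostIdentifier,
       snapshot[]) are decoded instead of being treated as a flat syslog message. -->
  <localfile>
    <location>C:\Program Files\osquery\log\osqueryd.snapshot.log</location>
    <log_format>json</log_format>
    <!-- Tag these events so rules can distinguish snapshot results from differential ones -->
    <label key="source">osquery-snapshot</label>
  </localfile>
</ossec_config>
```

If osqueryd is configured with a non-JSON logger plugin or a different log directory, adjust log_format and the paths accordingly.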
