Hi Milan, (is that your name?)
First, new incoming logs can arrive at /var/ossec/logs/archives/archives.json and/or at /var/ossec/logs/archives/archives.log, depending on whether or not you have enabled the logall_json and logall options, respectively, in your manager's ossec.conf file. The files under "2023" or any other year/month are old logs (already rotated), which can be from the day before or from some months ago.
Second, supposing that the log is the following:
If such a log is tested with our wazuh-logtest tool, the following is obtained:
    # /var/ossec/bin/wazuh-logtest
    Starting wazuh-logtest v4.3.10
    Type one log per line

    Feb 6 17:27:08 centos-1-test httpd: 10.0.49.42 - - [06/Feb/2023:17:27:08 -0500] \"GET /milan.php HTTP/1.1\" 404 207

    **Phase 1: Completed pre-decoding.
        full event: 'Feb 6 17:27:08 centos-1-test httpd: 10.0.49.42 - - [06/Feb/2023:17:27:08 -0500] \"GET /milan.php HTTP/1.1\" 404 207'
        timestamp: 'Feb 6 17:27:08'
        hostname: 'centos-1-test'
        program_name: 'httpd'

    **Phase 2: Completed decoding.
        name: 'apache-errorlog'

    **Phase 3: Completed filtering (rules).
        id: '30100'
        level: '0'
        description: 'Apache: Messages grouped.'
        groups: '['apache', 'web']'
        firedtimes: '1'
        mail: 'False'

Here we can see that a rule is being matched (30100), but it assigns an alert level equal to 0 to the event. By default, only events that have an alert level equal to or higher than 3 are displayed on the dashboard. You should consider whether you really want to see such events on the dashboard or not. In case you do want to see them, you should either modify (overwrite) rule 30100 or create a new custom rule that inherits from it and raise its alert level.
To have a better understanding of these topics, I strongly recommend that you read the following links:
I hope that my answer helps you! Let us know if you still need further guidance,
Best regards,
Mariano Koremblum
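As an added illustration of the second option mentioned in the answer above (a child rule that inherits from 30100 and raises its level), here is a custom rule fragment that is not part of the original post or of the Wazuh ruleset. It assumes the rule is placed in the manager's local rules file, /var/ossec/etc/rules/local_rules.xml, and the rule id 100100 is a constructed value chosen from the custom-rule id range; the description text is likewise made up here.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not from the original post) -->
<group name="apache,web,">

  <!-- Child rule: fires whenever built-in rule 30100 ("Apache: Messages grouped.",
       level 0) matches, but with level 3 so the event reaches the dashboard.
       The id 100100 is a constructed value; custom rules use ids >= 100000. -->
  <rule id="100100" level="3">
    <if_sid>30100</if_sid>
    <description>Apache: grouped message raised to level 3 for dashboard visibility (custom rule)</description>
    <group>custom_apache,</group>
  </rule>

</group>
```

After saving the file, restart the manager (systemctl restart wazuh-manager) and paste the same log line into /var/ossec/bin/wazuh-logtest again: Phase 3 should now report id '100100' and level '3' instead of '30100' / '0'. Raising the level of every grouped Apache message will increase alert volume noticeably on a busy web server, so consider adding further conditions to the child rule before enabling it permanently.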