Hello Alejandro,
To troubleshoot the issue, I would need your help by providing me with some information about the steps and configurations that you have made.
Can you please share the custom rule created from local_rules.xml?
I would need you to ensure that you have the name of the event channel in the location field and eventlog as the log format within the localfile block in the ossec.conf file of your agent.
Example:
<localfile>
<location>name_of_the_event_channel</location>
<log_format>eventlog</log_format>
</localfile>
Reference: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/configuration.html#configuring-log-collection-for-different-operating-systems
Also, could you please check if you can see the logs from Windows Event Viewer?
If the logs are visible, enable archives.json by setting <logall_json>yes</logall_json>, and share the logs related to that application by executing the following command:
cat /var/ossec/logs/archives/archives.json | grep keyword
Note: Make sure to disable archives.json after the analysis, as it consumes significant storage resources on the Wazuh server over time.
Please share the findings here, so that we can further analyze what is causing the issue.
Let me know!
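As an added example (not code from the original post or from the Wazuh project), a small Python check that parses the localfile blocks of an agent's ossec.conf and flags any block that lacks the event channel name in location or does not use a Windows event log format; the sample configuration is constructed, and the set of accepted formats is an assumption taken from the Wazuh documentation.

```python
import xml.etree.ElementTree as ET

# Windows event log formats accepted in <log_format>. Assumption drawn from the
# Wazuh documentation; the post above only mentions "eventlog".
WINDOWS_LOG_FORMATS = {"eventlog", "eventchannel"}


def check_localfile_blocks(conf_text):
    """Return (location, log_format, finding) for every <localfile> block.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not well-formed XML on its own, so the text is wrapped in a synthetic root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        log_format = (lf.findtext("log_format") or "").strip()
        if not location:
            finding = "missing <location>: put the event channel name here"
        elif not log_format:
            finding = "missing <log_format>"
        elif log_format not in WINDOWS_LOG_FORMATS:
            finding = f"log_format '{log_format}' is not a Windows event log format"
        else:
            finding = "ok"
        findings.append((location, log_format, finding))
    return findings


# Constructed sample: one correct block, one that omits <location>, and one
# that pairs an event channel with a non-Windows log format.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for loc, fmt, msg in check_localfile_blocks(SAMPLE_CONF):
        print(f"{loc or '<none>':<14} {fmt or '<none>':<12} {msg}")
```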