Log_all not logging all


felixm

Sep 11, 2025, 2:49:06 PM (9 days ago) Sep 11
to Wazuh | Mailing List
Hi all,

I have a Wazuh cluster with 3 sites. There are 6 servers, each having the indexer and server roles installed.

For the server role the servers are paired, 2 at each site. For the indexer role all 6 are clustered. There is a HAProxy server at each site that is load balancing syslog traffic between each of the servers.

I have log_all turned on, and one pair in one site fails to capture any syslogs. I have used tcpdump to confirm that traffic is hitting not only the proxy server but also being received by each of the Wazuh servers.

I have tried restarting the Wazuh service and that does nothing. Yesterday I restarted the servers and it captured some logs, but only for a short time.
2025-09-11_12-52-06.png

What can I do to further troubleshoot?

Thank you

Jose Camargo

Sep 11, 2025, 7:38:17 PM (9 days ago) Sep 11
to Wazuh | Mailing List
Hi,

The logall option does not enable Wazuh to receive syslog events, nor show them in the dashboard. For this, you have to configure the <remote> option as seen here: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Where:

  • <connection> specifies the type of connection to accept. This value can either be secure or syslog.
  • <port> is the port used to listen for incoming syslog messages from endpoints. We use port 514 in the example above.
  • <protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.
  • <allowed-ips> is the IP address or network range of the endpoints forwarding events to the Wazuh server. In the example above, we use 192.168.2.15/24.
  • <local_ip> is the IP address of the Wazuh server listening for incoming log messages. In the example above, we use 192.168.2.10.

With this, you should be able to capture the events you are sending via syslog.

To confirm Wazuh is reading them, you can enable the <logall_json>yes</logall_json> option in the /var/ossec/etc/ossec.conf file. Then, check if you get the logs in /var/ossec/logs/archives/archives.json.
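As an added illustration of the two checks in this reply (not code from Wazuh or from anyone in the thread), the script below validates the <remote> syslog listener block in an ossec.conf, tests whether a given sender address falls inside <allowed-ips>, and tallies the events written to archives.json by sender. The ossec.conf fragment and the archives.json lines are constructed samples mirroring the configuration above; the assumption that archives.json records the syslog sender's IP in the "location" field is noted in the code.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ossec.conf fragment using the <remote> block from the reply above.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.2.15/24</allowed-ips>
    <local_ip>192.168.2.10</local_ip>
  </remote>
</ossec_config>
"""

# Constructed archives.json lines (one JSON object per line). The "location"
# field holding the sender IP is an assumption about the archive format.
SAMPLE_ARCHIVES = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2025-09-15T11:20:49.000+0000", "location": "192.168.2.15",
     "full_log": "<34>Sep 15 11:20:49 host1 sshd[100]: constructed event"},
    {"timestamp": "2025-09-15T11:20:50.000+0000", "location": "192.168.2.20",
     "full_log": "<34>Sep 15 11:20:50 host2 cron[200]: constructed event"},
    {"timestamp": "2025-09-15T11:20:51.000+0000", "location": "192.168.2.15",
     "full_log": "<34>Sep 15 11:20:51 host1 sshd[100]: constructed event"},
])


def _parse_conf(conf_xml):
    # A real ossec.conf may contain several top-level <ossec_config> blocks,
    # which is not a single well-formed XML document; wrap it before parsing.
    return ET.fromstring("<root>" + conf_xml + "</root>")


def syslog_remotes(conf_xml):
    """Return the <remote> elements that declare a syslog listener."""
    root = _parse_conf(conf_xml)
    return [r for r in root.iter("remote") if (r.findtext("connection") or "").strip() == "syslog"]


def check_syslog_remote(conf_xml):
    """Return a list of problems with the syslog listener config; an empty list means it looks usable."""
    problems = []
    remotes = syslog_remotes(conf_xml)
    if not remotes:
        return ["no <remote> block with <connection>syslog</connection>"]
    for r in remotes:
        port = (r.findtext("port") or "514").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"invalid port {port!r}")
        proto = (r.findtext("protocol") or "udp").strip().lower()
        if proto not in ("tcp", "udp"):
            problems.append(f"protocol must be tcp or udp, got {proto!r}")
        allowed = r.findall("allowed-ips")
        if not allowed:
            problems.append("<allowed-ips> missing: the listener will accept nothing")
        for a in allowed:
            try:
                ipaddress.ip_network((a.text or "").strip(), strict=False)
            except ValueError:
                problems.append(f"bad allowed-ips entry {a.text!r}")
    root = _parse_conf(conf_xml)
    if (root.findtext(".//global/logall_json") or "").strip() != "yes":
        problems.append("<logall_json> is not 'yes': archives.json will not be written")
    return problems


def source_allowed(conf_xml, src_ip):
    """True if src_ip is inside some <allowed-ips> network of a syslog <remote> block."""
    src = ipaddress.ip_address(src_ip)
    for r in syslog_remotes(conf_xml):
        for a in r.findall("allowed-ips"):
            net = ipaddress.ip_network((a.text or "").strip(), strict=False)
            if src in net:
                return True
    return False


def tally_syslog_sources(archives_text):
    """Count archives.json events per sender ("location"), skipping blank or non-JSON lines."""
    counts = Counter()
    for line in archives_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        counts[event.get("location", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("config problems:", check_syslog_remote(SAMPLE_OSSEC_CONF))
    print("192.168.2.77 allowed:", source_allowed(SAMPLE_OSSEC_CONF, "192.168.2.77"))
    print("events per sender:", tally_syslog_sources(SAMPLE_ARCHIVES))
```

Run it against the real files by reading /var/ossec/etc/ossec.conf and /var/ossec/logs/archives/archives.json into the two functions: an empty problem list plus a non-zero count for the expected sender confirms the listener is configured and events are reaching the archive, while a sender that is outside <allowed-ips> explains silently dropped traffic even when tcpdump shows it arriving.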

felixm

Sep 12, 2025, 12:16:37 PM (8 days ago) Sep 12
to Wazuh | Mailing List
I guess I should have been more explicit. I have configured the log_all settings and enabled the remote for syslog. The logs are captured for some time but then they stop.

felixm

Sep 15, 2025, 4:59:09 PM (5 days ago) Sep 15
to Wazuh | Mailing List

Here is my ossec.conf file:
2025-09-15_11-20-49.png

The log files are being generated; I even turned logging off, rolled the files over, and then turned it back on.
2025-09-15_11-23-15.png

Running tcpdump on the Wazuh servers shows that syslog is being received:
2025-09-15_11-29-25.png

Filebeat is configured also:

2025-09-15_11-43-42.png

But unlike the other sites in the cluster, nothing is logged.

Working example:
2025-09-15_11-33-27.png

Not working:
2025-09-15_11-35-26.png

According to the Filebeat log, I do not see any issues:

2025-09-15_11-48-45.png
