Can't find syslogs after update to 4.8.1

[David Brindley]

I am using Kiwi syslog to forward logs into wazuh. Before the update to 4.8 I was able to see the syslogs under the events page of the agent, but after the update they are not longer showing up.

Thanks,

David Brindley

[Ariel Ojeda]

Hi David,

I hope this message finds you well!

Could you please let me know if you are sending the logs directly to the Wazuh Manager or using a Syslog Server with a Wazuh Agent installed to push the logs to the Manager?

Could you also please let me know if you see any errors in the logs of the Manager/Agent?

grep -iE "error|warn|crit" /var/ossec/logs/ossec.log

Could you please let me know how are you visualizing the events in the Dashboard? As the options have changed in the latest version.

I'll be waiting for more information.

[David Brindley]

Hi Ariel,

We are using Kiwi Syslog V9 on a Windows server with a Wazuh agent installed. I'm not seeing any errors and logs were being ingested to Wazuh before the update. I did not see any errors related to the wazuh agent Kiwi is installed on. Before the update I would open the agent in the Wazuh dashboard, and then go to the events tab. There I saw the syslogs along with the Windows event logs. After the updated, I still go to the agent in the dashboard and expand the FIM: Recent events window. I still see the Windows event logs but not the syslogs. 

Thanks,

David Brindley

[Ariel Ojeda]

Hi David,

Sorry for the delay with this!

Please note that the menus have changed in version 4.8.0 and what was previously found in the Security Events dashboard (Every alert generated by Wazuh) can now be found in the Threat Hunding Dashboard under the Threat Intelligence section of the Menu.

The FIM (File Integrity Monitoring) menu only shows events from the Syscheck module, as it applies a filter to the visualization. You should not find Syslog events in the FIM dashboard. Have you created any decoders/rules for the logs ingested from Kiwi? You can add a filter to only show said events by using the "Search" box, using the following syntax rule.id: rulenumber.

Could you please open the Windows Agent log and search for errors or warnings there? The grep command I shared before is for Linux agents. For Windows, the logs can be found in the C:\Program Files (x86)\ossec-agent\ossec.log file, you can also access it using the Windows Management tool which you can access by running the executable win32ui.exe located in the same folder. From there in the View-View logs option you can access the agent logs. Once open with either option, you can search in the file for messages indicating any type of errors.

I hope this helps!