Is it possible to add old system logs to the wazuh agent?


Prince

Nov 5, 2025, 8:57:45 AM
to Wazuh | Mailing List

I wanted to share an update on the troubleshooting I’ve been doing regarding the Wazuh agent log replay for /var/log/old_replay.log.

Objective:
To replay older log data through Wazuh for analysis and alert generation.

Actions Taken:

  1. Added log file to Wazuh configuration

    • Updated /var/ossec/etc/ossec.conf to include:

      <localfile>
        <location>/var/log/old_replay.log</location>
        <log_format>syslog</log_format>
      </localfile>

  2. sudo tail -f /var/ossec/logs/ossec.log

    • 2025/11/05 12:49:50 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/old_replay.log'.

    • The agent is now analyzing /var/log/old_replay.log.

    • No critical startup errors remain.

    • Waiting to confirm that events from the replayed file appear in the Wazuh dashboard (still monitoring).

Olamilekan Abdullateef Ajani

Nov 5, 2025, 10:08:22 AM
to Wazuh | Mailing List
Hello Prince,

I see what you did: by adding the old log file to the localfile configuration, the agent can read the logs. Yes, the agent would start listening for logs to be written to the file old_replay.log, which explains the logcollector line seen: "2025/11/05 12:49:50 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/old_replay.log'."
But that is as far as it goes, because the agent would only collect newly written logs, not the old logs that had been sitting in the file before you added that configuration to the localfile.

If you need those old logs ingested by the agent, you may need to create a fresh file, add it through the localfile, then write a script to parse the logs line by line to the newly created file from the old_replay.log so the agent can start ingesting the logs.

I hope you understand this. That is the only way you are able to get the agents to read from the old logs.

You can tail the logs from archives.json on the Wazuh manager to see if the logs are being ingested. First, follow the documentation here to enable archives; once that has been set, catch the logs from the file on the Wazuh manager with:
tail -f /var/ossec/logs/archives/archives.json | grep old_replay.log

Please let me know if you require further clarification.

Prince

Nov 7, 2025, 1:48:27 AM
to Wazuh | Mailing List

Thanks for your helpful explanation on Nov 5 — that clarified why the agent only picks up new writes. Could you please provide a step-by-step procedure (and a ready-to-run script or simple copy/paste commands) that will let me replay the old file so the Wazuh agent ingests those historical lines?

If you can paste a small example script and one-liner commands I can run directly (with sudo), that would be perfect. Also please include what to watch for in the logs if something goes wrong (e.g., queue flood messages).

Thanks again — I appreciate your help.

Best,
Prince

Olamilekan Abdullateef Ajani

Nov 7, 2025, 7:31:49 AM
to Wazuh | Mailing List
Hello Prince,

Not very skilled at scripting, but you can do something like the block below using Bash:

#!/bin/bash
old_file="/path/to/old.log"
new_file="/path/to/new.log"

# Read the old file line by line (-r keeps backslashes literal); the
# `|| [ -n "$line" ]` also copies a final line that lacks a trailing newline.
while IFS= read -r line || [ -n "$line" ]; do
    # printf rather than echo, so a line starting with "-n" or "-e" is not
    # mistaken for an echo option.
    printf '%s\n' "$line" >> "$new_file"
done < "$old_file"


The above reads line by line from the old file and appends it to the new file as is.

Make the file executable before you run it; you can even time it to read the files at maybe every 30 seconds to avoid flooding. This would depend entirely on the size of the logs you are trying to ingest.

Please use the script above as a sample; you can modify it at will to suit your use case.

Regards,
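
A throttled version of that replay, as an added example that is not code from the thread or from the Wazuh project: it copies the old file into a fresh file that the agent already watches through its <localfile> entry, pauses after every batch of lines so the agent's queue is not flooded, and copies a last line that has no trailing newline. The paths, batch size and pause length are assumptions; the sample log lines are constructed.

```shell
#!/usr/bin/env bash
# Replay an old log into a fresh file watched by wazuh-logcollector.
# Added example; paths, batch size and pause are assumptions, not Wazuh defaults.
set -eu

# replay_log OLD NEW [BATCH] [PAUSE]
# Copies OLD into NEW line by line, sleeping PAUSE seconds after every BATCH
# lines so the agent's event queue is not flooded. Prints the lines copied.
replay_log() {
    old_file="$1"; new_file="$2"; batch="${3:-100}"; pause="${4:-1}"
    count=0
    # read -r keeps backslashes literal; `|| [ -n "$line" ]` also copies a
    # final line that lacks a trailing newline, which plain read would drop.
    while IFS= read -r line || [ -n "$line" ]; do
        # printf instead of echo: a line starting with "-n" or "-e" would
        # otherwise be swallowed as an echo option.
        printf '%s\n' "$line" >> "$new_file"
        count=$((count + 1))
        if [ $((count % batch)) -eq 0 ]; then
            sleep "$pause"
        fi
    done < "$old_file"
    printf '%s\n' "$count"
}

# Demo on a constructed sample log (not real data) in a temporary directory.
demo_replay() {
    tmp="$(mktemp -d)"
    old="$tmp/old_replay.log"
    new="$tmp/replay_new.log"      # in real use: the path named in <localfile>
    printf '%s\n' \
        'Nov  5 12:49:50 host sshd[100]: Accepted publickey for alice from 10.0.0.5' \
        'Nov  5 12:50:01 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls' \
        '-n line that starts like an echo option' > "$old"
    printf '%s' 'Nov  5 12:51:00 host kernel: last line, no newline' >> "$old"
    copied="$(replay_log "$old" "$new" 2 0)"
    if [ "$copied" -eq 4 ] && [ "$(wc -l < "$new")" -eq 4 ]; then
        echo "replay complete: $copied lines written to $new"
    else
        echo "replay incomplete: $copied lines copied" >&2
    fi
    rm -rf "$tmp"
}

demo_replay
```

After the replay, confirm ingestion on the manager with the archives.json tail shown earlier in the thread.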
