Cannot capture all Windows log problem

121 views
Skip to first unread message

Lanny

unread,
May 25, 2023, 10:10:25 PM5/25/23
to Wazuh mailing list
Hi, after installed Wazuh server and deployed its agent on the windows server 2019 endpoint, after checked the log on wazuh server dashboard, the no. of log on dashboard shown is fewer than the endpoint, especially the security log, I checked it only shows the login/logout message, or the following event id

4624, 4634, 4719 and 4656


We also updated the configuration of both endpoint and server

Endpoint (C:\Program Files (x86)\ossec-agent\ossec.conf)

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>


Server (/var/ossec/etc/ossec.conf)

<ossec_config>
   <global>
         ...
         <logall>yes</logall>
         <logall_json>yes</logall_json>
         ...
    </global>

    <alerts>
          <log_alerts_level>2</log_alert_level>
          ...
    </alerts>
</ossec_config>


After restarted both of service in endpoint and server and wait half of the day and login wazuh server UI again, it stills shown the above log type... Is there any missing configuration on both side? We expect the all windows log are logged to the wazuh server and can display on dashboard properly...


The installation of wazuh server are using AIO method of the following 

curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Please give me some suggestion, thank you!

Maxim Parpaley

unread,
May 25, 2023, 10:19:23 PM5/25/23
to Wazuh mailing list
Hi Lanny,

I think your problem that you want to see all log archives in kibana dasboard.
Sorry if it not help much for you.

Regards,

Lanny

unread,
May 25, 2023, 10:51:13 PM5/25/23
to Wazuh mailing list

Hi Maxim, after point 2, I don't understand why they do these, would you mind to explain more?

Maxim Parpaley 在 2023年5月26日 星期五上午10:19:23 [UTC+8] 的信中寫道:

Lanny

unread,
May 25, 2023, 11:51:13 PM5/25/23
to Wazuh mailing list
Hi Maxim, sorry again, I found the log file in wazuh server of the following path

/var/ossec/logs/archives/2023/May/ossec-archive-26.log

In this file, I can find all log but also cannot display on the wazuh server...

Lanny 在 2023年5月26日 星期五上午10:51:13 [UTC+8] 的信中寫道:

Lanny

unread,
May 26, 2023, 4:02:17 AM5/26/23
to Wazuh mailing list
Hi, I found the alternative way to do it by forum


thank you!

Lanny 在 2023年5月26日 星期五上午11:51:13 [UTC+8] 的信中寫道:

Maxim Parpaley

unread,
May 26, 2023, 5:17:32 AM5/26/23
to Wazuh mailing list
Hi Lanny,

In point 2, all log archives from agent will save in elasticserach though filbeat.
You must enable log archive in filebeat, add new index from dashboard and you can see archives log from dashboard.

Regards,
Reply all
Reply to author
Forward
0 new messages