Monitoring Exchange OWA Logfiles


Dirk Westenhaus

Mar 24, 2023, 8:41:46 AM
to Wazuh mailing list
Hello everybody,

I need to be monitoring Exchange/IIS logs in (please note the double wildcards):
  1. D:\Exchange\Logging\HttpProxy\*\*.LOG and
  2. D:\Exchange\Logging\Mailbox\*\*.LOG.
I have seen the issue https://github.com/wazuh/wazuh/issues/12351, and indeed, when I configure the localfile with the two wildcards, it yields an error in the agent log:

Configuration:

<localfile>
  <location>D:\Exchange\Logging\HttpProxy\*\*.LOG</location>
  <log_format>iis</log_format>
</localfile>

Error:
2023/03/24 13:16:20 wazuh-agent: INFO: (1141): Glob error. Invalid pattern: 'D:\Exchange\Logging\HttpProxy\*\*.log' or no files found.

So I was trying to be clever and work around the open issue 12351 by specifying the subdirectories individually, like D:\Exchange\Logging\HttpProxy\AutoDiscover\*.LOG.

But even the first of these many subdirectories is not being read, because there are too many of them.

Error:
2023/03/24 13:16:20 wazuh-agent: WARNING: (1960): File limit has been reached (200).

Anyway: how does Wazuh handle log rotation? The logs are being rotated every 10 MB; can Wazuh handle that?

Thank you for all hints.

Kind regards, Dirk.


in Elasticsearch/Filebeat it is

Leonardo Quiceno

Mar 27, 2023, 4:59:05 PM
to Wazuh mailing list
Hi Dirk,

I hope this email finds you well; the answers to your questions are below:

  • Regarding the workaround that you have tested: it is correct; however, you must take into account that there is a limit on the number of files that can be monitored (logcollector.max_files), and in the case of Windows this limit is 200 (also limited by the configured logcollector.rlimit_nofile). In this section of the documentation, you have the possible options to configure this maximum file limit in the internal_options.conf (at least for Linux):
    https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#logcollector
  • The good news about issue #12351 is that we are currently working on it, as you can see in PR #15973, and it will be available for version 4.5 of Wazuh.
  • Finally, regarding log rotation, you can configure it according to the options found in the internal_options.conf in the monitord section (monitord.size_rotate).
    The 4 functionalities that Wazuh has to perform log rotation are (/var/ossec/etc/local_internal_options.conf):
      - monitord.rotate_log: This setting enables log rotation; it is enabled by default.
      - monitord.size_rotate: With this setting you can set the maximum file size to trigger rotation; it is set to 512 MB by default.
      - monitord.daily_rotations: With this setting, you can configure the maximum number of rotations per day; it is set to 12 by default.
      - monitord.keep_log_days: With this setting, you can configure the number of days to store rotated logs before deleting them; the default is 31 days.

    You can find more information in this link:

I hope this information is helpful; if you require more information or additional help, contact us :)

Regards, Leo
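A small helper for the two points raised above: the workaround Dirk tried (one <localfile> per subdirectory with a single trailing wildcard) and the 200-file ceiling Leo quotes for logcollector.max_files on Windows. This is an added example, not code from the thread or from Wazuh. It does not touch the real file system: the directory listing is constructed to mirror the D:\Exchange\Logging\HttpProxy layout, and the subdirectory names other than AutoDiscover are assumptions. It groups the listing by directory, renders the per-directory blocks, and reports whether the total would exceed the limit that produces warning 1960.

```python
r"""Per-subdirectory <localfile> generation plus a file-budget check for the
Wazuh agent.  Added example for this thread; it is not code from the thread
or from Wazuh.  Paths are constructed to mirror the D:\Exchange\Logging
layout Dirk describes, and the 200-file ceiling is the Windows default for
logcollector.max_files that Leo quotes."""
from collections import defaultdict
import ntpath  # handles backslash paths even when run on Linux/macOS

WINDOWS_MAX_FILES = 200  # logcollector.max_files default on Windows (from the thread)


def build_sample_listing(subdirs, files_per_dir, root=r"D:\Exchange\Logging\HttpProxy"):
    """Constructed stand-in for a directory walk: `files_per_dir` rotated .LOG files
    per subdirectory, plus one non-.LOG file per directory that must be ignored."""
    listing = []
    for sub in subdirs:
        for i in range(1, files_per_dir + 1):
            listing.append(rf"{root}\{sub}\HttpProxy_{i:05d}.LOG")
        listing.append(rf"{root}\{sub}\Readme.txt")
    return listing


def group_by_directory(paths):
    """Map each parent directory to its .LOG files (suffix match is
    case-insensitive, since Exchange writes an upper-case .LOG extension)."""
    groups = defaultdict(list)
    for path in paths:
        if path.upper().endswith(".LOG"):
            groups[ntpath.dirname(path)].append(path)
    return dict(groups)


def render_localfile_blocks(groups, log_format="iis"):
    """One <localfile> per directory with a single trailing wildcard, i.e. the
    workaround of spelling out each subdirectory instead of using \\*\\*.LOG."""
    blocks = []
    for directory in sorted(groups):
        blocks.append(
            "<localfile>\n"
            f"  <location>{directory}\\*.LOG</location>\n"
            f"  <log_format>{log_format}</log_format>\n"
            "</localfile>"
        )
    return "\n".join(blocks)


def check_file_budget(groups, max_files=WINDOWS_MAX_FILES):
    """Return (total_files, over_limit).  Exceeding max_files is what produces
    warning 1960 'File limit has been reached (200)' in the agent log."""
    total = sum(len(files) for files in groups.values())
    return total, total > max_files


if __name__ == "__main__":
    # Subdirectory names are constructed; only AutoDiscover is named in the thread.
    subdirs = ["AutoDiscover", "Ecp", "Ews", "Mapi", "Owa", "RpcHttp"]
    groups = group_by_directory(build_sample_listing(subdirs, files_per_dir=40))
    print(render_localfile_blocks(groups))
    total, over = check_file_budget(groups)
    print(f"{total} .LOG files across {len(groups)} directories; "
          f"exceeds logcollector.max_files={WINDOWS_MAX_FILES}: {over}")
```

On a real server you would replace build_sample_listing with a walk of the HttpProxy and Mailbox trees; the budget check then tells you up front whether the per-subdirectory workaround fits under the agent's file limit or whether the limit itself has to be raised, rather than finding out from the warning after deployment.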

Dirk Westenhaus

Mar 28, 2023, 4:05:38 AM
to Wazuh mailing list
Hello Leo,

thank you for your great mail and kind words. I am doing well, and I hope you are too. You gave me good information to work with.

With kind regards, Dirk.