Using log from local file


Secure moi

Sep 30, 2023, 8:04:38 AM
to Wazuh | Mailing List
I'd like to be able to generate some sort of log file on my Wazuh Windows clients, and put a custom rule and decoder on my server to trigger email alerts. If I can get this to work, I will use it as a general, repeatable approach. I've taken a swing at this and so far no joy; I am not getting log data in archives.log, let alone alerts.log or alerts.json.

One note, on #4 below, my understanding is I need to put my log output into a syslog format, and #4 shows my attempt at this.

Suggestions appreciated:)

I hope the following are the relevant configurations I'm trying:
1) Local File on Windows Client's ossec.conf 
<localfile>
  <log_format>syslog</log_format>
  <location>C:\\Path\\To\\Logs\\log.log</location>
</localfile>

2) Custom Rule
<group name="local,syslog,">
  <rule id="100100" level="12">
    <decoded_as>syslog</decoded_as>
    <match>CustomAlert</match>
    <description>Log file contains the words 'CustomAlert'</description>
  </rule>
</group>

3) Custom Decoder
<decoder name="syslog">
  <prematch>^(\w+ \d+ \d+:\d+:\d+) (\S+) </prematch>
</decoder>

4) Log.log 
<165>1 2023-09-28T10:12:52.000Z PCName   CustomAlert

My assumption is that there is no reason yet to do a wazuh-logtest, as I am not finding any desired entries in archives.log.

Again, help appreciated.  Thx
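
An added offline check, not part of the original post or of Wazuh itself: it reproduces with Python's `re` the two conditions the posted decoder and rule express (the `<prematch>` and the `<match>` substring) and runs them over the posted log.log line and over the same event rewritten as a BSD-style syslog line. The posted line begins with an RFC 5424 PRI and version field (`<165>1 2023-...`), which the prematch `^(\w+ \d+ \d+:\d+:\d+) (\S+) ` cannot accept, because that pattern expects `Mon DD HH:MM:SS hostname ` at the start of the line. Python's `re` only approximates Wazuh's OS_Regex (for the classes used here, `\w`, `\d` and `\S`, both engines agree on these inputs; Wazuh's `\w` additionally matches `@`, `-` and `_`); the authoritative check is `wazuh-logtest` on the manager once a line actually shows up in archives.log. The hostname, timestamp and keyword are the poster's; the function names and the constructed sample are mine.

```python
"""Offline sanity check of the posted decoder prematch and rule match.

Constructed example. Approximates Wazuh's OS_Regex with Python's re; the
classes used (\\w, \\d, \\S) behave the same in both engines for these lines.
"""
import re
from datetime import datetime

# Copied from the posted <decoder> and <rule>.
PREMATCH = re.compile(r"^(\w+ \d+ \d+:\d+:\d+) (\S+) ")
RULE_MATCH = "CustomAlert"  # <match> is a plain substring test

# The line the poster wrote to log.log (RFC 5424 style: PRI, VERSION, ISO time).
POSTED_LINE = "<165>1 2023-09-28T10:12:52.000Z PCName   CustomAlert"


def rfc3164_line(host: str, msg: str, when: datetime) -> str:
    """Build a BSD-syslog style line: 'Mon DD HH:MM:SS host msg'.

    The day is emitted unpadded on purpose: the posted prematch has exactly
    one space between the month and the day, so a space-padded 'Sep  8'
    would not match it.
    """
    return f"{when:%b} {when.day} {when:%H:%M:%S} {host} {msg}"


def decoder_prematch(line: str):
    """Return (timestamp, hostname) if the prematch accepts the line, else None."""
    m = PREMATCH.match(line)
    return (m.group(1), m.group(2)) if m else None


def rule_fires(line: str) -> bool:
    """Rule 100100 needs both: the decoder matched and 'CustomAlert' is present."""
    return decoder_prematch(line) is not None and RULE_MATCH in line


def fixed_line() -> str:
    """The poster's event rewritten in the format the posted prematch expects."""
    return rfc3164_line("PCName", "CustomAlert", datetime(2023, 9, 28, 10, 12, 52))


def check(line: str) -> dict:
    """Summarise what the posted decoder and rule would do with one line."""
    return {"line": line, "decoded": decoder_prematch(line), "alert": rule_fires(line)}


if __name__ == "__main__":
    for sample in (POSTED_LINE, fixed_line()):
        print(check(sample))
```

Running it shows the posted line is rejected at the prematch stage (so the rule can never fire on it), while `Sep 28 10:12:52 PCName CustomAlert` passes both the prematch and the `CustomAlert` match. Whichever format is chosen, the file must still be reaching the manager first; archives.log is where to confirm that before worrying about decoding.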

Abdullah Al Rafi Fahim

Oct 2, 2023, 12:42:35 AM
to Wazuh | Mailing List
Hello,

Thank you for using Wazuh!

As far as I can understand your situation, the initial issue you are facing is related to the step of forwarding the logs from your Windows endpoint's specific log file to the Wazuh manager using a localfile configuration in the agent's ossec.conf file.

If you want to monitor a log file in your Windows agent, you need to configure a localfile section as below. For example: if your log file is located at C:\Users\wazuh\example.log, you need to add a localfile configuration as:

<localfile>
    <location>C:\Users\wazuh\example.log</location>
    <log_format>syslog</log_format>
</localfile>

In your shared example, I can see you may have used \\ instead of \ in the location section. Therefore, can you please check and configure the localfile section properly and restart the agent to make these changes effective? Once this is done, you can ingest some new logs into the monitored file and check the archives to confirm whether they are being forwarded to the manager or not.

References: 

Please let us know how it goes. Once the logs are forwarded properly, we will discuss the next steps further, like creating custom rules and decoders, triggering alerts, etc.
 

Secure moi

Oct 2, 2023, 2:04:51 PM
to Wazuh | Mailing List
Hi Abdullah, thx so much for the response (nice to meet you). I had tried that path syntax first, read somewhere to use an XML style (with the slashes as escape characters) and was trying that in an effort to troubleshoot this. So I put the localfile code back so it now reads as

<localfile>
  <log_format>syslog</log_format>
  <location>C:\Path\To\Logs\log.log</location>
</localfile>

Per the rule I have below, I can't find the text "CustomAlert" in archives.log (nor alerts.log). Should I post the ossec.log from the client? I don't see any errors in it but may be missing something. I can see other entries in archives.log from the Windows client, so I think it's communicating with my Wazuh server.

Thx for the help, great to have when stuck:)