Can't read log from the file


Darius Valečka

Feb 27, 2023, 9:33:26 AM
to wa...@googlegroups.com
Hello, 
Can't read log from the file

Logs are written to the file /var/ossec/logs/test.log.
I edited the configuration file /var/ossec/etc/ossec.conf to enable reading the file:
<localfile>
 <location>/var/ossec/logs/test.log</location>
  <log_format>json<log_format>
<logfile>

Restarted with systemctl restart wazuh-manager.

The logs are written to the file /var/ossec/logs/test.log with the command #echo {log example} >test.log

Log example:
{ "message": "data Logs", "context": { "request_method": "GET", "request_uri": "/data/newu/userid15/serdst", "request_heaUSrs": { "X-ForwarUSd-Port": [ "443" ], "Cdn-Loop": [ "mycloud" ], "Cf-Ipcountry": [ "US" ], "Cf-Connecting-Ip": [ "192.168.1.147" ], "Cookie": [ "sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1" ], "Accept-Language": [ "en-US,en;q=0.9" ], "Referer": [ "https://mytttest.com/newu/userid15" ], "Sec-Fetch-USst": [ "empty" ], "Sec-Fetch-MoUS": [ "cors" ], "Sec-Fetch-Site": [ "same-origin" ], "Sec-Ch-Ua-Platform": [ "\"Windows\"" ], "Ajax": [ "true" ], "User-Agent": [ "Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36" ], "Sec-Ch-Ua-Mobile": [ "?0" ], "Accept": [ "application/json, text/plain, */*" ], "Sec-Ch-Ua": [ "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"" ], "Cf-Visitor": [ "{\"scheme\":\"https\"}" ], "X-ForwarUSd-Proto": [ "https" ], "Cf-Ray": [ "aaaaaaaaaaaaaaa-AAA" ], "X-ForwarUSd-For": [ "192.168.1.147" ], "Accept-Encoding": [ "gzip" ], "Host": [ "mytttest.com" ], "Content-Length": [ "" ], "Content-Type": [ "" ] }, "response_coUS": 200, "response_time": 1.0, "textnumber": 1452, "response_body": "[{\"id\":123456788,\"user_id\":userid15", "link_set_1": "data", "link_set_2": "newu", "link_set_3": "userid15", "link_set_4": "serdst" }, "extra": [], "level": 200, "level_name": "INFO", "servername": "myttdtn-server-adrt-bgrt-dws-sdfg1-1" }

It doesn't show on the web.

Tried a log test on the command line with #/var/ossec/bin/wazuh-logtest; it is OK and shows the decoded fields:
**Phase 2: Completed decoding.
name: 'json'
context.link_set_1: 'data'
context.link_set_2: 'newu'
context.link_set_3: 'userid15'
context.link_set_4: 'serdst'
context.request_heaUSrs.Accept: '['application/json, text/plain, */*']'
context.request_heaUSrs.Accept-Encoding: '['gzip']'
context.request_heaUSrs.Accept-Language: '['en-US,en;q=0.9']'
context.request_heaUSrs.Ajax: '['true']'
context.request_heaUSrs.Cdn-Loop: '['mycloud']'
context.request_heaUSrs.Cf-Connecting-Ip: '['192.168.1.147']'
context.request_heaUSrs.Cf-Ipcountry: '['US']'
context.request_heaUSrs.Cf-Ray: '['aaaaaaaaaaaaaaa-AAA']'
context.request_heaUSrs.Cf-Visitor: '['{"scheme":"https"}']'
context.request_heaUSrs.Content-Length: '['']'
context.request_heaUSrs.Content-Type: '['']'
context.request_heaUSrs.Cookie: '['sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1']'
context.request_heaUSrs.Host: '['mytttest.com']'
context.request_heaUSrs.Referer: '['https://mytttest.com/newu/userid15']'
context.request_heaUSrs.Sec-Ch-Ua: '['"Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"']'
context.request_heaUSrs.Sec-Ch-Ua-Mobile: '['?0']'
context.request_heaUSrs.Sec-Ch-Ua-Platform: '['"Windows"']'
context.request_heaUSrs.Sec-Fetch-MoUSE: '['cors']'
context.request_heaUSrs.Sec-Fetch-Site: '['same-origin']'
context.request_heaUSrs.Sec-Fetch-USst: '['empty']'
context.request_heaUSrs.User-Agent: '['Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36']'
context.request_heaUSrs.X-ForwarUSd-For: '['192.168.1.147']'
context.request_heaUSrs.X-ForwarUSd-Port: '['443']'
context.request_heaUSrs.X-ForwarUSd-Proto: '['https']'
context.request_method: 'GET'
context.request_uri: '/data/newu/userid15/serdst'
context.response_body: '[{"id":123456788,"user_id":userid15'
context.response_coUS: '200'
context.response_time: '1'
context.textnumber: '1452'
extra: '[]'
level: '200'
level_name: 'INFO'
message: 'data Logs'
servername: 'myttdtn-server-adrt-bgrt-dws-sdfg1-1'


1. Why didn't the log from the file show on Wazuh discover?
I get only one log, rule.id 592,
full_log ossec: File size reduced (inode remained): '/var/ossec/logs/test.log',
but it didn't show the decoded information.

Santiago David Vendramini

Feb 27, 2023, 9:46:14 AM
to Wazuh mailing list
Hi ! I hope you are doing well! I am reviewing this, I will write you ASAP! Regards!

Santiago David Vendramini

Feb 28, 2023, 8:25:21 AM
to Wazuh mailing list
Hi! Sorry for the delay! I see some errors in your ossec.conf configuration. Could you try the following?

  <localfile>
    <location>/var/ossec/logs/test.log</location>
    <log_format>syslog</log_format>
  </localfile>


On the other hand, as far as I can see in wazuh-logtest the log is decoded correctly, but no rule is triggered. That's why no information is shown in wazuh discover.
To do that you need to create a custom rule that is triggered when this kind of log arrives. I recommend you read the following documentation:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html#custom-rules-and-decoders

To make sure that the localfile configuration is correct, you can edit ossec.conf in the <global> section with the following: <logall>yes</logall>. Then restart the manager and check the /var/ossec/logs/archives.log file. You should find a log like this:

2023 Feb 28 14:06:53 jellyfish->/var/ossec/logs/test.log { message: data Logs, context: { request_method: GET, request_uri: /data/newu/userid15/serdst, request_heaUSrs: { X-ForwarUSd-Port: [ 443 ], Cdn-Loop: [ mycloud ], Cf-Ipcountry: [ US ], Cf-Connecting-Ip: [ 192.168.1.147 ], Cookie: [ sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1 ], Accept-Language: [ en-US,en;q=0.9 ], Referer: [ https://mytttest.com/newu/userid15 ], Sec-Fetch-USst: [ empty ], Sec-Fetch-MoUS: [ cors ], Sec-Fetch-Site: [ same-origin ], Sec-Ch-Ua-Platform: [ "Windows" ], Ajax: [ true ], User-Agent: [ Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36 ], Sec-Ch-Ua-Mobile: [ ?0 ], Accept: [ application/json, text/plain, */* ], Sec-Ch-Ua: [ "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110" ], Cf-Visitor: [ {"scheme":"https"} ], X-ForwarUSd-Proto: [ https ], Cf-Ray: [ aaaaaaaaaaaaaaa-AAA ], X-ForwarUSd-For: [ 192.168.1.147 ], Accept-Encoding: [ gzip ], Host: [ mytttest.com ], Content-Length: [  ], Content-Type: [  ] }, response_coUS: 200, response_time: 1.0, textnumber: 1452, response_body: [{"id":123456788,"user_id":userid15, link_set_1: data, link_set_2: newu, link_set_3: userid15, link_set_4: serdst }, extra: [], level: 200, level_name: INFO, servername: myttdtn-server-adrt-bgrt-dws-sdfg1-1 }

I hope this solves your need. Let me know if you need anything else.
Regards!

Darius Valečka

Mar 1, 2023, 9:16:42 AM
to wa...@googlegroups.com
Added the new rule with #nano /var/ossec/etc/rules/local_rules.xml:

  <rule id="100002" level="9">
    <field name="context.request_method">GET</field>
    <field name="context.response_coUS">200</field>
    <field name="context.textnumber">1452</field>
    <description>TEST RULE NEW</description>
  </rule>

[root@wazuh-server logs]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.10
Type one log per line

{ "message": "data Logs", "context": { "request_method": "GET", "request_uri": "/data/newu/userid15/serdst", "request_heaUSrs": { "X-ForwarUSd-Port": [ "443" ], "Cdn-Loop": [ "mycloud" ], "Cf-Ipcountry": [ "US" ], "Cf-Connecting-Ip": [ "192.168.1.147" ], "Cookie": [ "sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1" ], "Accept-Language": [ "en-US,en;q=0.9" ], "Referer": [ "https://mytttest.com/newu/userid15" ], "Sec-Fetch-USst": [ "empty" ], "Sec-Fetch-MoUS": [ "cors" ], "Sec-Fetch-Site": [ "same-origin" ], "Sec-Ch-Ua-Platform": [ "\"Windows\"" ], "Ajax": [ "true" ], "User-Agent": [ "Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36" ], "Sec-Ch-Ua-Mobile": [ "?0" ], "Accept": [ "application/json, text/plain, */*" ], "Sec-Ch-Ua": [ "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"" ], "Cf-Visitor": [ "{\"scheme\":\"https\"}" ], "X-ForwarUSd-Proto": [ "https" ], "Cf-Ray": [ "aaaaaaaaaaaaaaa-AAA" ], "X-ForwarUSd-For": [ "192.168.1.147" ], "Accept-Encoding": [ "gzip" ], "Host": [ "mytttest.com" ], "Content-Length": [ "" ], "Content-Type": [ "" ] }, "response_coUS": 200, "response_time": 1.0, "textnumber": 1452, "response_body": "[{\"id\":123456788,\"user_id\":userid15", "link_set_1": "data", "link_set_2": "newu", "link_set_3": "userid15", "link_set_4": "serdst" }, "extra": [], "level": 200, "level_name": "INFO", "servername": "myttdtn-server-adrt-bgrt-dws-sdfg1-1" }

**Phase 1: Completed pre-decoding.
full event: '{ "message": "data Logs", "context": { "request_method": "GET", "request_uri": "/data/newu/userid15/serdst", "request_heaUSrs": { "X-ForwarUSd-Port": [ "443" ], "Cdn-Loop": [ "mycloud" ], "Cf-Ipcountry": [ "US" ], "Cf-Connecting-Ip": [ "192.168.1.147" ], "Cookie": [ "sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1" ], "Accept-Language": [ "en-US,en;q=0.9" ], "Referer": [ "https://mytttest.com/newu/userid15" ], "Sec-Fetch-USst": [ "empty" ], "Sec-Fetch-MoUS": [ "cors" ], "Sec-Fetch-Site": [ "same-origin" ], "Sec-Ch-Ua-Platform": [ "\"Windows\"" ], "Ajax": [ "true" ], "User-Agent": [ "Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36" ], "Sec-Ch-Ua-Mobile": [ "?0" ], "Accept": [ "application/json, text/plain, */*" ], "Sec-Ch-Ua": [ "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"" ], "Cf-Visitor": [ "{\"scheme\":\"https\"}" ], "X-ForwarUSd-Proto": [ "https" ], "Cf-Ray": [ "aaaaaaaaaaaaaaa-AAA" ], "X-ForwarUSd-For": [ "192.168.1.147" ], "Accept-Encoding": [ "gzip" ], "Host": [ "mytttest.com" ], "Content-Length": [ "" ], "Content-Type": [ "" ] }, "response_coUS": 200, "response_time": 1.0, "textnumber": 1452, "response_body": "[{\"id\":123456788,\"user_id\":userid15", "link_set_1": "data", "link_set_2": "newu", "link_set_3": "userid15", "link_set_4": "serdst" }, "extra": [], "level": 200, "level_name": "INFO", "servername": "myttdtn-server-adrt-bgrt-dws-sdfg1-1" }'

**Phase 2: Completed decoding.
name: 'json'
context.link_set_1: 'data'
context.link_set_2: 'newu'
context.link_set_3: 'userid15'
context.link_set_4: 'serdst'
context.request_heaUSrs.Accept: '['application/json, text/plain, */*']'
context.request_heaUSrs.Accept-Encoding: '['gzip']'
context.request_heaUSrs.Accept-Language: '['en-US,en;q=0.9']'
context.request_heaUSrs.Ajax: '['true']'
context.request_heaUSrs.Cdn-Loop: '['mycloud']'
context.request_heaUSrs.Cf-Connecting-Ip: '['192.168.1.147']'
context.request_heaUSrs.Cf-Ipcountry: '['US']'
context.request_heaUSrs.Cf-Ray: '['aaaaaaaaaaaaaaa-AAA']'
context.request_heaUSrs.Cf-Visitor: '['{"scheme":"https"}']'
context.request_heaUSrs.Content-Length: '['']'
context.request_heaUSrs.Content-Type: '['']'
context.request_heaUSrs.Cookie: '['sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1']'
context.request_heaUSrs.Host: '['mytttest.com']'
context.request_heaUSrs.Referer: '['https://mytttest.com/newu/userid15']'
context.request_heaUSrs.Sec-Ch-Ua: '['"Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"']'
context.request_heaUSrs.Sec-Ch-Ua-Mobile: '['?0']'
context.request_heaUSrs.Sec-Ch-Ua-Platform: '['"Windows"']'
context.request_heaUSrs.Sec-Fetch-MoUS: '['cors']'
context.request_heaUSrs.Sec-Fetch-Site: '['same-origin']'
context.request_heaUSrs.Sec-Fetch-USst: '['empty']'
context.request_heaUSrs.User-Agent: '['Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36']'
context.request_heaUSrs.X-ForwarUSd-For: '['192.168.1.147']'
context.request_heaUSrs.X-ForwarUSd-Port: '['443']'
context.request_heaUSrs.X-ForwarUSd-Proto: '['https']'
context.request_method: 'GET'
context.request_uri: '/data/newu/userid15/serdst'
context.response_body: '[{"id":123456788,"user_id":userid15'
context.response_coUS: '200'
context.response_time: '1'
context.textnumber: '1452'
extra: '[]'
level: '200'
level_name: 'INFO'
message: 'data Logs'
servername: 'myttdtn-server-adrt-bgrt-dws-sdfg1-1'

**Phase 3: Completed filtering (rules).
id: '100002'
level: '9'
description: 'TEST RULE NEW'
groups: '['local', 'syslog', 'sshd']'
firedtimes: '1'
mail: 'False'
**Alert to be generated.


Wrote the log to the file with #echo "log example" /var/ossec/logs/test.log, but Wazuh takes no action.

I can see it in archives.log:
2023 Mar 01 13:24:34 wazuh-server->/var/ossec/logs/test.log { message: data Logs, context: { request_method: GET, request_uri: /data/newu/userid15/serdst, request_heaUSrs: { X-ForwarUSd-Port: [ 443 ], Cdn-Loop: [ mycloud ], Cf-Ipcountry: [ US ], Cf-Connecting-Ip: [ 192.168.1.147 ], Cookie: [ sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1 ], Accept-Language: [ en-US,en;q=0.9 ], Referer: [ https://mytttest.com/newu/userid15 ], Sec-Fetch-USst: [ empty ], Sec-Fetch-MoUS: [ cors ], Sec-Fetch-Site: [ same-origin ], Sec-Ch-Ua-Platform: [ "Windows" ], Ajax: [ true ], User-Agent: [ Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36 ], Sec-Ch-Ua-Mobile: [ ?0 ], Accept: [ application/json, text/plain, */* ], Sec-Ch-Ua: [ "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110" ], Cf-Visitor: [ {"scheme":"https"} ], X-ForwarUSd-Proto: [ https ], Cf-Ray: [ aaaaaaaaaaaaaaa-AAA ], X-ForwarUSd-For: [ 192.168.1.147 ], Accept-Encoding: [ gzip ], Host: [ mytttest.com ], Content-Length: [ ], Content-Type: [ ] }, response_coUS: 200, response_time: 1.0, textnumber: 1452, response_body: [{"id":123456788,"user_id":userid15, link_set_1: data, link_set_2: newu, link_set_3: userid15, link_set_4: serdst }, extra: [], level: 200, level_name: INFO, servername: myttdtn-server-adrt-bgrt-dws-sdfg1-1 }

Why didn't the log from the file show, and why didn't the rule work? If I try /var/ossec/bin/wazuh-logtest it works correctly and the rule fires in Phase 3.

Do you still need to write a decoder?
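The following Python script is an added example (not part of the thread, and not Wazuh's own code) that emulates what wazuh-logtest shows above: the JSON decoder flattening the event into dotted fields (Phase 2) and the `<field>` conditions of rule 100002 being checked against those fields (Phase 3). The event is a trimmed, constructed copy of the one posted, and the regex-search matching is an approximation of Wazuh's own field matching, written here for illustration only.

```python
"""Emulate how the Wazuh JSON decoder flattens an event and how the
<field> conditions of rule 100002 from the thread are evaluated.

Added example (not part of the thread or of Wazuh itself): the flattening and
the all-fields-must-match logic are an approximation written for illustration;
Wazuh evaluates <field> values with its own regex engine, Python's re stands
in for it here.
"""
import json
import re

# Constructed sample: a trimmed copy of the event posted in the thread.
SAMPLE_JSON = '''{ "message": "data Logs",
  "context": { "request_method": "GET", "request_uri": "/data/newu/userid15/serdst",
               "request_heaUSrs": { "X-ForwarUSd-Port": [ "443" ], "Host": [ "mytttest.com" ] },
               "response_coUS": 200, "response_time": 1.0, "textnumber": 1452 },
  "extra": [], "level": 200, "level_name": "INFO" }'''

# The <field> conditions of rule 100002 as posted in local_rules.xml above.
RULE_100002 = {
    "id": "100002",
    "level": 9,
    "description": "TEST RULE NEW",
    "fields": {
        "context.request_method": "GET",
        "context.response_coUS": "200",
        "context.textnumber": "1452",
    },
}


def flatten(obj, prefix=""):
    """Turn nested dicts into dotted keys with string values (like logtest Phase 2)."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        elif isinstance(value, float) and value.is_integer():
            flat[name] = str(int(value))       # 1.0 is shown as '1' by the decoder
        else:
            flat[name] = str(value)            # lists keep their text form, e.g. "['443']"
    return flat


def decode(raw: str) -> dict:
    """Decode one raw log line; non-JSON lines produce no fields at all."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return {}
    return flatten(event) if isinstance(event, dict) else {}


def rule_fires(fields: dict, rule: dict) -> bool:
    """Every <field> must be present and match its pattern (regex search)."""
    for name, pattern in rule["fields"].items():
        value = fields.get(name)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def evaluate(raw: str, rules=(RULE_100002,)) -> list:
    """Return the ids of the rules that fire for one raw line."""
    fields = decode(raw)
    return [r["id"] for r in rules if rule_fires(fields, r)]


if __name__ == "__main__":
    print(json.dumps(decode(SAMPLE_JSON), indent=1))
    print("fired:", evaluate(SAMPLE_JSON))
    print("fired:", evaluate(SAMPLE_JSON.replace('"response_coUS": 200', '"response_coUS": 500')))
```

Running it prints the flattened fields in the same dotted form as the Phase 2 output above, then `['100002']` for the posted event and `[]` once the response code no longer matches; a line that is not JSON yields no fields, so no field-based rule can fire on it, which is the situation the thread's `<logall>` check in archives.log is meant to reveal.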

Santiago David Vendramini

Mar 1, 2023, 9:28:30 AM
to Wazuh mailing list
I will recreate the scenario with this custom rule. Can you check the /var/ossec/logs/alerts/alerts.json file to be sure that the rule is not triggered?

Darius Valečka

Mar 1, 2023, 10:21:02 AM
to wa...@googlegroups.com
Rule 592 is triggered (file change: Log file size reduced), but not my rule (100002).

"timestamp":"2023-03-01T15:11:51.400+0000","rule":{"level":8,"description":"Log file size reduced.","id":"592","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":2,"mail":false,"groups":["ossec","attacks"],"pci_dss":["10.5.2","11.4"],"gpg13":["10.1"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.9","SI.4"],"tsc":["CC6.1","CC7.2","CC7.3","CC6.8"]},"agent":{"id":"000","name":"wazuh-server"},"manager":{"name":"wazuh-server"},"id":"1677683511.387632","full_log":"ossec: File size reduced (inode remained): '/var/ossec/logs/test.log'.","decoder":{"name":"ossec"},"location":"wazuh-logcollector"}


Jayakrishnan P

Mar 2, 2023, 5:30:54 AM
to Wazuh mailing list
Hi Darius,

I would like to know how you are writing logs into the test.log file. Are you opening it in some text editor and manually writing it? First, the cursor needs to be on a new line after writing the log. Second, you need to write a simple script (maybe in Python) which writes to the test.log file with a newline at the end. I tried writing manually; it didn't work. When I used a script it worked. Please let me know the progress.

Regards
Jayakrishnan

Santiago David Vendramini

Mar 2, 2023, 8:45:12 AM
to Wazuh mailing list
Hi! Thanks Jayakrishnan for the contribution! You can also try >> in #echo {log example} >> test.log. When echoing something to a file, >> appends to the file and > overwrites the file. As soon as I have any progress with the test, I will let you know. Regards!
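As an added example (not from the thread, and not Wazuh code), the Python script below writes events the way Jayakrishnan and Santiago describe and makes both failure modes observable: an appended line without a trailing newline is not a complete event for a reader that tails the file, and rewriting the file with `>` shrinks it, which is what rule 592 ("File size reduced (inode remained)") reported earlier in the thread. The sample event is a trimmed, constructed copy of the posted one and the file lives in a temporary directory.

```python
"""Write JSON events to a log file the way a tailing log collector expects them.

Added example (not from the thread): shows why `>` triggers the "File size
reduced" alert seen above and why a line without a trailing newline is not
picked up. The sample event and the temporary path are constructed.
"""
import json
import os
import tempfile

# Constructed sample event: a reduced version of the one posted in the thread.
SAMPLE_EVENT = {
    "message": "data Logs",
    "context": {"request_method": "GET", "response_coUS": 200, "textnumber": 1452},
    "level_name": "INFO",
}


def append_event(path: str, event: dict) -> int:
    """Append one JSON event as a single newline-terminated line (like `>>`).
    Returns the file size after the write."""
    line = json.dumps(event, separators=(",", ":")) + "\n"
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return os.path.getsize(path)


def overwrite_event(path: str, event: dict) -> int:
    """Truncate the file and write one event (like `>`). Returns the new size."""
    line = json.dumps(event, separators=(",", ":")) + "\n"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(line)
    return os.path.getsize(path)


def last_line_terminated(path: str) -> bool:
    """True when the last byte is '\\n'; a tailing reader only emits complete lines."""
    size = os.path.getsize(path)
    if size == 0:
        return False
    with open(path, "rb") as fh:
        fh.seek(size - 1)
        return fh.read(1) == b"\n"


def complete_lines(path: str) -> list:
    """Parse only the newline-terminated lines, as a tailing reader would."""
    with open(path, "rb") as fh:
        data = fh.read()
    parts = data.split(b"\n")
    # the fragment after the last '\n' is incomplete (or empty) and is skipped
    return [json.loads(p) for p in parts[:-1] if p.strip()]


def demo() -> dict:
    """Run the three scenarios in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "test.log")
        size1 = append_event(path, SAMPLE_EVENT)
        size2 = append_event(path, SAMPLE_EVENT)          # `>>` grows the file
        # an event written without '\n' (an editor that did not end the line)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(SAMPLE_EVENT))
        readable = len(complete_lines(path))              # still 2: fragment ignored
        terminated = last_line_terminated(path)           # False
        size3 = overwrite_event(path, SAMPLE_EVENT)       # `>` truncates: size drops
        return {
            "grew_on_append": size2 > size1,
            "complete_lines_after_fragment": readable,
            "fragment_terminated": terminated,
            "size_reduced_on_overwrite": size3 < size2,
        }


if __name__ == "__main__":
    print(demo())
```

The size drop on `>` is the condition the collector reports as "File size reduced (inode remained)", and the unterminated fragment is why an event typed into an editor without a final newline never reaches the decoder; `append_event` avoids both by always appending a complete line.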

Jayakrishnan P

Mar 3, 2023, 12:20:39 AM
to Wazuh mailing list
Thanks Santiago David Vendramini, for the tip. 

Santiago David Vendramini

Mar 7, 2023, 7:22:11 AM
to Wazuh mailing list
Hi! Sorry for the delay! I was able to configure the rule as you did. And then I tried to write the log in this way: 

echo '{ "message": "data Logs", "context": { "request_method": "GET", "request_uri": "/data/newu/userid15/serdst", "request_heaUSrs": { "X-ForwarUSd-Port": [ "443" ], "Cdn-Loop": [ "mycloud" ], "Cf-Ipcountry": [ "US" ], "Cf-Connecting-Ip": [ "192.168.1.147" ], "Cookie": [ "sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1" ], "Accept-Language": [ "en-US,en;q=0.9" ], "Referer": [ "https://mytttest.com/newu/userid15" ], "Sec-Fetch-USst": [ "empty" ], "Sec-Fetch-MoUS": [ "cors" ], "Sec-Fetch-Site": [ "same-origin" ], "Sec-Ch-Ua-Platform": [ "\"Windows\"" ], "Ajax": [ "true" ], "User-Agent": [ "Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36" ], "Sec-Ch-Ua-Mobile": [ "?0" ], "Accept": [ "application/json, text/plain, */*" ], "Sec-Ch-Ua": [ "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\"" ], "Cf-Visitor": [ "{\"scheme\":\"https\"}" ], "X-ForwarUSd-Proto": [ "https" ], "Cf-Ray": [ "aaaaaaaaaaaaaaa-AAA" ], "X-ForwarUSd-For": [ "192.168.1.147" ], "Accept-Encoding": [ "gzip" ], "Host": [ "mytttest.com" ], "Content-Length": [ "" ], "Content-Type": [ "" ] }, "response_coUS": 200, "response_time": 1.0, "textnumber": 1452, "response_body": "[{\"id\":123456788,\"user_id\":userid15", "link_set_1": "data", "link_set_2": "newu", "link_set_3": "userid15", "link_set_4": "serdst" }, "extra": [], "level": 200, "level_name": "INFO", "servername": "myttdtn-server-adrt-bgrt-dws-sdfg1-1" }' >> /var/ossec/logs/test.log

Then I checked /var/ossec/logs/alerts/alerts.json and I can see the alerts generated: 

tail -f /var/ossec/logs/alerts/alerts.json
{"timestamp":"2023-03-07T13:17:51.539+0100","rule":{"level":9,"description":"TEST RULE NEW","id":"100002","firedtimes":1,"mail":false,"groups":["default"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1678191471.224102","full_log":"{ \"message\": \"data Logs\", \"context\": { \"request_method\": \"GET\", \"request_uri\": \"/data/newu/userid15/serdst\", \"request_heaUSrs\": { \"X-ForwarUSd-Port\": [ \"443\" ], \"Cdn-Loop\": [ \"mycloud\" ], \"Cf-Ipcountry\": [ \"US\" ], \"Cf-Connecting-Ip\": [ \"192.168.1.147\" ], \"Cookie\": [ \"sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1\" ], \"Accept-Language\": [ \"en-US,en;q=0.9\" ], \"Referer\": [ \"https://mytttest.com/newu/userid15\" ], \"Sec-Fetch-USst\": [ \"empty\" ], \"Sec-Fetch-MoUS\": [ \"cors\" ], \"Sec-Fetch-Site\": [ \"same-origin\" ], \"Sec-Ch-Ua-Platform\": [ \"\\\"Windows\\\"\" ], \"Ajax\": [ \"true\" ], \"User-Agent\": [ \"Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36\" ], \"Sec-Ch-Ua-Mobile\": [ \"?0\" ], \"Accept\": [ \"application/json, text/plain, */*\" ], \"Sec-Ch-Ua\": [ \"\\\"Chromium\\\";v=\\\"110\\\", \\\"Not A(Brand\\\";v=\\\"24\\\", \\\"Google Chrome\\\";v=\\\"110\\\"\" ], \"Cf-Visitor\": [ \"{\\\"scheme\\\":\\\"https\\\"}\" ], \"X-ForwarUSd-Proto\": [ \"https\" ], \"Cf-Ray\": [ \"aaaaaaaaaaaaaaa-AAA\" ], \"X-ForwarUSd-For\": [ \"192.168.1.147\" ], \"Accept-Encoding\": [ \"gzip\" ], \"Host\": [ \"mytttest.com\" ], \"Content-Length\": [ \"\" ], \"Content-Type\": [ \"\" ] }, \"response_coUS\": 200, \"response_time\": 1.0, \"textnumber\": 1452, \"response_body\": \"[{\\\"id\\\":123456788,\\\"user_id\\\":userid15\", \"link_set_1\": \"data\", \"link_set_2\": \"newu\", \"link_set_3\": \"userid15\", \"link_set_4\": \"serdst\" }, \"extra\": [], \"level\": 200, \"level_name\": \"INFO\", \"servername\": \"myttdtn-server-adrt-bgrt-dws-sdfg1-1\" }","decoder":{"name":"json"},"data":{"message":"data Logs","context":{"request_method":"GET","request_uri":"/data/newu/userid15/serdst","request_heaUSrs":{"X-ForwarUSd-Port":["443"],"Cdn-Loop":["mycloud"],"Cf-Ipcountry":["US"],"Cf-Connecting-Ip":["192.168.1.147"],"Cookie":["sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1"],"Accept-Language":["en-US,en;q=0.9"],"Referer":["https://mytttest.com/newu/userid15"],"Sec-Fetch-USst":["empty"],"Sec-Fetch-MoUS":["cors"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Ajax":["true"],"User-Agent":["Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["application/json, text/plain, */*"],"Sec-Ch-Ua":["\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""],"Cf-Visitor":["{\"scheme\":\"https\"}"],"X-ForwarUSd-Proto":["https"],"Cf-Ray":["aaaaaaaaaaaaaaa-AAA"],"X-ForwarUSd-For":["192.168.1.147"],"Accept-Encoding":["gzip"],"Host":["mytttest.com"],"Content-Length":[""],"Content-Type":[""]},"response_coUS":"200","response_time":"1","textnumber":"1452","response_body":"[{\"id\":123456788,\"user_id\":userid15","link_set_1":"data","link_set_2":"newu","link_set_3":"userid15","link_set_4":"serdst"},"extra":[],"level":"200","level_name":"INFO","servername":"myttdtn-server-adrt-bgrt-dws-sdfg1-1"},"location":"/var/ossec/logs/test.log"}
{"timestamp":"2023-03-07T13:17:59.559+0100","rule":{"level":9,"description":"TEST RULE NEW","id":"100002","firedtimes":2,"mail":false,"groups":["default"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1678191479.227627","full_log":"{ \"message\": \"data Logs\", \"context\": { \"request_method\": \"GET\", \"request_uri\": \"/data/newu/userid15/serdst\", \"request_heaUSrs\": { \"X-ForwarUSd-Port\": [ \"443\" ], \"Cdn-Loop\": [ \"mycloud\" ], \"Cf-Ipcountry\": [ \"US\" ], \"Cf-Connecting-Ip\": [ \"192.168.1.147\" ], \"Cookie\": [ \"sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1\" ], \"Accept-Language\": [ \"en-US,en;q=0.9\" ], \"Referer\": [ \"https://mytttest.com/newu/userid15\" ], \"Sec-Fetch-USst\": [ \"empty\" ], \"Sec-Fetch-MoUS\": [ \"cors\" ], \"Sec-Fetch-Site\": [ \"same-origin\" ], \"Sec-Ch-Ua-Platform\": [ \"\\\"Windows\\\"\" ], \"Ajax\": [ \"true\" ], \"User-Agent\": [ \"Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36\" ], \"Sec-Ch-Ua-Mobile\": [ \"?0\" ], \"Accept\": [ \"application/json, text/plain, */*\" ], \"Sec-Ch-Ua\": [ \"\\\"Chromium\\\";v=\\\"110\\\", \\\"Not A(Brand\\\";v=\\\"24\\\", \\\"Google Chrome\\\";v=\\\"110\\\"\" ], \"Cf-Visitor\": [ \"{\\\"scheme\\\":\\\"https\\\"}\" ], \"X-ForwarUSd-Proto\": [ \"https\" ], \"Cf-Ray\": [ \"aaaaaaaaaaaaaaa-AAA\" ], \"X-ForwarUSd-For\": [ \"192.168.1.147\" ], \"Accept-Encoding\": [ \"gzip\" ], \"Host\": [ \"mytttest.com\" ], \"Content-Length\": [ \"\" ], \"Content-Type\": [ \"\" ] }, \"response_coUS\": 200, \"response_time\": 1.0, \"textnumber\": 1452, \"response_body\": \"[{\\\"id\\\":123456788,\\\"user_id\\\":userid15\", \"link_set_1\": \"data\", \"link_set_2\": \"newu\", \"link_set_3\": \"userid15\", \"link_set_4\": \"serdst\" }, \"extra\": [], \"level\": 200, \"level_name\": \"INFO\", \"servername\": \"myttdtn-server-adrt-bgrt-dws-sdfg1-1\" }","decoder":{"name":"json"},"data":{"message":"data Logs","context":{"request_method":"GET","request_uri":"/data/newu/userid15/serdst","request_heaUSrs":{"X-ForwarUSd-Port":["443"],"Cdn-Loop":["mycloud"],"Cf-Ipcountry":["US"],"Cf-Connecting-Ip":["192.168.1.147"],"Cookie":["sdsdfsda=1C81233456789UT; mytt_cookieexamplemy_down=1"],"Accept-Language":["en-US,en;q=0.9"],"Referer":["https://mytttest.com/newu/userid15"],"Sec-Fetch-USst":["empty"],"Sec-Fetch-MoUS":["cors"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Ajax":["true"],"User-Agent":["Mozilla/4.0 (Windows NT 11.0; Win64; x64) AppleWebKit/545.36 (KHTML, like Gecko) Chrome/100.0.0.0 Safari/545.36"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["application/json, text/plain, */*"],"Sec-Ch-Ua":["\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""],"Cf-Visitor":["{\"scheme\":\"https\"}"],"X-ForwarUSd-Proto":["https"],"Cf-Ray":["aaaaaaaaaaaaaaa-AAA"],"X-ForwarUSd-For":["192.168.1.147"],"Accept-Encoding":["gzip"],"Host":["mytttest.com"],"Content-Length":[""],"Content-Type":[""]},"response_coUS":"200","response_time":"1","textnumber":"1452","response_body":"[{\"id\":123456788,\"user_id\":userid15","link_set_1":"data","link_set_2":"newu","link_set_3":"userid15","link_set_4":"serdst"},"extra":[],"level":"200","level_name":"INFO","servername":"myttdtn-server-adrt-bgrt-dws-sdfg1-1"},"location":"/var/ossec/logs/test.log"}

Are you still having problems with this rule?
Let me know if you need help. Regards.

Darius Valečka

Mar 20, 2023, 9:39:59 AM
to wa...@googlegroups.com
Hello,

Yes, it works on the wazuh-manager.

I'm now trying on another Linux host; I added the agent to the Linux host (it works). On the wazuh-manager I changed ossec.conf:
  <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>audit</log_format>
  </localfile>

  <localfile>
    <location>/var/log/audit/test.log</location>
    <log_format>syslog</log_format>
  </localfile>

audit.log works, but /var/log/audit/test.log is not being monitored. Why?

Santiago David Vendramini

Mar 23, 2023, 1:41:22 PM
to Wazuh mailing list
Hello, the syscollector configuration must be set on each agent, or else you can use the centralized configuration in the manager if you need that configuration for several agents.

For the first case, you should modify the ossec.conf file of the agent.

And for the centralized configuration you must modify the agent.conf file in the manager. To do this I recommend you to follow the steps described in the following documentation: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

I hope this solves your needs, let me know if you need anything else!
Best regards!