Adding Tags to logs


rana chand

Oct 27, 2020, 8:45:05 AM
to Wazuh mailing list
Hi All,

Is there a way of adding a tag (or prefix) to every log before it is sent from the agent to the Wazuh manager, for analysis purposes?

For example if the original log is:
2020-10-23T12:59:49.617+0530 INFO This is the log.

After adding the tag:
tag: 2020-10-23T12:59:49.617+0530 INFO This is the log.

Regards,
Rana.

Juan Nicolás Asselle

Oct 27, 2020, 8:28:20 PM
to Wazuh mailing list

Hi Rana!

There is a way to make some manipulations on the logs using the out_format option in localfile, which allows you to add a tag to certain logs.

For example, this localfile entry in ossec.conf will add a header with a timestamp, the hostname, a fixed string and the log content to the logs from /var/log/mongodb/mongodb.log:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/mongodb/mongodb.log</location>
  <out_format>$(timestamp) $(hostname) mongodb: $(log)</out_format>
</localfile>

I hope it helps. Let me know if you need anything else.

Regards,
Nico
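To see what the out_format entry above actually produces, and to have a check that runs without an agent, here is an added example that is not part of the thread or of Wazuh's code. It renders the `$(timestamp) $(hostname) mongodb: $(log)` template over two constructed lines in the MongoDB format quoted in the thread, then parses the resulting syslog-style header the way a manager-side consumer would, returning `None` for a line that never got the tag. The variable names (`$(log)`, `$(json_escaped_log)`, `$(location)`, `$(base_file_name)`, `$(log_format)`, `$(hostname)`, `$(timestamp)` with an optional strftime layout) and the default timestamp layout are taken from the out_format documentation as I understand it and are assumptions to verify against the docs for your version; the hostname, clock value and function names are constructed for this example.

```python
import json
import re
import socket
from datetime import datetime

# Constructed sample: two lines in the MongoDB log format quoted in the thread.
SAMPLE_LINES = [
    "2020-10-28T09:22:32.057+0530 I NETWORK  [listener] connection accepted "
    "from 127.0.0.1:41368 #3 (1 connection now open)",
    "2020-10-28T09:27:32.057+0530 I NETWORK  [listener] connection accepted "
    "from 127.0.0.1:41368 #4 (1 connection now open)",
]
SAMPLE_LOCATION = "/var/log/mongodb/mongodb.log"
TEMPLATE = "$(timestamp) $(hostname) mongodb: $(log)"

# Fixed host and clock so the rendered output is reproducible (constructed values).
EXAMPLE_HOST = "nineleaps-ThinkPad-L470"
EXAMPLE_TIME = datetime(2020, 10, 28, 3, 57, 33)

# Matches $(name) or $(name arg), e.g. $(timestamp %Y-%m-%d).
_VAR_RE = re.compile(r"\$\((\w+)(?:\s+([^)]*))?\)")
# Assumption: the default $(timestamp) layout is the syslog one ("Oct 28 03:57:33").
_DEFAULT_TS = "%b %d %H:%M:%S"


def render_out_format(template, log, location, log_format="syslog",
                      hostname=None, now=None):
    """Expand an out_format template for one line, as the agent does before
    forwarding it. Variable names follow the Wazuh out_format documentation
    (assumption: check the docs for the version you run)."""
    hostname = hostname or socket.gethostname()
    now = now or datetime.now()

    def expand(match):
        name, arg = match.group(1), match.group(2)
        if name == "log":
            return log
        if name == "json_escaped_log":
            # backslashes and quotes escaped, without the surrounding quotes
            return json.dumps(log)[1:-1]
        if name == "location":
            return location
        if name == "base_file_name":
            return location.rsplit("/", 1)[-1]
        if name == "log_format":
            return log_format
        if name == "hostname":
            return hostname
        if name == "timestamp":
            return now.strftime(arg if arg else _DEFAULT_TS)
        raise ValueError(f"unsupported out_format variable: $({name})")

    return _VAR_RE.sub(expand, template)


# Header the template above produces: "<syslog ts> <host> <tag>: <message>".
_TAGGED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def split_tagged_line(line):
    """Return (tag, message) for a line that carries the header, or None.
    None on the manager side means the tag is not reaching it, which is the
    symptom reported later in the thread."""
    match = _TAGGED_RE.match(line)
    if not match:
        return None
    return match.group("tag"), match.group("msg")


def tag_lines(lines, template=TEMPLATE, location=SAMPLE_LOCATION,
              hostname=EXAMPLE_HOST, now=EXAMPLE_TIME):
    """Render every line with the template (the agent-side view)."""
    return [render_out_format(template, line, location,
                              hostname=hostname, now=now) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, tag_lines(SAMPLE_LINES)):
        print("before:", before)
        print("after: ", after)
        print("parsed:", split_tagged_line(after))
```

Because the tag becomes a syslog program name in the header, a manager-side decoder can key on it (`mongodb` here) instead of on the file path, which is the point of adding the prefix. If you pipe real lines received by the manager through `split_tagged_line` and get `None`, the agent is not applying out_format at all.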

rana chand

Oct 28, 2020, 12:09:04 AM
to Wazuh mailing list
Hi Juan,

I have tried the same way you have mentioned above.

Configuration on the agent:

<localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mongodb/mongodb.log</location>
    <out_format>$(timestamp) $(hostname) mongodb: $(log)</out_format>
</localfile>

Output before adding out_format:

2020 Oct 28 03:52:33 (nineleaps-ThinkPad-L470) any->/var/log/mongodb/mongodb.log 2020-10-28T09:22:32.057+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:41368 #3 (1 connection now open)

Output after adding out_format:

2020 Oct 28 03:57:33 (nineleaps-ThinkPad-L470) any->/var/log/mongodb/mongodb.log 2020-10-28T09:27:32.057+0530 I NETWORK  [listener] connection accepted from 127.0.0.1:41368 #4 (1 connection now open)

As you can see, there is no change in the log that reached the Wazuh manager before and after adding the log_format.
Please guide me if I am wrong somewhere.


Regards,
Rana.

Juan Nicolás Asselle

Oct 28, 2020, 8:24:29 AM
to Wazuh mailing list
Hi Rana!

Please follow Jonathan's explanation here: https://groups.google.com/g/wazuh/c/Llrlk0PJR3o/m/lr_AqQkJEQAJ . There are two identical threads for the same issue.

Regards,
Nico

Juan Nicolás Asselle

Oct 28, 2020, 9:33:00 AM
to Wazuh mailing list

Hi Rana,

I saw from your other thread that you use Wazuh v3.12.0. This version has an issue (https://github.com/wazuh/wazuh/issues/4877) related to the problem with out_format, and it was solved in v3.12.3. I've just tested it and it works perfectly.
Sorry for the inconvenience.

Regards,
Nico
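Since the cause here was the agent version rather than the configuration, a practitioner's first check before debugging out_format is the installed version. Added example, not from the thread or from Wazuh: it reads the version string from the text of the agent's ossec-init.conf (3.x installs keep a `VERSION="vX.Y.Z"` line there; 4.x prints `WAZUH_VERSION="vX.Y.Z"` from `wazuh-control info`, both of which the parser accepts; the exact file layout is an assumption to confirm on your install) and compares it with the fix release named above. The sample file content and function names are constructed for this example.

```python
import re

# Constructed sample of /var/ossec/etc/ossec-init.conf on an affected 3.x agent
# (assumption: the VERSION="vX.Y.Z" line as 3.x installs write it).
SAMPLE_INIT_CONF = """DIRECTORY="/var/ossec"
VERSION="v3.12.0"
DATE="(build date)"
TYPE="agent"
"""

# First release with the out_format fix mentioned in the thread.
MIN_OUT_FORMAT_VERSION = (3, 12, 3)

# Accepts VERSION="v3.12.0" (ossec-init.conf, 3.x) and WAZUH_VERSION="v4.2.0"
# (wazuh-control info, 4.x); the leading "v" and the quotes are optional.
_VERSION_RE = re.compile(r'^(?:WAZUH_)?VERSION="?v?(\d+)\.(\d+)\.(\d+)', re.MULTILINE)


def parse_wazuh_version(text):
    """Return (major, minor, patch) from the file or command output text,
    or None when no version line is present."""
    match = _VERSION_RE.search(text)
    return tuple(int(x) for x in match.groups()) if match else None


def out_format_fixed(text, minimum=MIN_OUT_FORMAT_VERSION):
    """True when the installed version is at or above the fix release.
    Tuple comparison handles 3.12.10 > 3.12.3 correctly, which a string
    comparison would not."""
    version = parse_wazuh_version(text)
    return version is not None and version >= minimum


if __name__ == "__main__":
    # On a real agent: open("/var/ossec/etc/ossec-init.conf").read()
    print("installed:", parse_wazuh_version(SAMPLE_INIT_CONF))
    print("out_format fix present:", out_format_fixed(SAMPLE_INIT_CONF))
```

Run it over the real file on each agent (or over `wazuh-control info` output on 4.x) before spending time on the localfile block; an agent below 3.12.3 will silently forward the line untouched, exactly as shown earlier in the thread.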
