Can we choose new path to store logs instead of archives.log


ismailctest C

Apr 2, 2023, 2:33:04 AM4/2/23
to Wazuh mailing list
Hi,
Installed the Wazuh manager and added 10 agents and 5 syslog sources.
E.g.: all logs are coming into archives.log now. How do I get one firewall's logs into the archives1.log file?

Firewall IP/location: 10.10.10.2. When logs come from this location, they should be saved in the archives1.log file; all other servers save to archives.log.

How do I configure this? Please support.

David Correa Rodriguez

Apr 3, 2023, 11:15:06 AM4/3/23
to Wazuh mailing list
Hello.

Unfortunately, Wazuh does not allow changing the path where the logs are going to be stored. I suggest you open a new issue in our GitHub repository to request this new feature: https://github.com/wazuh/wazuh/issues/new?assignees=&labels=&template=default.md&title=
Maybe you could use another tool to perform this, such as "syslog-ng". With this tool, you can specify the incoming logs from a specific firewall IP:

source s_firewall_logs {
    tcp(ip("FIREWALL_IP_ADDRESS") port(FIREWALL_PORT_NUMBER));
};

where FIREWALL_IP_ADDRESS is the IP address of your firewall and FIREWALL_PORT_NUMBER is the port number your firewall uses to send logs.

Besides, you would need to specify where the logs are going to be stored:

destination d_firewall_logs {
    file("/var/log/firewall/FIREWALL_IP_ADDRESS.log");
};

Notice that these logs are going to be duplicated: in archives.log and in the new file where you want to store these logs.
Hope it helps.
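A complete syslog-ng configuration for the split described in this thread, added here as an illustration rather than taken from the reply above or from the Wazuh project. It assumes the firewall is 10.10.10.2 (from the question), that the firewall sends syslog over UDP port 514, and that the file paths and the `@version` line are placeholders to adjust for the installed syslog-ng release; a `netmask()` filter selects messages by sender address, and a `log` path with `flags(final)` keeps the firewall lines out of the catch-all file.

```conf
@version: 3.38
@include "scl.conf"

# One listener for every syslog sender (assumed: UDP 514 on all interfaces).
source s_network {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Match only messages whose source address is the firewall (10.10.10.2).
filter f_firewall {
    netmask("10.10.10.2/32");
};

# Separate file for the firewall; path is an assumption.
destination d_firewall {
    file("/var/log/firewall/10.10.10.2.log" create-dirs(yes));
};

# Catch-all file for every other sender; path is an assumption.
destination d_other {
    file("/var/log/syslog-ng/other.log" create-dirs(yes));
};

# Firewall messages go to their own file and stop here (final),
# so they are not written a second time by the catch-all path.
log {
    source(s_network);
    filter(f_firewall);
    destination(d_firewall);
    flags(final);
};

# Everything that did not match the firewall filter lands here.
log {
    source(s_network);
    destination(d_other);
};
```

Run `syslog-ng --syntax-only` after editing to validate the file before reloading the service.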