Read 0 lines from IIS logs in wazuh agent log file


Galin Gospodinov

Mar 10, 2022, 10:03:23 AM
to Wazuh mailing list
Hello everyone, 
What does this log mean:

"2022/03/10 17:08:24 wazuh-agent[9264] read_syslog.c:148 at read_syslog(): DEBUG: Read 0 lines from C:\inetpub\logs\LogFiles\W3SVC1\u_ex220310.log"
I have logs in the u_ex220310 file, but somehow the log collector can't read it.


Damian Nicastro

Mar 10, 2022, 11:08:25 AM
to Wazuh mailing list
Hello @g.gospo
I hope you are fine.
This problem seems to be related to the selected format of the <localfile> block configuration. You can see all the supported formats in the link below (including the iis format).
 
If this is not the problem, please provide the complete <localfile> block configuration located in the C:\Program Files (x86)\ossec-agent\ossec.conf and C:\Program Files (x86)\ossec-agent\shared\agent.conf files of your Wazuh agent.

In order to get more details about the issue, you can also put the Wazuh agent in debug mode and send us the logs.
Open the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf as Administrator and add the following lines:
agent.debug=2
windows.debug=2
logcollector.debug=2
Save the changes and restart the Wazuh manager:
Open a CMD terminal as Administrator and execute:
C:\windows\system32>net stop wazuh

The Wazuh service was stopped successfully.

C:\windows\system32>net start wazuh

The Wazuh service was started successfully.


I hope this helps
Thanks

Galin Gospodinov

Mar 11, 2022, 1:28:43 AM
to Wazuh mailing list
Hello Damian,
thank you for the reply!
I tried with different formats (iis, syslog), but the problem is still there.
I don't have a C:\Program Files (x86)\ossec-agent\shared\agent.conf file in this directory.
Please see the attached ossec.conf and ossec.log files and the image.

CProgram Files (x86)ossec-agentshared.png
ossec.conf.txt
ossec.log.txt

Damian Nicastro

Mar 11, 2022, 8:03:53 AM
to Wazuh mailing list
Hi @g.gospodinov92:
I hope you are fine.
The config and the log look OK, since the configured files are being analyzed:
2022/03/11 08:31:05 wazuh-agent[512] logcollector.c:361 at LogCollectorStart(): INFO: (1950): Analyzing file: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220215.log'.
2022/03/11 08:31:05 sca[512] wm_sca.c:2247 at wm_sca_winreg_querykey(): DEBUG: Considering value 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' -> 'crashonauditfail' == 'CrashOnAuditFail': Value found.
2022/03/11 08:31:05 wazuh-agent[512] logcollector.c:361 at LogCollectorStart(): INFO: (1950): Analyzing file: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220310.log'.
2022/03/11 08:31:05 sca[512] wm_sca.c:2299 at wm_sca_winreg_querykey(): DEBUG: Checking value data '0' with rule '0'
2022/03/11 08:31:05 sca[512] wm_sca.c:1840 at wm_sca_pattern_matches(): DEBUG: Testing minterm (0)(0) -> 1
2022/03/11 08:31:05 wazuh-agent[512] logcollector.c:361 at LogCollectorStart(): INFO: (1950): Analyzing file: 'C:\log\test.txt'.


Please, check on the manager side if you are receiving the log lines:
Configure <logall_json> as "yes" in the manager config:

# vi /var/ossec/etc/ossec.conf
...
<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
...

Restart the manager after that:
# systemctl restart wazuh-manager

Then, leave a tail in the archive.json file with some filtering like this for example:
# tail -f /var/ossec/logs/archives/archives.json | grep -i W3SVC1

Then write a line in the monitored file in the Wazuh agent machine, press enter and save the file and, after some seconds, check if you have a new entry in the previous tail.

If you don't receive anything, you might have a connectivity issue between the Wazuh agent and the manager. You can run tcpdump on the Wazuh manager to check whether you are receiving data on the corresponding port, 1514:
# tcpdump -i <interface_name> src <wazuh_agent_ip> port 1514

If you are not receiving anything on the manager, run a telnet to ensure connectivity to this port:
# telnet <manager_ip> 1514

If it is not connecting, you might need to review your Firewall config in the Wazuh agent, Wazuh manager and in any machine in between them.
I hope this helps.

Thanks
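The manager-side check described in the post above (enable <logall_json>, then watch archives.json for lines from the monitored IIS file) can be done with a JSON-aware filter instead of a plain grep, so that a match on the agent name and on the <location> value is exact and a line from some other file containing the same string is not mistaken for success. The script below is an added example and is not code from the thread or from the Wazuh project. The archive field layout it assumes ("timestamp", "agent" with "id"/"name", "location", "full_log") is an assumption about archives.json, and the sample lines, host names and addresses are constructed for the example.

```python
import json
import sys
from collections import Counter
from typing import Iterable, Iterator, Optional

# Constructed sample lines in the shape of /var/ossec/logs/archives/archives.json
# (the file is only written once <logall_json> is "yes" on the manager).
# The field layout is an assumption, not taken from the thread; host names and
# IP addresses are documentation values. The last line is deliberately not JSON.
SAMPLE_ARCHIVE_LINES = [
    '{"timestamp":"2022-03-11T08:35:01.123+0000",'
    '"agent":{"id":"002","name":"iis-web01"},'
    '"location":"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\W3SVC1\\\\u_ex220310.log",'
    '"full_log":"2022-03-10 17:08:24 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 12"}',
    '{"timestamp":"2022-03-11T08:35:02.456+0000",'
    '"agent":{"id":"002","name":"iis-web01"},'
    '"location":"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\W3SVC1\\\\u_ex220310.log",'
    '"full_log":"2022-03-10 17:08:25 192.0.2.10 POST /login - 443 - 198.51.100.7 Mozilla/5.0 - 401 0 0 30"}',
    '{"timestamp":"2022-03-11T08:35:03.789+0000",'
    '"agent":{"id":"002","name":"iis-web01"},'
    '"location":"C:\\\\log\\\\test.txt",'
    '"full_log":"test line written by hand"}',
    '{"timestamp":"2022-03-11T08:35:04.000+0000",'
    '"agent":{"id":"003","name":"other-host"},'
    '"location":"/var/log/syslog",'
    '"full_log":"Mar 11 08:35:04 other-host sshd[1234]: Accepted publickey for ops"}',
    'this line is not JSON and must be skipped rather than crash the checker',
]


def parse_archive_line(line: str) -> Optional[dict]:
    """Decode one archives.json line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def filter_events(lines: Iterable[str], location_substring: str,
                  agent_name: Optional[str] = None) -> Iterator[dict]:
    """Yield events whose 'location' contains the substring (case-insensitive,
    like grep -i) and, when an agent name is given, whose agent name matches exactly."""
    needle = location_substring.lower()
    for line in lines:
        event = parse_archive_line(line)
        if event is None:
            continue
        location = str(event.get("location", ""))
        if needle not in location.lower():
            continue
        if agent_name is not None and event.get("agent", {}).get("name") != agent_name:
            continue
        yield event


def count_by_location(lines: Iterable[str], location_substring: str,
                      agent_name: Optional[str] = None) -> Counter:
    """Count matching events per exact location string, so a file the agent reports
    as 'Analyzing' but never ships from shows up as absent here."""
    return Counter(e["location"] for e in filter_events(lines, location_substring, agent_name))


def received_from(lines: Iterable[str], location_substring: str,
                  agent_name: Optional[str] = None) -> bool:
    """True if at least one event from the given location (and agent) reached the manager."""
    return any(True for _ in filter_events(lines, location_substring, agent_name))


if __name__ == "__main__":
    # Live use on the manager, fed by the tail from the post (file name is hypothetical):
    #   tail -f /var/ossec/logs/archives/archives.json | python3 check_archive.py W3SVC1 iis-web01
    needle = sys.argv[1] if len(sys.argv) > 1 else "W3SVC1"
    agent = sys.argv[2] if len(sys.argv) > 2 else None
    for ev in filter_events(sys.stdin, needle, agent):
        print(ev.get("timestamp"), ev.get("agent", {}).get("name"), ev.get("location"), ev.get("full_log"))
```

Run with the sample, `received_from(SAMPLE_ARCHIVE_LINES, "W3SVC1", "iis-web01")` is true and `count_by_location` reports two events for the u_ex220310.log location, while the hand-written C:\log\test.txt line and the other host's syslog are excluded; if the same check against a live tail stays empty after a line is written to the IIS file, the post's next steps (tcpdump on port 1514, then telnet) apply.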

Ryan P

Jul 29, 2022, 9:39:46 AM
to Wazuh mailing list
Galin, did you ever get this resolved? I'm having the same problem.
Thanks
