Issues with Journald Logs and Wazuh Log Collector in Version 4.9.2


LUAN BRAZ

Dec 1, 2024, 10:11:54 AM
to Wazuh | Mailing List
Hello, I installed the latest version (4.9.2) of Wazuh and its agents on all our production servers, but I noticed that the journald logs stopped arriving on the dashboard, as detailed in this link: https://github.com/wazuh/wazuh/issues/26778

For it to work, I have to restart the agents on each server/workstation and I am concerned that disk usage is increasing because the files are not being deleted due to the problem with the wazuh log collector.

Can anyone give me some guidance on how to fix it, or how to work around it until a fix is released?

Thanks.

Bony V John

Dec 2, 2024, 4:24:51 AM
to Wazuh | Mailing List
Hello Luan,

Could you please run the following commands on the Wazuh manager and share the output for further investigation:
journalctl -u systemd-journald | tail -4
ps auxfww | grep wazuh-log
grep -ri 'logcoll.*reload' /var/ossec/etc/
stat /var/ossec/etc/internal_options.conf
cat /var/ossec/logs/ossec.log | grep "read_syslog"


Regards,

LUAN BRAZ

Dec 2, 2024, 11:20:05 PM
to Bony V John, Wazuh | Mailing List
Hello Bony, thank you for your attention in resolving my problem. Below is the output of the requested commands:

nov 18 00:07:29 vazo systemd-journald[526]: Received client request to flush runtime journal.
nov 18 00:07:29 vazo systemd-journald[526]: /var/log/journal/eecd26ba9cc84748a85d14a22cf91232/system.journal: Journal file uses a different sequence number ID, rotating.
nov 18 00:07:29 vazo systemd-journald[526]: Rotating system journal.
nov 29 01:39:04 vazo systemd-journald[526]: /var/log/journal/eecd26ba9cc84748a85d14a22cf91232/user-1000.journal: Journal file uses a different sequence number ID, rotating.
root        1847  0.0  0.5 668784 48100 ?        Sl   nov18   1:40 /var/ossec/bin/wazuh-logcollector
root      182320  0.0  0.0   6676  2304 pts/0    S+   21:19   0:00                      \_ grep --color=auto wazuh-log
/var/ossec/etc/internal_options.conf:logcollector.force_reload=0
/var/ossec/etc/internal_options.conf:logcollector.reload_interval=64
/var/ossec/etc/internal_options.conf:logcollector.reload_delay=1000
  File: /var/ossec/etc/internal_options.conf
  Size: 14480           Blocks: 32         IO Block: 4096   regular file
Device: 252,0   Inode: 2247798     Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  110/   wazuh)
Access: 2024-12-02 11:48:42.003681343 +0000
Modify: 2024-10-28 15:31:52.000000000 +0000
Change: 2024-11-09 20:07:32.426371937 +0000
 Birth: 2024-11-09 20:07:03.106790934 +0000

Thanks,

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/28eec607-bf98-4c91-a474-89f926bc9f7dn%40googlegroups.com.


--
Luan Philipe Herculano Braz
Coordinator of Information Technology Management
Ordinance No. 1949 of June 5, 2023
IFBA Campus Euclides da Cunha

CGTI - IFBA Campus Euclides da Cunha
Rate our service: https://forms.gle/wpqSXXRrUugp1pf28

Bony V John

Dec 4, 2024, 7:30:01 AM
to Wazuh | Mailing List
Hi Luan,

It seems that this issue might be related to journald log rotation. I kindly request you to create a new GitHub issue describing your problem. Please include details such as the Wazuh version, your operating system and its version, and the relevant logs, like this one: https://github.com/wazuh/wazuh/issues/26778

In the meantime, you can monitor system logs in Wazuh using the <localfile> option. Configure the <localfile> directive to forward logs from the /var/log/syslog and /var/log/auth.log files, as shown below:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>


If you cannot find these log files on your system, it may indicate that your operating system is not saving these files locally. In that case, you can use services such as rsyslog or syslog-ng to monitor and write logs locally. Once the logs are saved locally, you can use the <localfile> option to monitor and forward the system logs to Wazuh.

I hope this helps! Let me know if you have any further questions.

Regards,


LUAN BRAZ

Dec 4, 2024, 11:33:37 PM
to Bony V John, Wazuh | Mailing List
Hi Bony, thank you for your attention, my friend.

I created a new issue (#27151) on GitHub as instructed and will wait for the fix.

Could you please guide me on how to configure the Wazuh agents to restart after the journald rotation? Wouldn't this be a better alternative solution while I wait for the fix? This alternative solution with localfile would be a bit of work since there are dozens of servers and each one has different log configuration and files, so it won't be as good as with journald.

Regards,

Luan


Bony V John

Dec 5, 2024, 1:15:07 AM
to Wazuh | Mailing List
Hi Luan,

To configure all agents, you can use the Wazuh centralized agent configuration. Start by grouping the agents with the same operating system or version into a single group. Then, add the localfile configuration block to the agent.conf file in the shared configuration for that group.

Here are screenshots for reference:

Screenshot 2024-12-05 113732.png
Screenshot 2024-12-05 113751.png

Regarding restarting agents after journald log rotation, you can create a custom script to restart the Wazuh agent. You can then configure this script to run as a cron job, triggering it after the log rotation is completed.

I hope this helps! Let me know if you have any further questions related to Wazuh.

Regards,
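One concrete way to build the cron-driven restart that Bony describes above, as an added example that is not part of this thread and not Wazuh project code: a POSIX shell script that fingerprints the persistent journal directory (/var/log/journal, the path visible in the journald output earlier in the thread) by file name and inode number, and restarts wazuh-agent only when that fingerprint differs from the one saved on the previous run, i.e. after journald rotated or created a journal file. The script name, the state-file path under /var/ossec/var/run and the five-minute cron interval are assumptions.

```shell
#!/bin/sh
# Added example (not Wazuh project code): restart wazuh-agent after journald rotation.
# Run from cron with the "run" argument, for instance every five minutes:
#   */5 * * * * /usr/local/bin/wazuh-journal-watch.sh run
# Rotation is detected by comparing a fingerprint of the persistent journal
# directory (file names plus inode numbers) with the one saved on the previous run,
# so the agent is restarted only when journald actually rotated or added a file.

JOURNAL_DIR="${JOURNAL_DIR:-/var/log/journal}"                       # path seen in the thread's journald output
STATE_FILE="${STATE_FILE:-/var/ossec/var/run/journal_fingerprint}"   # assumed state-file location

# journal_fingerprint DIR
# Prints one sorted line per *.journal file below DIR: "<inode> <path>".
# Rotation renames system.journal to system@<id>.journal and creates a fresh
# system.journal with a new inode, so the fingerprint changes on every rotation.
journal_fingerprint() {
    find "$1" -type f -name '*.journal' -exec stat -c '%i %n' {} + 2>/dev/null | sort
}

# journal_rotated DIR STATE
# Prints "rotated" if the current fingerprint differs from the one stored in
# STATE, otherwise "unchanged", and always stores the current fingerprint in
# STATE. A missing STATE file is a first run and is reported as "unchanged" so
# that installing the script does not itself trigger a restart.
journal_rotated() {
    current=$(journal_fingerprint "$1")
    if [ ! -f "$2" ]; then
        printf '%s\n' "$current" > "$2"
        echo "unchanged"
        return 0
    fi
    previous=$(cat "$2")
    printf '%s\n' "$current" > "$2"
    if [ "$current" = "$previous" ]; then
        echo "unchanged"
    else
        echo "rotated"
    fi
}

# restart_agent: record the reason in syslog, then restart the agent service.
restart_agent() {
    logger -t wazuh-journal-watch "journald rotation detected, restarting wazuh-agent"
    systemctl restart wazuh-agent
}

# Entry point: only acts when invoked as "... run", so sourcing the file
# (for example from a test) defines the functions without touching the system.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$(dirname "$STATE_FILE")"
    if [ "$(journal_rotated "$JOURNAL_DIR" "$STATE_FILE")" = "rotated" ]; then
        restart_agent
    fi
fi
```

The fingerprint deliberately covers every *.journal file, so the agent is also restarted when a new per-user journal (such as the user-1000.journal in the output above) appears; that is harmless but can be narrowed to system.journal if the restarts become too frequent. Polling from cron keeps the script free of extra dependencies; the state file is rewritten before the restart so a failed restart does not loop on the next run, and the logger line leaves an audit trail of each restart in syslog.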