wazuh-logcollector not reading a custom file


Atul Chadha

Nov 9, 2022, 4:37:05 AM11/9/22
to Wazuh mailing list
I have created a custom script to check if newer kernel version is available from our patching system and want to inform our monitoring team of those.

I am writing the below line in a log file

ossec: output: Newer kernel version available 3.10.0-1160.71.1.el7 , current version is 3.10.0-1160.53.1.el7"

Everything works great except for the fact that the logcollector is not reading the changes. I am assuming the logcollector reads the configured log files for last-line changes and reports the same.

2022/11/09 04:23:26 wazuh-logcollector[22017] logcollector.c:1256 at set_read(): DEBUG: Socket target for '/var/log/wazuh-kernel-check' -> agent
2022/11/09 04:23:26 wazuh-logcollector[22017] logcollector.c:379 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/log/wazuh-kernel-check'.
2022/11/09 04:26:22 wazuh-logcollector[22572] logcollector.c:1256 at set_read(): DEBUG: Socket target for '/var/log/wazuh-kernel-check' -> agent
2022/11/09 04:26:22 wazuh-logcollector[22572] logcollector.c:379 at LogCollectorStart(): INFO: (1950): Analyzing file: '/var/log/wazuh-kernel-check'.

The file has permissions and I am not able to understand why it would not report the changes. Alerts are triggered with all variables I need if I do /var/ossec/bin/wazuh-logtest on the Wazuh master.

Any idea what may be wrong?

Wazuh is running on
wazuh-manager-4.3.6-1.x86_64

Andres Micalizzi

Nov 9, 2022, 6:44:44 AM11/9/22
to Wazuh mailing list
Hi Atulchadha,

logcollector seems to be detecting the changes, hence the "Analyzing '/var/log/wazuh-kernel-check'" messages, but is not reading any lines. I would try to put logcollector in debug mode, to make sure it is reading the logs. When it reads a line and tries to decode it, you get something like this:

2022/11/07 20:30:09 wazuh-logcollector[6874] read_syslog.c:104 at read_syslog(): DEBUG: Reading syslog message: 'Feb 14 12:19:04 localhost sshd[25474]:'
2022/11/07 20:30:09 wazuh-logcollector[6874] read_syslog.c:150 at read_syslog(): DEBUG: Read 1 lines from /test.log


You can put logcollector in debug mode by adding logcollector.debug=2 to /var/ossec/etc/local_internal_options.conf.

A possible cause is that you have a new empty line at the end of your logfile when you add the new logs; that causes logcollector to not detect lines properly.

What method are you using to insert the logs? I would try with an empty logfile, restart the manager and use:

echo log-message >> file-path

This way it adds it to the end of the file in a new line, with no new empty lines in the end. If this works, you may need to check how you are injecting the logs.

I hope this helps you resolve your question. In case of any further doubt do not hesitate to ask.
Cheers,
Andrés
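As an added example (not code from this thread, from Wazuh, or from the original poster's script), here is a POSIX sh fragment a custom check script could use to append its "ossec: output:" line the way Andrés describes, one newline-terminated line at a time, plus a check that detects the trailing empty line he suspects and a helper that removes it. The log path /var/log/wazuh-kernel-check and the kernel versions come from the thread; the temporary file used in the demo is constructed here so nothing under /var/log is touched. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Wazuh: append one log line per run
# and verify the file does not end with a blank line that logcollector would
# choke on. Paths and versions from the thread; temp file is constructed.

# Build the message in the same format the original poster writes.
kernel_message() {
    # $1 = newer version available, $2 = currently running version
    printf 'ossec: output: Newer kernel version available %s , current version is %s' "$1" "$2"
}

# Append exactly one newline-terminated line (same effect as `echo msg >> file`).
# printf avoids echo's portability issues with backslashes and -n.
append_log_line() {
    # $1 = log file, $2 = message
    printf '%s\n' "$2" >> "$1"
}

# Print the last line of the file (what logcollector would pick up next).
last_line() {
    tail -n 1 "$1"
}

# Succeed if a non-empty file ends with an empty line, i.e. in "\n\n".
# Command substitution strips trailing newlines, so an empty result from
# tail means the final line carried no text.
has_trailing_blank_line() {
    [ -s "$1" ] || return 1
    [ -z "$(last_line "$1")" ]
}

# Rewrite the file so it ends with exactly one newline and no blank lines:
# "$(cat file)" drops every trailing newline, printf adds one back.
strip_trailing_blank_lines() {
    [ -s "$1" ] || return 0
    printf '%s\n' "$(cat "$1")" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of lines logcollector should see (trailing spaces from wc removed).
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Demo against a temporary file; LOG_FILE shows the real path from the thread.
LOG_FILE="${LOG_FILE:-/var/log/wazuh-kernel-check}"
demo() {
    f=$(mktemp)
    append_log_line "$f" "$(kernel_message 3.10.0-1160.71.1.el7 3.10.0-1160.53.1.el7)"
    printf '\n' >> "$f"   # simulate a script that adds a blank line after the message
    has_trailing_blank_line "$f" && echo "blank trailing line detected: $(count_lines "$f") lines"
    strip_trailing_blank_lines "$f"
    echo "after fix: $(count_lines "$f") line(s), last: $(last_line "$f")"
    echo "(real script would call: append_log_line $LOG_FILE \"\$(kernel_message NEW CUR)\")"
    rm -f "$f"
}
demo
```

Running the block as-is exercises the temp file only; in the real script, call append_log_line with /var/log/wazuh-kernel-check and run has_trailing_blank_line on it before restarting the agent to confirm the file ends cleanly.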

Atul Chadha

Nov 9, 2022, 12:04:45 PM11/9/22
to Wazuh mailing list
You are right, something is wrong with the log file. I am debugging it further, appreciate your prompt response!