Wazuh agent not reading new iis logs

Domagoj Batinic
Jan 9, 2023, 4:50:50 AM
to Wazuh mailing list
Hello Wazuh team,

I have a question regarding reading IIS logs.
My agent.conf for IIS is:

<localfile>
<log_format>iis</log_format>
<location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
<age>1d</age>
</localfile>

And this works OK for the current day, but there is a problem when u_ex rotates into a new day:
Wazuh tries to read the new log around midnight, but the Windows server creates u_ex around 01:00 AM.

So I get this error:

2023/01/07 00:01:33 wazuh-agent: INFO: (1904): File not available, ignoring it: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex230107.log'.

This log file u_ex230107 is created at 01:00 AM.

In the morning when I restart Wazuh agent, it reads u_ex230107 without any problem.

I have tried forcing a log reread on the manager, but it does not work.

# Force file handler reloading: close and reopen monitored files
# 0: Disabled
# 1: Enabled
logcollector.force_reload=1

# File reloading interval, in seconds, if force_reload=1 [1..86400]
# This interval must be greater or equal than vcheck_files.
logcollector.reload_interval=3600



Can you please advise how to read new IIS log files?

Regards

Domagoj
--

Domagoj Batinic
Jan 9, 2023, 5:00:07 AM
to Wazuh mailing list
P.S.

This issue is like the already reported issue https://groups.google.com/g/wazuh/c/fCZ2yMM1ciU

Regards.

Domagoj

Miguel Verdaguer Velazquez
Jan 9, 2023, 8:27:49 AM
to Wazuh mailing list
Hi Domagoj,
Thanks for using Wazuh.

As seen in the other thread you mentioned, those options are not going to help you, as they force the reload of monitored files. The option that probably helps you is `logcollector.open_attempts`. As seen in the documentation, when setting it to 0, the number of times the logcollector tries to open a file is infinite: it will continue until the file exists.

Regards,
Miguel Verdaguer

Domagoj Batinic
Jan 11, 2023, 7:26:04 AM
to Wazuh mailing list

Hello Miguel,

Thank you for your help.

I have set the parameter

logcollector.open_attempts = 0

I will report back tomorrow if this helps.


Regards.


Domagoj

Domagoj Batinic
Jan 13, 2023, 2:48:19 AM
to Wazuh mailing list
Hello Miguel,

So these are my tests with option

logcollector.open_attempts = 0

1. If I set option

logcollector.open_attempts = 0

with localfile configuration:

<localfile>
    <log_format>iis</log_format>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex23*</location>
    <age>1d</age>
</localfile>

The IIS logs for the new day are being collected and everything works as expected.



2. If I set option

logcollector.open_attempts = 0

with localfile configuration:

<localfile>
    <log_format>iis</log_format>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
    <age>1d</age>
</localfile>

The agent does not read an IIS log for the new day.
Here is the log from the agent:

full_log
2023/01/13 00:09:30 wazuh-agent: INFO: (1904): File not available, ignoring it: 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex230113.log'.

This is the last check for the new IIS log u_ex230113.log.

Regards.

Domagoj
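
The two <location> styles compared in the test above, modelled in a small Python script. This is an added example, not Wazuh's logcollector code and not something from the thread; it assumes that a location containing strftime codes is expanded with the current clock time, that a wildcard location is matched as a glob, and that <age> drops files whose modification time is older than the interval. It deliberately does not model open_attempts or the retry loop. The directory listing, file names and timestamps are constructed to mirror the rollover described in the thread (the new day's file appearing at 01:00).

```python
"""Model of how a <location> pattern resolves to files at a given clock time.
Added illustration only (assumptions above); not Wazuh's logcollector source."""
import fnmatch
from datetime import datetime, timedelta

# Two clock times from the thread: the 00:09 check that found nothing,
# and a check shortly after IIS has created the day's file at 01:00.
BEFORE_CREATION = datetime(2023, 1, 13, 0, 9)
AFTER_CREATION = datetime(2023, 1, 13, 1, 5)

DATE_PATTERN = "u_ex%y%m%d.log"   # strftime-style location, basename only
GLOB_PATTERN = "u_ex23*"          # wildcard location, basename only


def parse_age(age):
    """Convert an <age> value such as '1d', '12h', '30m' or '45s' to a timedelta."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[age[-1]]: int(age[:-1])})


def iis_listing(now):
    """Constructed directory listing (name -> mtime) as it looks at time `now`.

    The new day's file only exists once IIS has written it at 01:00, which is
    the timing the thread reports.
    """
    listing = {
        "u_ex230101.log": datetime(2023, 1, 1, 23, 59),   # old, outside <age>1d
        "u_ex230112.log": datetime(2023, 1, 12, 23, 59),  # yesterday's file
    }
    if now >= datetime(2023, 1, 13, 1, 0):
        listing["u_ex230113.log"] = datetime(2023, 1, 13, 1, 0)
    return listing


def select_files(location, files, now, age=None):
    """Return the sorted file names `location` resolves to at time `now`.

    A location containing '%' is expanded once with strftime for `now` and
    matches only if that exact name exists; anything else is treated as a
    glob. If `age` is given, files modified longer ago than that are dropped.
    """
    if "%" in location:
        wanted = now.strftime(location)
        matches = [wanted] if wanted in files else []
    else:
        matches = sorted(n for n in files if fnmatch.fnmatchcase(n, location))
    if age is not None:
        max_age = parse_age(age)
        matches = [n for n in matches if now - files[n] <= max_age]
    return matches


def rollover_report(age="1d"):
    """Evaluate both location styles before and after the 01:00 file creation."""
    report = {}
    for label, now in (("00:09", BEFORE_CREATION), ("01:05", AFTER_CREATION)):
        files = iis_listing(now)
        report["date_pattern@" + label] = select_files(DATE_PATTERN, files, now, age)
        report["glob@" + label] = select_files(GLOB_PATTERN, files, now, age)
    return report


if __name__ == "__main__":
    for key, names in rollover_report().items():
        print(key, names)
```

At 00:09 the date pattern expands to u_ex230113.log, which does not exist yet, so nothing is selected; the glob still returns yesterday's file and picks up the new one as soon as it exists, while <age>1d keeps the January 1 file out of both selections.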

Miguel Verdaguer
Jan 13, 2023, 10:59:03 AM
to wa...@googlegroups.com

Hi Domagoj,

Using the given option in the agent's /var/ossec/etc/internal_options.conf, it should eventually analyse the file, but every time it tries until it exists, an error will show, telling you it has looked for it but hasn't found it. This error is expected, as the file doesn't exist yet; you can see the log is from 00:09 and the file is expected to be created at 01:00.

To test that it is found at some point, change option logcollector.debug to value 2 (no message will be shown when it is found, but there will be a message for every time it has looked previously). If it doesn't work, you could also set logcollector.open_attempts=100, or even bigger, and it will retry to open the file 100 times, once every 64 seconds, which you can change with option logcollector.vcheck_files.

Best regards,

Miguel

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a3dec32e-da03-48bd-ae23-3ffc5f5c1e8cn%40googlegroups.com.

Domagoj Batinic
Jan 16, 2023, 3:11:49 AM
to Miguel Verdaguer, wa...@googlegroups.com
Hello Miguel,

Thank you...
I will test and report back.

Regards.

Domagoj
