Agent Label for every IIS Log path


Ömer Ünlü

Dec 2, 2021, 11:55:49 AM
to Wazuh mailing list

Hello Team,

I have tried to set labels with the centralized configuration on some agents. My target is that I want to get specific labels for every IIS log path. Unfortunately, as I read in the documentation, this only works with .json logs. Is there no way to attach the labels to any IIS logs?

My agent.conf:

<agent_config>
  <localfile>
    <location>D:\logs\http\W3SVC3\*.log</location>
    <log_format>iis</log_format>
    <label key="source.product">customer_ch_cms</label>
    <label key="source.label">customer</label>
    <label key="source.environment">prod</label>
    <label key="source.type">cms</label>
    <label key="source.subtype">cms</label>
    <label key="source.name">customer_cms</label>
  </localfile>
  <localfile>
    <location>D:\logs\http\W3SVC2\*.log</location>
    <log_format>iis</log_format>
    <label key="source.product">customer_ch_web</label>
    <label key="source.label">customer</label>
    <label key="source.environment">prod</label>
    <label key="source.type">web</label>
    <label key="source.subtype">website</label>
    <label key="source.name">customer_web</label>
  </localfile>
</agent_config>

I would like to mention again that I do not want the labels to be global on the agent,
but that on the agent each included path gets specific labels.

Best regards and Thank you!!



Matias Ezequiel Moreno

Dec 3, 2021, 11:57:37 AM
to Wazuh mailing list
Hi, thanks for using Wazuh,
In order to help you, let me ask the team about your issue.
Thanks for your patience, I will answer you as fast as possible.
 
Best Regards

Matias Ezequiel Moreno

Dec 6, 2021, 2:20:52 PM
to Wazuh mailing list
Hi, sorry for the delay,
I was discussing your case with the rest of the team and currently, as you correctly mentioned, the functionality of adding <label> is only active for JSON format logs.
At the moment there are no developments in progress so that this functionality can be understood for the rest of the log formats.
A possible solution, but perhaps a bit complicated to do, would be to use out_format.
Maybe that way you could modify the log, but you will have to verify decoders and rules, in addition to having to create new decoders so that they can extract this new information.
Perhaps in the future that functionality may be added to support different types of logs.

Sorry for the inconvenience.
Best regards.
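
A sketch of the out_format approach suggested in the reply above, added here as an illustration and not taken from the thread or from Wazuh's shipped configuration. The `iis_src=` prefix, the tag values and the decoder names are constructed, and it is an assumption that out_format is applied to iis-format files the same way as to other Logcollector inputs, so check a prefixed sample line with wazuh-logtest. As the reply says, existing IIS decoders and rules have to be re-verified against the modified line.

```xml
<!-- Agent side (shared agent.conf): prefix every line with a per-path tag.
     "iis_src=" and the tag values are constructed for this example. -->
<agent_config>
  <localfile>
    <location>D:\logs\http\W3SVC3\*.log</location>
    <log_format>iis</log_format>
    <out_format>iis_src=customer_cms $(log)</out_format>
  </localfile>
  <localfile>
    <location>D:\logs\http\W3SVC2\*.log</location>
    <log_format>iis</log_format>
    <out_format>iis_src=customer_web $(log)</out_format>
  </localfile>
</agent_config>

<!-- Manager side (custom decoder file, e.g. local_decoder.xml).
     Decoder names are hypothetical. The parent matches only lines that
     carry the constructed prefix followed by a W3C date and time. -->
<decoder name="iis-tagged">
  <prematch>^iis_src=\S+ \d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
</decoder>

<!-- Child decoder: extract the tag into a dynamic field so that rules
     and dashboards can filter per log path. The remaining IIS fields
     (URL, client IP, status) need further child decoders of their own. -->
<decoder name="iis-tagged-source">
  <parent>iis-tagged</parent>
  <regex>^iis_src=(\S+) </regex>
  <order>source.name</order>
</decoder>
```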