Analyze the contents of every CSV file in a specific folder when it is added and send logs to manager


Supragya Karki

Jul 24, 2021, 2:28:38 PM
to Wazuh mailing list
What I want is:

I have a folder, CSV, which is empty. Now, I want to analyze each '.csv' file being added to this folder: not file integrity monitoring, but analysis of the whole contents of the file.
In short, I want to send the contents of every CSV file that is added to the CSV folder as logs to the Wazuh manager.
This is my current configuration, but this only parses the logs to the manager whenever any modification occurs inside any CSV file in that folder. I want all the logs of the file parsed to the Wazuh manager whenever the file gets added to the folder.
<localfile>
  <log_format>syslog</log_format>
  <location>/my/path/*.csv</location>
</localfile>

Please help me with this.
(I am well aware that I might have to write decoders and rules, or that a JSON value can work for that. I will figure it out once I get an idea for this.)

Jose Antonio Izquierdo

Jul 25, 2021, 10:55:41 AM
to Wazuh mailing list
Hi,

Logcollector will work only with new lines in any file inside the desired folder.

If you copy or move a file like "file1.csv" to that folder, it will be monitored by Wazuh's logcollector for new lines, but it won't read previously existing lines.
Instead of that, you can manage this by injecting new files into that folder instead of copying or moving them in, something like "cat file1.csv >> /my/path/file1.csv", or make your source service write CSV lines directly to files in that folder.

Ping here if you need help with that.

Thanks

Supragya Karki

Jul 27, 2021, 3:43:09 AM
to Wazuh mailing list
Hey!
Thank you for such a quick response. I understand. I have some queries regarding this:

1. Can we convert the CSV file into JSON format so that it can be parsed by Wazuh without missing anything from the CSV file?
2. (The actual reason behind this topic) Is it possible to parse the CSV file generated by Nessus, directly or indirectly, into Wazuh? I want to send the contents of that CSV file to Wazuh so that it can decode it, check for certain rules, and finally visualize it via a Kibana dashboard.

Waiting for the response so eagerly!
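One way to put the earlier reply's "append, don't copy" advice together with the CSV-to-JSON question above, as an added example that is not part of the original thread and is not Wazuh's own code: read a CSV that lands in an incoming directory, turn every row into one JSON object, and append those objects as single lines to a file in the folder that logcollector watches. The Nessus-style column names, the file paths, the sample rows (including the placeholder CVE) and the function names are all assumptions made for the example.

```python
import csv
import io
import json
import os
import tempfile

# Constructed sample input (not from the thread): a Nessus-style CSV export.
# The column names are an assumption about the export format. The first data
# row has a quoted "Plugin Output" value that spans two physical lines, which
# is exactly the case that confuses a line-oriented collector reading raw CSV.
# CVE-0000-0000 is a placeholder, not a real identifier.
SAMPLE_CSV = (
    "Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Plugin Output\n"
    "10001,,5.0,Medium,10.0.0.5,tcp,22,Example finding,\"first line of output\n"
    "second line of output\"\n"
    "10002,CVE-0000-0000,7.5,High,10.0.0.6,tcp,443,Another finding,single line\n"
)


def csv_rows_to_events(csv_text, source_file):
    """Parse CSV text and return one flat dict per data row.

    csv.DictReader honours quoting, so a field containing a newline stays
    inside its row instead of being split into two broken log entries.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    events = []
    for row_number, row in enumerate(reader, start=1):
        # Normalise header names into predictable JSON keys ("Plugin ID" ->
        # "plugin_id") so decoder field names on the manager side are stable.
        fields = {
            key.strip().lower().replace(" ", "_"): (value or "").strip()
            for key, value in row.items()
            if key is not None  # DictReader puts surplus columns under None
        }
        fields["source_file"] = os.path.basename(source_file)
        fields["row"] = row_number
        events.append(fields)
    return events


def events_to_json_lines(events):
    """Serialise events as newline-delimited JSON, one event per line.

    json.dumps escapes embedded newlines as \\n, so every event occupies a
    single physical line, which is what a line-oriented collector expects.
    """
    return "".join(json.dumps(event, ensure_ascii=False) + "\n" for event in events)


def append_csv_as_json(csv_path, out_path):
    """Convert one dropped CSV file and append its rows, as JSON lines, to a
    file under the monitored folder. Appending (rather than copying the CSV in)
    is what makes the rows show up as *new* lines to logcollector.
    Returns the number of events written.
    """
    with open(csv_path, newline="", encoding="utf-8") as fh:
        events = csv_rows_to_events(fh.read(), csv_path)
    with open(out_path, "a", encoding="utf-8") as out:
        out.write(events_to_json_lines(events))
    return len(events)


def demo_roundtrip():
    """Write the sample CSV to a scratch directory, append it to a monitored
    JSON file, and return (events written, physical lines in the output file).
    """
    with tempfile.TemporaryDirectory() as tmp:
        csv_path = os.path.join(tmp, "scan.csv")        # hypothetical dropped file
        out_path = os.path.join(tmp, "nessus.json")     # hypothetical monitored file
        with open(csv_path, "w", encoding="utf-8", newline="") as fh:
            fh.write(SAMPLE_CSV)
        written = append_csv_as_json(csv_path, out_path)
        with open(out_path, encoding="utf-8") as fh:
            line_count = sum(1 for _ in fh)
    return written, line_count


if __name__ == "__main__":
    print(demo_roundtrip())
    for line in events_to_json_lines(csv_rows_to_events(SAMPLE_CSV, "scan.csv")).splitlines():
        print(line)
```

On a real export you would call something like append_csv_as_json("/incoming/scan.csv", "/my/path/nessus.json") from whatever delivers the file, and point the localfile block at /my/path/*.json with log_format set to json rather than syslog. The multi-line quoted field in the sample is the reason for converting to one JSON object per row instead of appending the raw CSV: appended as-is, the collector would treat "second line of output" as a log entry of its own with no header context.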

Supragya Karki

Aug 1, 2021, 8:08:19 AM
to Wazuh mailing list
Waiting for the response, Sir!
