Adding prefix for the Logs

[Mithun Haridas]

Hello team,

Is it possible to add a prefix for logs receiving from a particular path in Wazuh version 4.3.11.

Regards

[Bony V John]

Hi,

Please let me know how you are forwarding the logs and share more details about the process.

If you are forwarding the logs using the localfile monitoring capability in Wazuh, you can add a prefix to logs received from a specific path in Wazuh version 4.3.11.

To add a prefix, use the <label> tag while configuring localfile monitoring in the agent's /var/ossec/etc/ossec.conf file, as shown below:

<localfile>
  <location>/var/log/myapp/log.json</location>
  <log_format>json</log_format>
  <label key="@source">myapp</label>
  <label key="agent.type">webserver</label>
</localfile>

After adding the label tag, restart the Wazuh agent service using the following command:

systemctl restart wazuh-agent

You can refer to the Wazuh local configuration documentation for more details.

[Mithun Haridas]

Hi Bony,

I need to collect logs from multiple path of single agent.....trying to configure it via agent grouping from manager side ....is it possible to collect as syslog with customised format by placing <out_format>Agent123_custom : $(log)</out_format>

Thanks in advance

[Mithun Haridas]

Hi team,

Is there any update regarding this?

[Bony V John]

Hi,

Yes, it is possible to store syslog-format logs in a customized format using the <out_format> tag. This tag allows you to define how a log message should appear by using field substitution, pulling data like timestamp, hostname, log content, etc., and arranging it in a structured format.

You can refer to the Wazuh localfile configuration documentation for the configuration details and to check the available parameters.