0

I am using NGINX in my setup, and Wazuh for IDS.

I want to check all NGINX logs (access/error) in Wazuh/Kibana, but I am unable to do so.

All the logs are forwarded to /var/ossec/logs/archives/archives.log, and they are not visible in Wazuh/Kibana.

Do I have to make any changes to the rules?

MGP
Sulaiman
  • This has been resolved. Used the below commands to add custom logs:
    /var/ossec/bin/util.sh addfile /var/log/rootsh/rootsh.log
    /var/ossec/bin/util.sh addfile /var/log/nginx/access.log
    – Sulaiman Jul 13 '18 at 12:04

3 Answers

1

You will only be able to see logs which break a rule. Those alerts can be found in /var/ossec/logs/alerts. In /var/ossec/logs/archive you can find all the logs, even if they didn't break any rule. By default, Logstash will only send logs in the alerts folder.

iamvishnuks
1

As Vishnu ks said, Kibana will only show you logs when they break a rule. If you want to see every log you can open the archives.log file; you can find it here:

/var/ossec/logs/archives/archives.log

Nevertheless, by default Wazuh won't put a single log there, because you have to enable it in the ossec.conf file. You can configure this easily by doing:

vi /var/ossec/etc/ossec.conf

There, find the global section and change logall's value to yes.

<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
    <logall_json>no</logall_json>
</global>

Now, restart the wazuh-manager by calling:

systemctl restart wazuh-manager

And finally you will be able to see every log inside the archives.log file.

Hope it helps.
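Putting the two pieces of this thread together (the logall change in this answer and the util.sh addfile step from the question's comment), here is an added script that applies the same edit to an ossec.conf text in a checked, idempotent way. It is example code written for this thread, not Wazuh project code. The `<localfile>`, `<log_format>` and `<location>` elements are Wazuh's standard log-collector settings; SAMPLE_CONF is a constructed, abbreviated config so the script runs offline, and the second top-level `<ossec_config>` block in it mimics what util.sh addfile appends, which is why the parser wraps the file in a synthetic root instead of treating it as one XML document.

```python
"""Enable <logall> and register the NGINX logs in a Wazuh manager's ossec.conf.

Added example for this thread (not Wazuh project code). SAMPLE_CONF is a
constructed fragment; on a real manager read /var/ossec/etc/ossec.conf instead.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a stock-looking block, plus a second top-level
# <ossec_config> block of the kind `util.sh addfile` appends.
SAMPLE_CONF = """<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
  </global>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<!-- util.sh addfile appends another top-level block like this one -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/rootsh/rootsh.log</location>
  </localfile>
</ossec_config>
"""

# NGINX writes one line per event, so the generic syslog collector format applies.
NGINX_LOGS = {
    "/var/log/nginx/access.log": "syslog",
    "/var/log/nginx/error.log": "syslog",
}


def _parse(conf_text):
    """ossec.conf may hold several top-level <ossec_config> blocks, so it is not
    one well-formed XML document; wrap it in a synthetic root before parsing."""
    return ET.fromstring("<wrapper>" + conf_text + "</wrapper>")


def _dump(wrapper):
    """Serialise the blocks back out without the synthetic root."""
    parts = []
    for block in wrapper:
        if hasattr(ET, "indent"):          # Python 3.9+: tidy indentation
            ET.indent(block, space="  ")
        parts.append(ET.tostring(block, encoding="unicode").strip())
    return "\n".join(parts) + "\n"


def logall_enabled(conf_text):
    """True if any <logall> element is set to yes."""
    wrapper = _parse(conf_text)
    return any((node.text or "").strip().lower() == "yes"
               for node in wrapper.iter("logall"))


def enable_logall(conf_text):
    """Set <global><logall>yes</logall>, creating the elements if absent."""
    wrapper = _parse(conf_text)
    if len(wrapper) == 0:
        ET.SubElement(wrapper, "ossec_config")
    glob = wrapper.find("ossec_config/global")
    if glob is None:
        glob = ET.SubElement(wrapper[0], "global")
    node = glob.find("logall")
    if node is None:
        node = ET.SubElement(glob, "logall")
    node.text = "yes"
    return _dump(wrapper)


def monitored_locations(conf_text):
    """Every <localfile><location> already configured, across all blocks."""
    wrapper = _parse(conf_text)
    return [loc.text.strip()
            for loc in wrapper.findall("ossec_config/localfile/location")
            if loc.text]


def add_localfile(conf_text, location, log_format="syslog"):
    """Append a <localfile> for `location` unless one exists already, so
    re-running the script never duplicates a collector entry."""
    if location in monitored_locations(conf_text):
        return conf_text
    wrapper = _parse(conf_text)
    localfile = ET.SubElement(wrapper[0], "localfile")
    ET.SubElement(localfile, "log_format").text = log_format
    ET.SubElement(localfile, "location").text = location
    return _dump(wrapper)


def configure_nginx(conf_text):
    """The full change from this thread: logall on, both NGINX logs collected."""
    conf_text = enable_logall(conf_text)
    for path, fmt in NGINX_LOGS.items():
        conf_text = add_localfile(conf_text, path, fmt)
    return conf_text


if __name__ == "__main__":
    # On a real manager: write the result back to /var/ossec/etc/ossec.conf,
    # then `systemctl restart wazuh-manager` and watch archives.log fill up.
    print(configure_nginx(SAMPLE_CONF))
```

Running it twice on the same file yields the same output, and the location list lets you confirm the NGINX paths are present before restarting the manager; the ossec-logtest tool mentioned in the answer below this one is the next check, showing whether a sample NGINX line actually matches a decoder and rule once it is being collected.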

0

To see the logs in Kibana, your log must hit rules and must generate an alert. If your log does not hit the ruleset, then it will not be shown in the Kibana dashboard.

You can simply check and make sure of your log file and decoder-rule position by using the ossec-logtest function. https://documentation.wazuh.com/3.13/user-manual/reference/tools/ossec-logtest.html

stoksoz