Add ignore and restrict options to localfile configuration #4628

Closed
chemamartinez opened this issue Sep 29, 2022 · 1 comment · Fixed by #5203, #5223 or #5224

chemamartinez commented Sep 29, 2022

Hi team,

As part of wazuh/wazuh#5628 new options have been added to the Logcollector configuration in order to be able to ignore and restrict specific log entries.

The added options are:

  • ignore
  • restrict

In the configuration they are defined as follows:

  <localfile>
    <log_format>json</log_format>
    <location>/testignore.log</location>
    <ignore type="pcre2">regex_value</ignore>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/testrestrict.log</location>
    <restrict type="osregex">regex_value</restrict>
  </localfile>

Every tag includes a value and a type. Also, more than one tag can be added to the same localfile.

When requesting the active configuration, new options are defined as follows:

  • For the following configuration:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/file.log</location>
    <ignore type="pcre2">value1</ignore>
    <ignore type="osmatch">vale2</ignore>
    <restrict type="osregex">value3</restrict>
  </localfile>
  • API output:
# curl -k -X GET "https://localhost:55000/manager/configuration/logcollector/localfile?pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "localfile": [
               {
                  "file": "/var/log/file.log",
                  "logformat": "syslog",
                  "ignore_binaries": "no",
                  "only-future-events": "yes",
                  "target": [
                     "agent"
                  ],
                  "ignore": [
                     {
                        "value": "value1",
                        "type": "pcre2"
                     },
                     {
                        "value": "vale2",
                        "type": "osmatch"
                     }
                  ],
                  "restrict": [
                     {
                        "value": "value3",
                        "type": "osregex"
                     }
                  ]
               }
            ]
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "Active configuration was successfully read",
   "error": 0
}

Best regards,
Chema.
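
An added example, not part of the original issue or of the Wazuh project's code: a Python audit that walks the API response shape shown above and reports every ignore/restrict filter that is missing from an approved baseline, because these filters decide which log entries Logcollector keeps. The baseline, the function names and the accepted type set (the three types that appear in this issue) are assumptions.

```python
import json

# Types that appear in this issue's examples; assumed here to be the accepted set.
KNOWN_TYPES = {"pcre2", "osmatch", "osregex"}


def extract_filters(response):
    """Flatten every ignore/restrict entry into (file, kind, type, value) tuples."""
    found = set()
    for item in response.get("data", {}).get("affected_items", []):
        for lf in item.get("localfile", []):
            for kind in ("ignore", "restrict"):
                for rule in lf.get(kind, []):
                    found.add((lf.get("file"), kind,
                               rule.get("type"), rule.get("value")))
    return found


def audit(response, approved):
    """Return (entry, reason) for filters with an unexpected type or not in the baseline."""
    findings = []
    for entry in sorted(extract_filters(response), key=repr):
        if entry[2] not in KNOWN_TYPES:
            findings.append((entry, "unexpected type"))
        elif entry not in approved:
            findings.append((entry, "not in baseline"))
    return findings


# Constructed sample: the API output from the issue, reduced to the keys used here.
SAMPLE = json.loads("""
{"data": {"affected_items": [{"localfile": [{
    "file": "/var/log/file.log", "logformat": "syslog",
    "ignore": [{"value": "value1", "type": "pcre2"},
               {"value": "vale2", "type": "osmatch"}],
    "restrict": [{"value": "value3", "type": "osregex"}]}]}]},
 "error": 0}
""")

# Hypothetical approved baseline: the osmatch ignore rule was never reviewed.
APPROVED = {
    ("/var/log/file.log", "ignore", "pcre2", "value1"),
    ("/var/log/file.log", "restrict", "osregex", "value3"),
}

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE, APPROVED):
        print(f"{reason}: {entry}")
```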

@chemamartinez chemamartinez added the type/enhancement Enhancement issue label Sep 29, 2022
@snaow snaow added this to the Release 4.5.0 milestone Nov 16, 2022
@snaow snaow removed this from the Release 4.5.0 milestone Dec 21, 2022
@yenienserrano yenienserrano linked a pull request Feb 9, 2023 that will close this issue
@yenienserrano

Solve: #5203
