Threat Hunting - Log Data Analysis


Log Data Collection

Log data collection is the process of gathering and consolidating logs from various sources within a network. This process is essential for organizations to maintain visibility into their IT infrastructure, ensure security, and meet compliance requirements.

Configuration for monitoring log files

You can use a local configuration file on the Argus agent or Argus server to monitor log files. There is also a centralized configuration file on the Argus server to monitor log files across multiple endpoints. These two configuration options for monitoring log files are explained below.

Local configuration: The ossec.conf file is the main configuration file on the Argus server and the Argus agent. The Argus agent collects logs from monitored endpoints and forwards these logs to the Argus server for analysis. You can configure the Argus agent ossec.conf file to collect logs from specific log files on a monitored endpoint. The table below shows the location of the ossec.conf file on different operating systems.

Operating system     Location of the ossec.conf file
Windows              C:\Program Files (x86)\ossec-agent\ossec.conf
Linux/Unix           /var/ossec/etc/ossec.conf
macOS                /Library/Ossec/etc/ossec.conf

Centralized configuration: The agent.conf file on the Argus server enables centralized distribution of configuration settings to multiple monitored endpoints in the same operating system or group. For example, you can configure the agent.conf file to distribute configuration settings to all monitored Windows endpoints. Configuration settings in the agent.conf file take precedence over the settings in the ossec.conf file.

Monitoring basic log files

You can configure the Argus agent ossec.conf file on Windows, Linux, and macOS endpoints to monitor basic log files.

For example, perform the following steps to monitor the file file.log.

  1. Add the following settings in between the <ossec_config> tags of the Argus agent configuration file:
     • Linux: /var/ossec/etc/ossec.conf
     • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
     • macOS: /Library/Ossec/etc/ossec.conf

<localfile>
  <location>/<FILE_PATH>/file.log</location>
  <log_format>syslog</log_format>
</localfile>

Where:

  • location is the full path of the monitored file.
  • log_format is the format of the log.

  2. Restart the Argus agent with administrator privileges to apply the configuration change:
     • Linux: systemctl restart Argus-agent
     • Windows (PowerShell): Restart-Service -Name Argus
     • macOS: /Library/Ossec/bin/Argus-control restart

Monitoring date-based log files

You can configure Argus to monitor log files whose names change with the date. The location value uses strftime format specifiers to stand in for the day, month, year, and other date components of the file name, so the agent follows the current day's file automatically. Perform the following steps to monitor the date-based log file file-24-06-15.log.

  1. Add the following settings in between the <ossec_config> tags of the Argus agent configuration file:
     • Linux: /var/ossec/etc/ossec.conf
     • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
     • macOS: /Library/Ossec/etc/ossec.conf

<localfile>
  <location>/<FILE_PATH>/file-%y-%m-%d.log</location>
  <log_format>syslog</log_format>
</localfile>

In the file name file-24-06-15.log, 24 is the last two digits of the year (%y), 06 is the month (%m), and 15 is the day (%d).

  2. Restart the Argus agent with administrator privileges to apply the configuration change:
     • Linux: systemctl restart Argus-agent
     • Windows (PowerShell): Restart-Service -Name Argus
     • macOS: /Library/Ossec/bin/Argus-control restart

Monitoring log files using wildcard patterns

Argus offers support for wildcard patterns when monitoring log files, allowing for flexible file selection. For example, you can monitor all files ending with .log within a monitored endpoint’s directory. Perform the following steps to monitor every log file that starts with file and ends with .log in a directory of a monitored endpoint.

  1. Add the following settings in between the <ossec_config> tags of the Argus agent configuration file:
     • Linux: /var/ossec/etc/ossec.conf
     • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
     • macOS: /Library/Ossec/etc/ossec.conf

<localfile>
  <location>/<FILE_PATH>/file*.log</location>
  <log_format>syslog</log_format>
</localfile>

  2. Restart the Argus agent with administrator privileges to apply the configuration change:
     • Linux: systemctl restart Argus-agent
     • Windows (PowerShell): Restart-Service -Name Argus
     • macOS: /Library/Ossec/bin/Argus-control restart
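As an added illustration (example code, not from this page or the Argus project), the following Python models how the three kinds of location value shown above select files on an endpoint: a plain path, a strftime date pattern, and a wildcard pattern. It assumes the agent expands strftime specifiers against the current date and then glob-matches the remainder; the directory listing and the year 2024 are constructed for the example, and the page does not spell out the agent's exact matching rules.

```python
import fnmatch
import re
from datetime import date

# Constructed directory listing standing in for /<FILE_PATH>/ on an endpoint.
# Only file-24-06-15.log appears on the page; the other names are made up.
SAMPLE_DIR = [
    "file.log",
    "file-24-06-15.log",
    "file-24-06-14.log",
    "file-access.log",
    "file-24-06-15.log.gz",
    "other.log",
]

# Assumed dates: the page gives only the two-digit year 24.
EXAMPLE_DAY = date(2024, 6, 15)
PREVIOUS_DAY = date(2024, 6, 14)


def expand_location(location: str, when: date) -> str:
    """Expand strftime specifiers (%y, %m, %d, ...) in a <location> value for
    the given day. A value without specifiers is returned unchanged."""
    return when.strftime(location)


def matching_files(location: str, listing: list[str], when: date) -> list[str]:
    """Entries of `listing` that a <location> value selects on day `when`:
    the date is expanded first, then any remaining wildcard is matched
    case-sensitively against the file name (model of the agent's behaviour)."""
    basename = expand_location(location, when).rsplit("/", 1)[-1]
    return [name for name in listing if fnmatch.fnmatchcase(name, basename)]


def stale_dated_files(location: str, listing: list[str], when: date) -> list[str]:
    """Files that fit the date pattern on some other day but not on `when`.
    This is the blind spot of date-based names: once the date rolls over, the
    previous day's file is no longer watched, so late writes to it are missed.
    Each %x specifier is replaced by '*' to build an any-day glob."""
    any_day = re.sub(r"%[a-zA-Z]", "*", location).rsplit("/", 1)[-1]
    current = set(matching_files(location, listing, when))
    return [n for n in listing
            if fnmatch.fnmatchcase(n, any_day) and n not in current]
```

Running stale_dated_files against a real directory each morning is a cheap way to confirm that a rotated file was fully ingested before the agent stopped following it.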

Configuring syslog on the Argus server

The Argus server can receive logs using the Syslog protocol from devices like firewalls, switches, routers, and others that don’t support installing Argus agents. Follow these steps on the Argus server to set up Syslog to listen for incoming messages on a specific port.

  1. Add the following configuration in between the <ossec_config> tags of the Argus server /var/ossec/etc/ossec.conf file to listen for syslog messages on TCP port 514:

<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>

Where:

  • <connection> specifies the type of connection to accept. This value can either be secure or syslog.
  • <port> is the port used to listen for incoming syslog messages from endpoints. We use port 514 in the example above.
  • <protocol> is the protocol used to listen for incoming syslog messages from endpoints. The allowed values are either tcp or udp.
  • <allowed-ips> is the IP address or network range of the endpoints forwarding events to the Argus server. In the example above, we use 192.168.2.15/24.
  • <local_ip> is the IP address of the Argus server listening for incoming log messages. In the example above, we use 192.168.2.10.

  2. Restart the Argus manager to apply the changes:

systemctl restart Argus-manager
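As an added check (example code, not from this page or the Argus project), this Python parses the <remote> block above, validates each value against the rules listed under Where, and answers the question to settle before opening a syslog port: which source addresses the listener will accept. Note that the page's allowed-ips value 192.168.2.15/24 is normalised to the network 192.168.2.0/24, so every host in that /24 is accepted, not only 192.168.2.15. It assumes <allowed-ips> may be repeated and that a syslog listener needs at least one entry.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The <remote> block from the page, embedded here as constructed test input.
REMOTE_XML = """<remote>
  <connection>syslog</connection>
  <port>514</port>
  <protocol>tcp</protocol>
  <allowed-ips>192.168.2.15/24</allowed-ips>
  <local_ip>192.168.2.10</local_ip>
</remote>"""


def parse_remote(xml_text: str) -> dict:
    """Parse one <remote> block and validate each field against the values the
    page documents; raises ValueError on the first problem found."""
    root = ET.fromstring(xml_text)
    if root.tag != "remote":
        raise ValueError("expected a <remote> element")

    def text(tag: str) -> str:
        return (root.findtext(tag) or "").strip()

    connection = text("connection")
    if connection not in ("secure", "syslog"):
        raise ValueError(f"<connection> must be secure or syslog, got {connection!r}")
    protocol = text("protocol").lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"<protocol> must be tcp or udp, got {protocol!r}")
    port = int(text("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"<port> out of range: {port}")
    # strict=False accepts a host address written with a prefix length, such as
    # 192.168.2.15/24, and normalises it to the network it lies in, 192.168.2.0/24.
    # Multiple <allowed-ips> elements are assumed to be allowed and are all kept.
    allowed = [ipaddress.ip_network(e.text.strip(), strict=False)
               for e in root.findall("allowed-ips") if e.text and e.text.strip()]
    if not allowed:  # assumed: a syslog listener needs at least one range
        raise ValueError("at least one <allowed-ips> entry is required")
    local_ip = ipaddress.ip_address(text("local_ip")) if text("local_ip") else None
    return {"connection": connection, "protocol": protocol, "port": port,
            "allowed_ips": allowed, "local_ip": local_ip}


def sender_allowed(cfg: dict, sender: str) -> bool:
    """True if a syslog sender's source address falls inside an allowed range.
    Use it to pre-check which devices will actually be able to forward logs."""
    addr = ipaddress.ip_address(sender)
    return any(addr in net for net in cfg["allowed_ips"])
```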
