Add ignore and restrict options to localfile configuration #1374

Open
@chemamartinez

Description

Hi team,

As part of wazuh/wazuh#5628 new options have been added to the Logcollector configuration in order to be able to ignore and restrict specific log entries.

The added options are:

  • ignore
  • restrict

In the configuration they are defined as follows:

  <localfile>
    <log_format>json</log_format>
    <location>/testignore.log</location>
    <ignore type="pcre2">regex_value</ignore>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/testrestrict.log</location>
    <restrict type="osregex">regex_value</restrict>
  </localfile>

Every tag includes a value and a type. Also, more than one tag can be added to the same localfile.

When requesting the active configuration, new options are defined as follows:

  • For the following configuration:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/file.log</location>
    <ignore type="pcre2">value1</ignore>
    <ignore type="osmatch">vale2</ignore>
    <restrict type="osregex">value3</restrict>
  </localfile>
  • API output:
# curl -k -X GET "https://localhost:55000/manager/configuration/logcollector/localfile?pretty=true" -H "Authorization: Bearer $TOKEN"
{
   "data": {
      "affected_items": [
         {
            "localfile": [
               {
                  "file": "/var/log/file.log",
                  "logformat": "syslog",
                  "ignore_binaries": "no",
                  "only-future-events": "yes",
                  "target": [
                     "agent"
                  ],
                  "ignore": [
                     {
                        "value": "value1",
                        "type": "pcre2"
                     },
                     {
                        "value": "vale2",
                        "type": "osmatch"
                     }
                  ],
                  "restrict": [
                     {
                        "value": "value3",
                        "type": "osregex"
                     }
                  ]
               }
            ]
         }
      ],
      "total_affected_items": 1,
      "total_failed_items": 0,
      "failed_items": []
   },
   "message": "Active configuration was successfully read",
   "error": 0
}

Best regards,
Chema.
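To make the semantics of the two new tags and the shape of the active-configuration response concrete, here is an added example that is not part of the issue or of Wazuh's own code. It parses a constructed `<localfile>` block, applies the `ignore`/`restrict` entries to a few constructed syslog lines, and checks that a response in the shape shown above reports the same entries. Assumptions: only `type="pcre2"` is emulated (with Python's `re`, which is close enough for simple patterns; `osregex` and `osmatch` use Wazuh's own syntax and are refused rather than guessed), a missing `type` attribute is treated as `pcre2`, a line must match every `restrict` pattern and none of the `ignore` patterns to be kept, and the function names are the example's own.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed configuration: same structure as in the issue, invented regex values.
SAMPLE_CONFIG = r"""<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/file.log</location>
    <ignore type="pcre2">DEBUG</ignore>
    <ignore type="pcre2">heartbeat</ignore>
    <restrict type="pcre2">sshd\[\d+\]</restrict>
  </localfile>
</ossec_config>"""

# Constructed log lines; not real data.
SAMPLE_LINES = [
    "Jan 10 10:00:01 host sshd[1201]: Accepted publickey for ops from 10.0.0.5",
    "Jan 10 10:00:02 host sshd[1201]: DEBUG channel 0: open",
    "Jan 10 10:00:03 host sshd[1300]: heartbeat ok",
    "Jan 10 10:00:04 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed response in the shape of the API output quoted in the issue.
SAMPLE_API_RESPONSE = json.dumps({
    "data": {
        "affected_items": [{"localfile": [{
            "file": "/var/log/file.log",
            "logformat": "syslog",
            "ignore": [{"value": "DEBUG", "type": "pcre2"},
                       {"value": "heartbeat", "type": "pcre2"}],
            "restrict": [{"value": "sshd\\[\\d+\\]", "type": "pcre2"}],
        }]}],
        "total_affected_items": 1, "total_failed_items": 0, "failed_items": [],
    },
    "message": "Active configuration was successfully read", "error": 0,
})


def parse_localfiles(xml_text):
    """Return one dict per <localfile>, using the field names the API uses."""
    root = ET.fromstring(xml_text)
    result = []
    for lf in root.iter("localfile"):
        entry = {"file": lf.findtext("location"),
                 "logformat": lf.findtext("log_format"),
                 "ignore": [], "restrict": []}
        for key in ("ignore", "restrict"):
            for tag in lf.findall(key):
                # Assumption: a missing type attribute means pcre2.
                entry[key].append({"value": tag.text, "type": tag.get("type", "pcre2")})
        result.append(entry)
    return result


def compile_pattern(entry):
    """Emulate pcre2 with Python's re; refuse osregex/osmatch instead of guessing."""
    if entry["type"] != "pcre2":
        raise NotImplementedError(f"type {entry['type']!r} is not emulated here")
    return re.compile(entry["value"])


def keep_line(localfile, line):
    """Assumed semantics: keep a line only if it matches every restrict
    pattern and none of the ignore patterns."""
    if any(not compile_pattern(r).search(line) for r in localfile["restrict"]):
        return False
    return not any(compile_pattern(i).search(line) for i in localfile["ignore"])


def filter_lines(localfile, lines):
    """Return the lines the agent would forward for this localfile."""
    return [ln for ln in lines if keep_line(localfile, ln)]


def api_matches_config(localfile, api_response_text):
    """True if the active-configuration response lists the same ignore and
    restrict entries (order-insensitive) as the parsed <localfile>."""
    data = json.loads(api_response_text)
    for item in data["data"]["affected_items"]:
        for lf in item.get("localfile", []):
            if lf.get("file") != localfile["file"]:
                continue
            for key in ("ignore", "restrict"):
                want = sorted((e["type"], e["value"]) for e in localfile[key])
                got = sorted((e["type"], e["value"]) for e in lf.get(key, []))
                if want != got:
                    return False
            return True
    return False


if __name__ == "__main__":
    lf = parse_localfiles(SAMPLE_CONFIG)[0]
    for line in filter_lines(lf, SAMPLE_LINES):
        print("forwarded:", line)
    print("API output matches config:", api_matches_config(lf, SAMPLE_API_RESPONSE))
```

Run as a script it prints the one sshd line that passes both filters and confirms the constructed response matches the constructed config; comparing the two this way is a cheap check that an edit to ossec.conf actually took effect after a restart.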
