Wazuh
Overview
This integration collects logs from the Wazuh manager by reading its log files directly from the local filesystem.
It automatically discovers and reads the key Wazuh log files under the installation directory (default: /var/ossec/logs) and enriches each record with file metadata.
The collector uses the OpenTelemetry filelog receiver and persists read offsets, so after a restart collection resumes from the last persisted position instead of starting over.
Supported platforms
- Linux
Logs
Configuration
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| installation_directory | string | /var/ossec | No | Root directory where the Wazuh manager is installed. Logs are read from <installation_directory>/logs/. The collector process needs read access to this directory and the files in it. |
| poll_interval | string | 200ms | No | Interval between filesystem scans to detect new or updated log files. |
| start_at | string | end | No | Where to start reading a file that has no persisted offset yet: beginning reads the existing content, end reads only lines written after the source starts. With end, events logged before the collector first starts are never shipped. |
Example Configuration
{
"installation_directory": "/var/ossec", // default
"poll_interval": "200ms", // default
"start_at": "end" // default: only read lines written after the source starts
}
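To make the start_at and persisted-offset behaviour concrete, the following is an added toy model of a single-file tailer, written for this page and not the collector's own code. Nothing about the real receiver's checkpoint format or file set is assumed; the file name ossec.log, the offset.json checkpoint and the log lines are constructed for the demonstration. It shows why the default start_at of end skips events that were already on disk, why a persisted offset lets a restart pick up where the previous run stopped, and how a partial line is held back until its newline arrives.

```python
"""Toy model of offset-persisting file tailing (added example, not the
collector's implementation). One file, one JSON checkpoint, and the
start_at semantics from the configuration table above."""
import json
import os
import tempfile
from typing import List


def tail_once(path: str, checkpoint: str, start_at: str = "end") -> List[str]:
    """Return new complete lines from `path`, resuming from the byte offset
    saved in `checkpoint`. When no checkpoint exists yet, start_at decides
    whether existing content is read ("beginning") or skipped ("end")."""
    offset = None
    if os.path.exists(checkpoint):
        with open(checkpoint) as f:
            offset = json.load(f).get("offset")
    size = os.path.getsize(path)
    if offset is None:
        offset = 0 if start_at == "beginning" else size
    if offset > size:
        # File was truncated or replaced in place: start again from the top.
        offset = 0
    lines = []
    with open(path, "rb") as f:
        f.seek(offset)
        while True:
            line = f.readline()
            if not line.endswith(b"\n"):
                break  # partial line (or EOF): leave it for the next poll
            lines.append(line.rstrip(b"\n").decode("utf-8", "replace"))
            offset = f.tell()
    # Persist the offset only after the lines have been handed over, so a
    # crash in between re-reads rather than drops them.
    with open(checkpoint, "w") as f:
        json.dump({"offset": offset}, f)
    return lines


def demo(start_at: str) -> dict:
    """Constructed scenario: two pre-existing lines, first start, one new line
    plus a partial line, then a 'restart' that only has the checkpoint."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "ossec.log")       # hypothetical file name
        ckpt = os.path.join(d, "offset.json")    # hypothetical checkpoint
        with open(log, "w") as f:
            f.write("old-1\nold-2\n")
        first = tail_once(log, ckpt, start_at)
        with open(log, "a") as f:
            f.write("new-1\npartial")
        second = tail_once(log, ckpt, start_at)
        with open(log, "a") as f:
            f.write("-done\n")
        # "Restart": no in-memory state, only the checkpoint on disk.
        third = tail_once(log, ckpt, start_at)
        return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    for mode in ("end", "beginning"):
        print(mode, demo(mode))
```

With start_at set to end, the first poll returns nothing and old-1 and old-2 are never collected; switch it to beginning for the initial deployment if the historical alerts on the manager matter, then leave the persisted offset to prevent re-ingestion on later restarts.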