Maksym

Wazuh: Centralized Logging with Error Notifications

Introduction

Wazuh is an open-source security and monitoring platform that provides intrusion detection, log management, vulnerability detection, and incident response. It centralizes logs from diverse systems and applications, analyzes them in real time, and notifies teams when errors or suspicious activity occur. By combining log collection, rule-based detection, and alerting, Wazuh helps organizations improve visibility, security, and operational efficiency.


Centralized Logging

Wazuh agents collect logs from endpoints and forward them to the Wazuh manager, where they are aggregated and indexed (often in Elasticsearch). This allows administrators to monitor all system activity from a single location.

Configuration Example (multiple files):

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/syslog</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/error.log</location>
</localfile>

<localfile>
  <log_format>json</log_format>
  <location>/var/log/myapp/app.log</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>

Handling Unknown or Dynamic Files

If you don’t know the exact file names in advance (e.g., rotating logs or dynamically generated files), Wazuh supports wildcards and directories:

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/*.log</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/*.log</location>
</localfile>

<localfile>
  <log_format>json</log_format>
  <location>/var/log/myapp/*.json</location>
</localfile>

This ensures that any new log file matching the pattern is automatically monitored.


Error Detection Rules

Logs are analyzed against rules to detect anomalies and errors. Wazuh’s ruleset can be customized to match specific error patterns.

Example: Apache error detection

<!-- Custom rules go in /var/ossec/etc/rules/local_rules.xml and must sit inside a <group> -->
<group name="local,apache,">
  <rule id="100100" level="5">
    <!-- Wazuh's decoder for the Apache error log is named apache-errorlog -->
    <decoded_as>apache-errorlog</decoded_as>
    <description>Apache server error detected</description>
    <group>apache,errors</group>
    <match>Internal Server Error</match>
  </rule>
</group>

Generic error rule (for unknown files):

<group name="local,errors,">
  <!-- No <decoded_as>, so this root rule is checked against every event.
       <match> is a case-sensitive substring test; "|" separates alternatives -->
  <rule id="100300" level="6">
    <description>Generic error detected in logs</description>
    <group>errors</group>
    <match>ERROR|FAIL|CRITICAL</match>
  </rule>
</group>
<!-- Confirm a sample line actually fires the rule before relying on it:
     echo "2026-03-04 10:15:07 CRITICAL database connection lost" | /var/ossec/bin/wazuh-logtest -->

Notifications

Wazuh can notify teams via email, Slack, or other platforms. For example:

Email notification setup:

<global>
  <email_notification>yes</email_notification>
  <email_to>ops-team@example.com</email_to>
  <!-- sender address is required -->
  <email_from>wazuh@example.com</email_from>
  <smtp_server>mail.example.com</smtp_server>
</global>
<!-- Alerts are mailed only at or above <alerts><email_alert_level>, which defaults to 12;
     lower it (or add an <email_alerts> block) so the level 5-6 error rules above are mailed -->

Telegram Integration Example

Telegram is not built-in, but you can integrate it using a custom script in Wazuh’s integrations/ folder.

Python script (telegram.py):

#!/usr/bin/env python3
# Install as /var/ossec/integrations/custom-telegram (owner root:wazuh, mode 750);
# custom integration scripts must be named custom-<name>. Wazuh's bundled
# interpreter, /var/ossec/framework/python/bin/python3, already ships requests.
import sys
import json
import requests

# Replace with your bot token and chat_id
BOT_TOKEN = "123456789:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"
CHAT_ID = "-1001234567890"  # group/channel ID or user ID

TELEGRAM_API_URL = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"

def send_telegram_message(message):
    # Sent as plain text: with parse_mode=Markdown a log line containing an
    # unpaired "*" or "_" makes the Bot API reject the whole message (HTTP 400).
    payload = {
        "chat_id": CHAT_ID,
        "text": message
    }
    try:
        response = requests.post(TELEGRAM_API_URL, json=payload, timeout=10)
        if response.status_code != 200:
            print(f"Error sending message: {response.text}")
    except Exception as e:
        print(f"Exception: {e}")

def format_alert(alert):
    # Customize the message format
    rule = alert.get('rule', {})
    return (f"Wazuh Alert\n\nRule: {rule.get('description', 'N/A')}\n"
            f"Level: {rule.get('level', 'N/A')}\n"
            f"Agent: {alert.get('agent', {}).get('name', 'N/A')}\n"
            f"Log: {alert.get('full_log', 'N/A')}")

def main():
    # integratord does not pipe the alert on stdin: it writes the alert to a
    # temporary file and runs the script as
    #   custom-telegram <alert_file> <api_key> <hook_url>
    # so the alert JSON is read from the file named by the first argument.
    if len(sys.argv) < 2:
        print("Usage: custom-telegram <alert_file> [api_key] [hook_url]")
        sys.exit(1)
    try:
        with open(sys.argv[1]) as alert_file:
            alert = json.load(alert_file)
    except Exception as e:
        print(f"Failed to parse alert: {e}")
        sys.exit(1)
    send_telegram_message(format_alert(alert))

if __name__ == "__main__":
    main()

Integration block in ossec.conf:

<integration>
  <!-- Custom integrations are named custom-<name>; <name> is the script file in
       /var/ossec/integrations/ (there is no <script> option). Add <level> or
       <group> here to forward only some alerts instead of every alert. -->
  <name>custom-telegram</name>
  <alert_format>json</alert_format>
</integration>

Example Workflow

  1. Wazuh agent monitors /var/log/*.log, /var/log/apache2/*.log, and /var/log/myapp/*.json.
  2. A new file error-2026-03-04.log appears with the string CRITICAL.
  3. The generic rule matches it.
  4. Wazuh raises an alert with severity level 6.
  5. The telegram.py script sends the alert to your Telegram group.
  6. Notification appears instantly in Telegram, allowing the team to respond.
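The pipeline behind steps 2 to 5, and the Telegram script's input, as an added Python simulation that is not code from the post or from Wazuh: the generic rule's <match> alternation is applied to constructed log lines, each hit becomes an alert in the JSON shape integratord writes to a temporary file, and the message is built from that file the way a custom integration reads argv[1]. The agent name, location and log lines are constructed for the example.

```python
import json
import tempfile

# The post's generic rule as data. Wazuh's <match> is a case-sensitive substring
# test in which "|" separates alternatives (sregex syntax).
GENERIC_RULE = {"id": "100300", "level": 6, "description": "Generic error detected in logs",
                "groups": ["errors"], "match": "ERROR|FAIL|CRITICAL"}

def rule_matches(rule, line):
    """Emulate <match>: true if any '|'-separated alternative occurs in the line."""
    return any(alt in line for alt in rule["match"].split("|"))

def build_alert(rule, agent, location, line):
    """Alert in the JSON shape integratord hands to a custom script (alert_format json)."""
    return {"rule": {"id": rule["id"], "level": rule["level"],
                     "description": rule["description"], "groups": rule["groups"]},
            "agent": {"name": agent}, "location": location, "full_log": line}

def write_alert_file(alert):
    """integratord writes the alert to a temp file and passes its path as argv[1]."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(alert, fh)
    return fh.name

def format_message(alert_path):
    """Build the Telegram text from the alert file, the way custom-telegram does."""
    with open(alert_path) as fh:
        alert = json.load(fh)
    rule = alert.get("rule", {})
    return (f"Wazuh Alert\n\nRule: {rule.get('description', 'N/A')}\n"
            f"Level: {rule.get('level', 'N/A')}\n"
            f"Agent: {alert.get('agent', {}).get('name', 'N/A')}\n"
            f"Log: {alert.get('full_log', 'N/A')}")

# Constructed lines, as if collected from a new file matched by /var/log/*.log
SAMPLE_LOG_LINES = [
    "2026-03-04 10:15:01 INFO worker started",
    "2026-03-04 10:15:07 CRITICAL database connection lost",
    "2026-03-04 10:15:09 error: retrying",  # lowercase: the case-sensitive rule ignores it
]

def run_pipeline(lines, agent="web-01", location="/var/log/error-2026-03-04.log"):
    """Return the Telegram messages the lines would produce (agent name is constructed)."""
    messages = []
    for line in lines:
        if rule_matches(GENERIC_RULE, line):
            alert_path = write_alert_file(build_alert(GENERIC_RULE, agent, location, line))
            messages.append(format_message(alert_path))
    return messages
```

Only the CRITICAL line produces a message; the lowercase "error:" line shows why a case-sensitive <match> can miss errors written in lowercase.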

Benefits

  • Centralized visibility: All logs collected in one place.
  • Real-time detection: Errors and anomalies caught instantly.
  • Automated notifications: Teams are alerted via email, Slack, or Telegram.
  • Scalability: Works across thousands of endpoints with clustering.
  • Flexibility: Wildcards and generic rules handle unknown or dynamic log files.

With this setup, Wazuh becomes a powerful centralized logger with error notifications, capable of sending alerts to multiple platforms — including Telegram — ensuring your team never misses critical issues.

Hopefully you find this article helpful. As always, don't hesitate to like, share or leave a comment, and if you run into any problem, please let me know. Cheers
