Incorrect file ignoring due to modification time on windows #576
Description
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.10.1 | Logcollector | Agent | Packages | Windows 10 |
Description
The logcollector module is not gathering modification time correctly in Windows affecting the age option, ignoring incorrectly not expected files
Environment
- Agent configuration
<localfile>
<location>C:\Users\vagrant\u_ex250206_x.log</location>
<log_format>iis</log_format>
<age>1d</age>
</localfile>- Wazuh Agent and server version 4.10.1
How to replicate
- Include the localfile configuration block in a Windows agent configuration
- Enable debug in the local internal options (
windows.debug=1) - Create the
C:\Users\vagrant\u_ex250206_x.logfile and include some text. - Check modification time manually:
C:\Users\vagrant>dir /T:W u_ex250206_x.log
02/06/2025 10:35 AM 1,538 u_ex250206_x.log
1 File(s) 1,538 bytes
0 Dir(s) 116,448,886,784 bytes free
- Restart the wazuh agent
- Include a new line in the
C:\Users\vagrant\u_ex250206_x.logfile - Check that events are not collected
- Check that the file is being ignored:
2025/02/06 10:36:15 wazuh-agent[2648] logcollector.c:2194 at w_input_thread(): DEBUG: Ignoring file 'C:\Users\vagrant\u_ex250206_x.log' due to modification time
Evidences
Agent logs: ossec.log