Based on the details you shared, you’re trying to monitor .log files under /var/log/nginx/ using localfile monitoring, and you’ve tried different values under <log_format>.

The key point is: <log_format> must match the actual format of the log lines inside the file.

• If the log lines are JSON - use json
• If the log lines look like syslog-style text - use syslog
  You can refer to the Wazuh documentation for supported <log_format> values and examples.

First, check the log format inside the log file that you are trying to monitor and configure the <log_format> accordingly.
For example, if the log format inside all the log files in the /var/log/nginx/ directory is syslog, then your configuration should look like below in the /var/ossec/etc/ossec.conf file on the agent:

<localfile>
  <location>/var/log/nginx/*.log</location>
  <log_format>syslog</log_format>
</localfile>

Then restart the Wazuh agent to apply the configuration:

systemctl restart wazuh-agent

After that, the agent will start monitoring the log files inside the /var/log/nginx/ directory (with .log extension) and forward the logs to the Wazuh manager for analysis.

Note that, to trigger alerts and show them on the dashboard based on the events from the monitored log files, there should be decoders and rules on the Wazuh manager. If the events match the default decoders and rules in Wazuh, then alerts will be shown on the dashboard. If not, you should create custom decoders and rules based on the log format.

To check if the default decoders and rules match the events, you can run a log test.
On the Wazuh dashboard, click on the hamburger icon (top left) > Server management > Ruleset Test, then copy a log line from the monitored log file, paste it there, and run the test. If it shows Phase 3 and the rule level is 3 or above, we can confirm that the default decoders and rules will work. If not, you need to create custom rules. If Phase 2 is also not showing, you need to create a custom decoder as well.

You can refer the following documentation for decoder and rule creation:

• Refer this Wazuh documentation for understanding regex patterns for matching values.
• Refer Wazuh decoder syntax documentation for creating a decoder.
• For creating rules, you can refer to the Wazuh rules syntax documentation.

If you need further assistance, please let us know. Also, please share the following details:

• Share your Wazuh agent ossec.conf file.
• Share the Wazuh agent ossec.log file.
• Sample logs from the monitored log file.