Are login/logout logs really important?


Don Judd

Aug 5, 2025, 11:43:24 AM8/5/25
to Wazuh | Mailing List
Granted, I am a new user to Wazuh, and just trying to figure out if I really need thousands of minor logs per day of users logging in and out of the system.

I haven't even started looking into how I would eliminate those, but before I do, are those really all that important?

Carlos Ezequiel Bordon

Aug 5, 2025, 1:26:37 PM8/5/25
to Wazuh | Mailing List
Hi, I need a little more context to help you. Do you need to reduce the number of events the Wazuh agent is reporting? What version of Wazuh do you have? What are you trying to monitor?

Don Judd

Aug 5, 2025, 2:06:42 PM8/5/25
to Carlos Ezequiel Bordon, Wazuh | Mailing List
Thanks for the reply Carlos. 

In my Dashboard I see 333,173 low severity alerts for the last 24 hours. Almost all of those are login or logout notifications.

data.win.system.message
"An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: LSHW-6VH4ND3$ Account Domain: WICK Logon ID: 0x3E7

My question is, are these actually important, or should I really consider filtering these out to avoid analysis paralysis?


Don Judd
IT Director
Wick Communications 





Carlos Ezequiel Bordon

Aug 5, 2025, 2:26:04 PM8/5/25
to Wazuh | Mailing List

Yes, you can modify the minimum level of alerts reported. Here is the guide on how to modify this option: https://documentation.wazuh.com/current/user-manual/manager/alert-management.html#alert-threshold

By default, Wazuh is configured to generate alerts when the severity level is 3 or higher.

Another option is to modify the alerts to change their severity. I share the guide here: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

Don Judd

Aug 5, 2025, 3:58:09 PM8/5/25
to Carlos Ezequiel Bordon, Wazuh | Mailing List
Thank you, sir, but my question is this: is there any real value in seeing login and logout reports?



Don Judd
IT Director
Wick Communications 


Carlos Ezequiel Bordon

Aug 6, 2025, 8:55:48 AM8/6/25
to Wazuh | Mailing List
The value of this information is given by the Wazuh user, who can establish and take certain actions to protect their environment by analyzing this information. Here, for example, I can share with you the documentation of a POC on brute force, where you can see a practical case where these types of alerts are taken and actions are executed accordingly: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html
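To make the point concrete, here is an added example (not from Wazuh's ruleset or from the documentation linked above) that applies the two ideas in this thread to constructed events shaped like the quoted 4624 message: routine service logons by the Local System account (S-1-5-18, the SID in the quoted message) are dropped as noise, while failed logons are kept and counted per source address, which is the pattern the brute-force guide builds a rule around. The field names, SIDs, addresses and thresholds are made up for the illustration.

```python
from collections import defaultdict, deque

# Constructed events in the shape of the Windows Security logons quoted in the
# thread: 4624 = successful logon, 4625 = failed logon. Timestamps are seconds.
# Logon types: 5 = service, 10 = remote interactive, 3 = network. Not real data.
SAMPLE_EVENTS = [
    {"ts": 0,  "id": 4624, "sid": "S-1-5-18",   "user": "LSHW-6VH4ND3$", "type": 5,  "src": "-"},
    {"ts": 1,  "id": 4624, "sid": "S-1-5-18",   "user": "LSHW-6VH4ND3$", "type": 5,  "src": "-"},
    {"ts": 2,  "id": 4624, "sid": "S-1-5-21-9", "user": "djudd",         "type": 10, "src": "10.0.0.5"},
    {"ts": 5,  "id": 4625, "sid": "S-1-0-0",    "user": "admin",         "type": 3,  "src": "203.0.113.7"},
    {"ts": 9,  "id": 4625, "sid": "S-1-0-0",    "user": "admin",         "type": 3,  "src": "203.0.113.7"},
    {"ts": 12, "id": 4625, "sid": "S-1-0-0",    "user": "backup",        "type": 3,  "src": "203.0.113.7"},
    {"ts": 15, "id": 4625, "sid": "S-1-0-0",    "user": "admin",         "type": 3,  "src": "198.51.100.2"},
    {"ts": 20, "id": 4625, "sid": "S-1-0-0",    "user": "admin",         "type": 3,  "src": "203.0.113.7"},
    {"ts": 25, "id": 4625, "sid": "S-1-0-0",    "user": "admin",         "type": 3,  "src": "203.0.113.7"},
]

LOCAL_SYSTEM = "S-1-5-18"  # well-known SID for the Local System account

def is_noise(ev):
    """Successful service logons by the machine itself (Local System) are the
    bulk of the volume and carry little investigative value on their own."""
    return ev["id"] == 4624 and ev["sid"] == LOCAL_SYSTEM and ev["type"] == 5

def triage(events, threshold=5, window=30):
    """Return (kept, alerts). kept = events worth storing; alerts = one tuple
    (src, ts, count) per burst of >= threshold failed logons from the same
    source inside `window` seconds (a sliding window per source)."""
    kept, alerts = [], []
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    for ev in events:
        if is_noise(ev):
            continue
        kept.append(ev)
        if ev["id"] != 4625 or ev["src"] == "-":
            continue  # only remote failed logons feed the frequency counter
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold:
            alerts.append((ev["src"], ev["ts"], len(q)))
            q.clear()  # one alert per burst, not one per extra failure
    return kept, alerts

if __name__ == "__main__":
    kept, alerts = triage(SAMPLE_EVENTS)
    print(f"kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
    for src, ts, n in alerts:
        print(f"ALERT: {n} failed logons from {src} within 30s (t={ts})")
```

The sample keeps 7 of the 9 events and raises a single alert for 203.0.113.7; the point is that the noisy successful logons can be suppressed without losing the failed ones a brute-force rule depends on.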

Don Judd

Aug 6, 2025, 10:48:33 AM8/6/25
to Carlos Ezequiel Bordon, Wazuh | Mailing List
Thank you very much sir. That's what I wanted to know. 



Don Judd
IT Director
Wick Communications 

