Wazuh Dashboard Login Events Collected in Archives but Custom Alert Not Generated (Wazuh 4.14.5)


Jack Martin

Jun 3, 2026, 6:40:20 AM
to Wazuh | Mailing List

Hello Wazuh Support Team,

I hope you are doing well.

We are currently testing login monitoring for the Wazuh Dashboard and have encountered an issue where dashboard login events are being collected successfully, but custom alert generation is not working as expected.

Environment

  • Wazuh Version: 4.14.5
  • Operating System: Ubuntu
  • Installation Method:
curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh
sudo bash ./wazuh-install.sh -a
  • Single-node deployment
  • Wazuh Manager, Indexer, and Dashboard installed on the same server

Objective

We want to generate a Wazuh alert whenever a user successfully logs into the Wazuh Dashboard.

Example:

Wazuh Dashboard Successful Login
User: <username>
Source IP: <ip>
Time: <timestamp>

This is required for SOC monitoring and access auditing.


What We Observed

Dashboard login events are being generated and collected successfully.

We can see events similar to:

{
  "program_name": "opensearch-dashboards",
  "message": "POST /api/login 200 63ms - 9.0B"
}

and

{
  "url": "/api/login",
  "statusCode": 200
}

These events are stored in:

/var/ossec/logs/archives/archives.json

Example command used:

grep -a 'POST /api/login' /var/ossec/logs/archives/archives.json

The login events are visible and continuously updated.


Custom Rule Created

We added the following rule in:

/var/ossec/etc/rules/local_rules.xml

<group name="wazuh_dashboard_login">

  <rule id="100555" level="10">
    <program_name>opensearch-dashboards</program_name>
    <match>POST /api/login 200</match>
    <description>Wazuh Dashboard Successful Login</description>
    <group>authentication_success,</group>
  </rule>

</group>

Validation Results

The rule matches successfully using:

sudo /var/ossec/bin/wazuh-logtest

Result:

Phase 1: Completed pre-decoding
program_name: opensearch-dashboards

Phase 2: Completed decoding

Phase 3: Completed filtering

id: 100555
description: Wazuh Dashboard Successful Login

Alert to be generated

Problem

Despite successful rule matching in wazuh-logtest:

  • No alert appears in:
/var/ossec/logs/alerts/alerts.json
  • No alert appears in:
/var/ossec/logs/alerts/alerts.log
  • No dashboard alert is generated.

However, login events continue to be collected in:

/var/ossec/logs/archives/archives.json

Additional Information

Journald collection is enabled:

<localfile>
  <log_format>journald</log_format>
  <location>journald</location>
</localfile>

Dashboard service:

sudo systemctl status wazuh-dashboard

Status:

active (running)

Questions

  1. Is monitoring Wazuh Dashboard login events through POST /api/login the recommended approach?
  2. Is there a built-in decoder/rule available for Dashboard login monitoring?
  3. Should OpenSearch Security Audit Logging be enabled instead?
  4. Why does wazuh-logtest indicate that an alert will be generated while no event appears in alerts.json?
  5. What is the recommended method to generate alerts for successful and failed Dashboard logins, including username and source IP?

We would appreciate any guidance or best practices regarding monitoring Wazuh Dashboard authentication events.

Thank you for your support.

SOC Analyst / Security Engineer
[Company Name]
Wazuh Version: 4.14.5
Ubuntu Server
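As an added diagnostic for question 4 (this is not code from the thread or from Wazuh): a Python script that reads archives.json lines and states, per dashboard login record, why rule 100555 could match in wazuh-logtest yet not fire on the live path. The sample records and the field placement (predecoder.program_name, full_log, rule.id, data) are assumptions modelled on the output quoted in the post.

```python
import json
import re

RULE_ID = "100555"
RULE_MATCH = "POST /api/login 200"   # Wazuh <match> is a plain substring test
# Access-log shape quoted in the thread: "POST /api/login 200 63ms - 9.0B"
ACCESS_RE = re.compile(r"(?P<method>[A-Z]+) (?P<path>/\S*) (?P<status>\d{3}) \d+ms - \S+")

# Constructed archives.json records; field placement is an assumption, not a live capture.
SAMPLE_RECORDS = [
    '{"full_log":"Jun  3 06:40:00 siem opensearch-dashboards[1201]: POST /api/login 200 63ms - 9.0B",'
    '"predecoder":{"program_name":"opensearch-dashboards"},"location":"journald"}',
    '{"full_log":"Jun  3 06:41:10 siem opensearch-dashboards[1201]: POST /api/login 401 12ms - 9.0B",'
    '"predecoder":{"program_name":"opensearch-dashboards"},"location":"journald"}',
    '{"full_log":"Jun  3 06:42:00 siem wazuh-dashboard[1201]: POST /api/login 200 58ms - 9.0B",'
    '"predecoder":{"program_name":"wazuh-dashboard"},"location":"journald"}',
]

def analyze_event(event: dict) -> dict:
    """Explain, for one archives.json record, why rule 100555 did or did not fire live."""
    program = event.get("predecoder", {}).get("program_name")
    full_log = event.get("full_log", "")
    live_rule = event.get("rule", {}).get("id")   # absent when no rule fired on the live path
    m = ACCESS_RE.search(full_log)
    status = int(m.group("status")) if m else None
    if program != "opensearch-dashboards":
        why = f"predecoded program_name is {program!r}; the rule's <program_name> cannot match"
    elif RULE_MATCH not in full_log:
        why = f"match string absent (HTTP {status}); the rule only covers status 200"
    elif live_rule is None:
        why = "line matches but the engine fired no rule: rule file not loaded on the live path"
    elif live_rule != RULE_ID:
        why = f"rule {live_rule} fired instead of {RULE_ID}"
    else:
        why = "rule fired; the alert should be in alerts.json"
    # The access line carries method/path/status only; decoders would place a user or
    # source IP under "data" (assumed field names), which this event does not have.
    data = event.get("data", {})
    return {"status": status, "live_rule": live_rule,
            "identity_available": bool({"user", "dstuser", "srcip"} & set(data)), "why": why}

def analyze_archive(lines) -> list:
    """Run analyze_event over raw archives.json lines, skipping unparsable ones."""
    out = []
    for line in lines:
        try:
            out.append(analyze_event(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return out

if __name__ == "__main__":
    for r in analyze_archive(SAMPLE_RECORDS):
        print(r)
```

Feed it the real file with `analyze_archive(open("/var/ossec/logs/archives/archives.json"))`; the `identity_available` flag shows that this event alone cannot supply the username and source IP the objective asks for.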

Stuti Gupta

Jun 3, 2026, 7:22:56 AM
to Wazuh | Mailing List
Hi Jack,

The rule looks good to me. Please share the full log from the archives.json, for testing purposes.
cat /var/ossec/logs/archives/archives.json | grep <keyword from the log>

Note: archives will consume lots of disk space, and they are not recommended for a production environment. Please disable them once the issue is resolved.

Once you share the log I will test it at my end and will let you know the reason why there was no alert for this.

To know more about rules please refer to https://documentation.wazuh.com/current/user-manual/ruleset/rules/index.html

Looking forward to your response.

Jack Martin

Jun 4, 2026, 12:06:33 AM
to Stuti Gupta, Wazuh | Mailing List
Hello Wazuh Support Team,

Thank you for your response.

I am currently working on collecting and validating the complete logs from archives.json and will share them shortly for your testing.

In the meantime, could you please advise if there is any alternative or recommended method for monitoring Wazuh Dashboard login events and generating alerts for successful and failed logins?
This is what I have to do because in our SOC environment there are 10 analysts, and we have to give monitoring shifts, so if a login looks unusual we have to investigate that as well.

I appreciate your guidance and will provide the requested logs as soon as possible.

Best regards,

Jack


Stuti Gupta

Jun 4, 2026, 2:13:10 AM
to Wazuh | Mailing List
Hi Jack,

To enable audit logs of the dashboard, you must have plugins.security.audit.type: internal_opensearch in the file /etc/wazuh-indexer/opensearch.yml

Then check the option "Enable audit logging" under the hamburger icon > Indexer management > Security > Audit logs. From this page, you can edit the settings for audit logs too. If you want the authenticated events to appear, you will have to make sure this is not disabled in General Settings.
Screenshot_17.png

For a full list of the types of events, you can check the official documentation for Audit logs:
https://opensearch.org/docs/1.2/security-plugin/audit-logs/index/#tracked-events

The last step to visualize these events is to make sure the index pattern for security-auditlog* is created, expand the hamburger icon > Dashboard management > Dashboards Management >  Index patterns, in case there is no security-auditlog* already created, then you have to create it.

You will be able to visualize the events from Dashboards > Discover, make sure you select the security-auditlog* index pattern.