Can't monitor audit.log with Wazuh


Iago Canez Medeiros

Aug 14, 2023, 4:02:21 PM
to Wazuh mailing list
Hello everyone.

I configured auditd so that the agent reads the logs and forwards them to the server, but I didn't get it to work.

I followed the documentation as recommended. I put in the keys and the file to be read, but it didn't work.

Command output:

auditctl -l:
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/apparmor.d -p wa -k MAC-policy
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /var/log/loadlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network -p wa -k system-locale
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=audit-wazuh-c
-a always,exit -F arch=b32 -S execve -F euid=0 -F key=audit-wazuh-c

Keys:
audit-wazuh-w: write
audit-wazuh-r: read
audit-wazuh-a: attribute
audit-wazuh-x: execute
audit-wazuh-c: command

ossec.conf:

<ossec_config>
  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

</ossec_config>


Have I done something wrong?

Thanks.

Osern Sennte

Aug 28, 2023, 5:00:21 AM
to Wazuh | Mailing List
Hi, I have a similar issue: auditd writes audit.log, and logcollector is configured to read it, but messages are not forwarded to the server.
Which OS and Version are you using?

Regards

Jörg Schindler

Aug 29, 2023, 7:25:58 AM
to Wazuh | Mailing List
Hey,

You should first check whether Wazuh reports any error collecting the logs:
cat /var/ossec/logs/ossec.log | grep audit
The output should be:
wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auditd/audit.log'.

I had made the mistake that the log belonged to the user root and the group adm. Maybe that's your problem, too.
Check the permissions:
by default on Ubuntu 22.04 it will be root:adm; I guess it's the same on CentOS.

You can change that in auditd.conf.

cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
# auditd will log on a tmpfs mounted on /var/log/audit_tmpfs

local_events = yes
write_logs = yes
log_file = /var/log/auditd/audit.log
log_group = wazuh

That was my big mistake; it took me hours to fix.

Hope that helps :)
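The three checks in the reply above (is logcollector analyzing the file, can the agent's group read it, does auditd's log_group match), as an added diagnostic script that is not from the thread or from the Wazuh project. It assumes the account reading the file is "wazuh" (override with AGENT_USER; confirm which user the logcollector really runs as on your host), that stat supports -c (GNU coreutils or busybox), that auditd.conf uses "key = value" lines, and that the logcollector message has exactly the form quoted in the reply.

```shell
#!/bin/sh
# Added diagnostic for the audit.log checks discussed in the thread; not Wazuh's own code.
# Assumptions (not stated on the page): agent account "wazuh" (AGENT_USER), GNU/busybox
# stat with -c, and "key = value" lines in auditd.conf. Usage: sh check-audit-log.sh

AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"
AGENT_USER="${AGENT_USER:-wazuh}"

# conf_value FILE KEY: print the last "KEY = value" from an auditd.conf-style file,
# skipping '#' comment lines and trimming whitespace; prints nothing if KEY is absent.
conf_value() {
  grep -v '^[[:space:]]*#' "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' \
    | tail -n 1
}

# logcollector_saw OSSEC_LOG PATH: succeed if logcollector logged that it picked PATH up
# (the "INFO: (1950): Analyzing file" line quoted in the reply above).
logcollector_saw() {
  grep -Fq "wazuh-logcollector: INFO: (1950): Analyzing file: '$2'." "$1"
}

# group_can_read FILE GROUP: succeed if FILE is world-readable, or if its group (name or
# numeric gid) equals GROUP and the group read bit is set. Owner bits are ignored on
# purpose: audit.log is owned by root and the agent account is not root.
group_can_read() {
  _mode=$(stat -c '%a' "$1") || return 1
  _gname=$(stat -c '%G' "$1") || return 1
  _gid=$(stat -c '%g' "$1") || return 1
  _other=$(( _mode % 10 ))          # "other" permission digit
  _group=$(( (_mode / 10) % 10 ))   # "group" permission digit
  [ $(( _other & 4 )) -ne 0 ] && return 0
  { [ "$_gname" = "$2" ] || [ "$_gid" = "$2" ]; } && [ $(( _group & 4 )) -ne 0 ]
}

# check_all AUDITD_CONF OSSEC_LOG AGENT_USER: run the three checks, one OK/FAIL line
# each; return 0 only when all pass.
check_all() {
  _rc=0
  _log=$(conf_value "$1" log_file)
  [ -n "$_log" ] || _log=/var/log/audit/audit.log   # auditd's default log_file
  _lgrp=$(conf_value "$1" log_group)
  [ -n "$_lgrp" ] || _lgrp=root                     # auditd's default log_group
  echo "auditd.conf: log_file=$_log log_group=$_lgrp"

  # 1. Did logcollector open the file? If not, <location> in ossec.conf does not
  #    match log_file, or the agent was not restarted after editing it.
  if [ -r "$2" ] && logcollector_saw "$2" "$_log"; then
    echo "OK   logcollector is analyzing $_log"
  else
    echo "FAIL no 'Analyzing file' line for $_log in $2"; _rc=1
  fi

  # 2. Can the agent's primary group read the file right now? Fall back to a group
  #    named like the user when the account does not exist on this host.
  _agrp=$(id -gn "$3" 2>/dev/null || echo "$3")
  if [ -e "$_log" ] && group_can_read "$_log" "$_agrp"; then
    echo "OK   $_log is readable by group $_agrp"
  else
    echo "FAIL $_log is not readable by group $_agrp ($(stat -c '%a %U:%G' "$_log" 2>/dev/null))"; _rc=1
  fi

  # 3. Does auditd's log_group match? A manual chgrp alone is undone when auditd
  #    applies log_group again on restart or rotation.
  if [ "$_lgrp" = "$_agrp" ]; then
    echo "OK   log_group = $_lgrp"
  else
    echo "FAIL log_group is '$_lgrp', expected '$_agrp' (set log_group = $_agrp in $1 and restart auditd)"; _rc=1
  fi
  return $_rc
}

# Only run when an auditd.conf is present, so the functions can also be sourced elsewhere.
if [ -f "$AUDITD_CONF" ]; then
  check_all "$AUDITD_CONF" "$OSSEC_LOG" "$AGENT_USER" || echo "some checks failed" >&2
fi
```

Run it as root on the agent host; a FAIL on the second line with an OK on the third means the file was created before log_group was changed, so fix the current file's group by hand once and let auditd keep it correct from then on.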