Audit: process ended abnormally


John Kondur

Aug 29, 2017, 11:43:09 AM
to Wazuh mailing list
Hi,

I am trying to figure out how to get the audit tab working when you look at the Wazuh interface.

You can see here that in the past month it found nothing? I am trying to get audit to work properly but I don't see anything in the logs. I just want to make sure it is actually running.

Thanks

John Kondur

Aug 29, 2017, 1:41:17 PM
to Wazuh mailing list
I realize I should have put in more details.

I created a file, and technically this should have been picked up by Wazuh. It shows up in /var/log/audit/audit.log, but never shows up in alerts.log. I do have this in ossec.conf:


  <localfile>
    <log_format>audit</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>


Here are my rules:

auditctl -l
-w /home -p w -k audit-wazuh-w
-w /home -p a -k audit-wazuh-a
-w /home -p r -k audit-wazuh-r
-w /home -p x -k audit-wazuh-x



And you can see the audit log picks it up below:

type=PATH msg=audit(1504028215.289:629953): item=0 name="/home" inode=24577 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1504028215.289:629953): item=1 name="malware2.py" inode=8663 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE


But I never see it get sent to the Wazuh alerts.log.

I am not sure what I am missing.

Thanks

Pedro Sanchez

Sep 3, 2017, 9:10:15 AM
to John Kondur, Wazuh mailing list
Hi John,

Your configuration for auditctl keys and the Wazuh agent looks right. I am not sure if it is a regex issue coming from your auditd version or if it is related to not decoding and extracting the "key" field in audit events.
I think you should enable the archives setting in the manager, extract a sample of the received auditd events and paste it here.

Be aware that enabling the archive setting means logging everything that is coming to the manager; it could generate thousands of events in minutes.

<logall>yes</logall>

Let us know once you get some samples; we should expect something like this:

type=SYSCALL msg=audit(1479982525.380:50): arch=c000003e syscall=2 success=yes exit=3 a0=7ffedc40d83b a1=941 a2=1b6 a3=7ffedc40cce0 items=2 ppid=432 pid=3333 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="touch" exe="/bin/touch" key="audit-wazuh-w" type=CWD msg=audit(1479982525.380:50):  cwd="/var/log/audit" type=PATH msg=audit(1479982525.380:50): item=0 name="/var/log/audit/tmp_directory1/" inode=399849 dev=ca:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT type=PATH msg=audit(1479982525.380:50): item=1 name="/var/log/audit/tmp_directory1/malware.py" inode=399852 dev=ca:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE type=PROCTITLE msg=audit(1479982525.380:50): proctitle=746F756368002F7661722F6C6F672F61756469742F746D705F6469726563746F7279312F6D616C776172652E7079

Best regards,
Pedro.

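As an added illustration of the check Pedro asks for (example code written for this thread, not code from Wazuh or from either poster): group archived auditd records by their event id and report, per event, whether any record carried the auditctl key field and which files were created. The sample records are constructed from the two excerpts quoted above; the second event has only PATH records, so it shows what a missing key looks like.

```python
import re
from collections import defaultdict

# Constructed sample log (shaped like the records quoted in this thread,
# not a real archive). Event 1: a SYSCALL record carrying key="audit-wazuh-w"
# plus its CWD/PATH records. Event 2: PATH records only, no key field.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1479982525.380:50): arch=c000003e syscall=2 success=yes exit=3 ppid=432 pid=3333 auid=0 uid=0 comm="touch" exe="/bin/touch" key="audit-wazuh-w"
type=CWD msg=audit(1479982525.380:50): cwd="/var/log/audit"
type=PATH msg=audit(1479982525.380:50): item=0 name="/var/log/audit/tmp_directory1/" inode=399849 dev=ca:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1479982525.380:50): item=1 name="/var/log/audit/tmp_directory1/malware.py" inode=399852 dev=ca:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1504028215.289:629953): item=0 name="/home" inode=24577 dev=ca:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1504028215.289:629953): item=1 name="malware2.py" inode=8663 dev=ca:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The msg=audit(timestamp:serial) tag shared by every record of one event.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Return (event_id, fields) for one auditd record; (None, {}) if not a record."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = {}
    for name, raw, quoted in FIELD_RE.findall(line):
        fields[name] = quoted if raw.startswith('"') else raw
    return f"{m.group(1)}:{m.group(2)}", fields

def group_events(log_text):
    """Collect all records that share one msg=audit(ts:serial) event id."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        event_id, fields = parse_record(line)
        if event_id:
            events[event_id].append(fields)
    return events

def summarize(log_text):
    """Per event: the auditctl key (None if no record carried one) and created paths."""
    summary = {}
    for event_id, records in group_events(log_text).items():
        keys = {r["key"] for r in records if "key" in r}
        created = [r["name"] for r in records
                   if r.get("type") == "PATH" and r.get("nametype") == "CREATE"]
        summary[event_id] = {"key": keys.pop() if keys else None, "created": created}
    return summary
```

An event whose summary has `key` set to None either never matched the `-k` rule or lost its SYSCALL record before reaching the manager, which is the distinction Pedro's archive sample is meant to settle.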