Inconsistent info for Audit logs in Azure AD events


Carlos Lopez

Jan 16, 2023, 3:22:30 AM
to wa...@googlegroups.com
Good morning,

I have enabled Azure AD Audit logs as explained here: https://documentation.wazuh.com/current/azure/activity-services/active-directory/index.html. But comparing the information with the Azure console, many events are missing.

For example, I can see only "Success" status, but nothing regarding "Failure" events... and there are quite a few of them. I have revised azure_logs.log also, and no errors are shown.

Is this a bug, or do I need to enable something else?

Best regards,
C. L. Martinez

Federico Gustavo Galland

Jan 16, 2023, 5:35:44 AM
to Wazuh mailing list
Hi Carlos,

If you are seeing some event information in the Wazuh Dashboard, but you are missing events you know are getting output, this is probably down to lacking decoders/rules for your particular use-case.

In order to know exactly what needs to be done to address this issue, you need to switch <logall_json> to "yes" within /var/ossec/etc/ossec.conf and restart the wazuh-manager service afterwards.

sed -i 's/logall_json>no/logall_json>yes/' /var/ossec/etc/ossec.conf
systemctl restart wazuh-manager

With this done, every incoming event that reaches the Wazuh Server will be logged to the /var/ossec/logs/archives/archives.json file. Depending on the size of your environment this could fill your storage space up pretty quickly, so make sure to disable this once you are done testing.

Now you can go ahead and trigger your Failure events on your Azure account. If the Azure configuration and Wazuh's integration part is set up properly, you should see json log lines starting to appear in the output of the following example command:

grep -i azure /var/ossec/logs/archives/archives.json

You may need to do some filtering until you find the failure logs you are looking for.

Using the json lines output from archives.json, you can build rules that will instruct Wazuh under which conditions to fire an Alert on your Wazuh Dashboard.

If you try the above procedure, you can share the pertinent output as a reply to this thread for us to review it and point you in the right direction regarding rule development.

Let us know how it goes.

Regards,
Federico Galland
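As an added example (not part of the thread or of Wazuh's own code) of the filtering step above: this script reads archives.json lines, keeps only Azure AD audit events whose result is a failure, and counts them by the fields a custom rule would match on. The archives line layout ("location", "data") and the Azure AD field names (azure_tag, activityDisplayName, category, result, resultReason) are assumptions; the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample of archives.json content. The line layout and the Azure AD
# field names are assumptions, not copied from the mailing list thread.
SAMPLE_ARCHIVES = "\n".join([
    json.dumps({"timestamp": "2023-01-16T08:10:01.000+0000", "location": "azure-ad",
                "data": {"azure_tag": "azure-ad-graph", "category": "UserManagement",
                         "activityDisplayName": "Update user", "result": "success"}}),
    json.dumps({"timestamp": "2023-01-16T08:11:45.000+0000", "location": "azure-ad",
                "data": {"azure_tag": "azure-ad-graph", "category": "GroupManagement",
                         "activityDisplayName": "Add member to group", "result": "failure",
                         "resultReason": "Insufficient privileges"}}),
    json.dumps({"timestamp": "2023-01-16T08:12:03.000+0000", "location": "syslog",
                "full_log": "Jan 16 08:12:03 host sshd[1]: Accepted publickey for admin"}),
    "this line is not json and must be skipped",
    json.dumps({"timestamp": "2023-01-16T08:13:22.000+0000", "location": "azure-ad",
                "data": {"azure_tag": "azure-ad-graph", "category": "GroupManagement",
                         "activityDisplayName": "Add member to group", "result": "failure",
                         "resultReason": "Insufficient privileges"}}),
])


def azure_failures(archives_text):
    """Return the Azure AD audit events from archives.json whose result is a failure."""
    hits = []
    for line in archives_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # archives.json may hold a partially written last line; skip it
        data = event.get("data") or {}
        is_azure = ("azure" in event.get("location", "").lower()
                    or "azure" in str(data.get("azure_tag", "")).lower())
        if is_azure and str(data.get("result", "")).lower() == "failure":
            hits.append(event)
    return hits


def summarize(events):
    """Count failures per (category, activity, reason): the tuple a rule would match on."""
    return Counter(
        (e["data"].get("category"), e["data"].get("activityDisplayName"),
         e["data"].get("resultReason"))
        for e in events
    )


if __name__ == "__main__":
    for key, count in summarize(azure_failures(SAMPLE_ARCHIVES)).items():
        print(count, key)
```

Run it against the real file with the archives path in place of SAMPLE_ARCHIVES; the resulting (category, activity, reason) tuples are the field conditions to put in the custom rule.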