Wazuh can not detect "Authentication success" on CentOS 7.x


SelienK Max

Dec 8, 2022, 2:46:13 AM
to Wazuh mailing list
Hi all,

I just built a Wazuh lab with 2 Linux agents: CentOS 7.x and Ubuntu 18.x. I tested the rule that detects SSH authentication on the 2 agents (failure and success)

- CentOS: detect login failure --> OK, detect success --> nothing ?
- Ubuntu: detect both --> OK

What's the problem on the CentOS agent? I didn't change any config, just use the default

Wazuh log for the CentOS agent, only SSH failures detected (screenshots not reproduced)

Wazuh log for the Ubuntu agent, both detected OK (screenshots not reproduced)

Mario Andres Ruiz Hernandez

Dec 8, 2022, 9:35:51 AM
to Wazuh mailing list
Hi,

Let me do some research for you and I'll come back, ok?

Mario Andres Ruiz Hernandez

Dec 8, 2022, 9:48:02 AM
to Wazuh mailing list
Can you please mention the Wazuh version/deployment you are using?

SelienK Max

Dec 8, 2022, 9:56:56 PM
to Wazuh mailing list
Hi Mario.ruiz,

Thanks for your feedback.

Wazuh version: Wazuh v4.3.10
CentOS: CentOS Linux 7.9
Ubuntu: Ubuntu 18.04.1 LTS

I just tested FIM on Wazuh. The CentOS agent can not run real-time detection (who-data), it just runs by schedule. But Ubuntu is OK.

I think the Ubuntu agent runs better than CentOS

FIM config on CentOS and log on Wazuh (screenshots not reproduced)

FIM config on Ubuntu (screenshots not reproduced)

On Thursday, December 8, 2022 at 21:48:02 UTC+7, mario...@wazuh.com wrote:

Adam Sobieraj

Mar 3, 2023, 6:32:42 AM
to Wazuh mailing list
Hi

I have this problem too, CentOS 7.x stopped working with Authentication (it was working, but after some CentOS and Wazuh updates it stopped).
SSH auth is logged in /var/log/secure, wazuh-agent sees changes in /var/ossec/queue/logcollector/file_status.json
But on the manager side (Agent->Stats), it does not show any new events for /var/log/secure.

Best regards
Adam Sobieraj

Adam Sobieraj

Mar 4, 2023, 3:34:37 AM
to Wazuh mailing list
Hi

I have found the problem why my wazuh-agent did not show auth events from /var/log/secure: the problem was rsyslogd.
I had some dead remote hosts in rsyslogd, and when I ran lsof I had:
lsof |grep secure
wazuh-log 1448          root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1476     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1486     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1487     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1488     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1489     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1490     root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1491     root   10r      REG              253,2      40474     667434 /var/log/secure

After removing the dead remote hosts, rsyslog started to send logs to /var/log/secure without delay:
wazuh-log 1448          root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1476     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1486     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1487     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1488     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1489     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1490     root   10r      REG              253,2      40699     667434 /var/log/secure
wazuh-log 1448 1491     root   10r      REG              253,2      40699     667434 /var/log/secure
rsyslogd  2615          root    4w      REG              253,2      40699     667434 /var/log/secure
in:imjour 2615 2617     root    4w      REG              253,2      40699     667434 /var/log/secure
rs:main   2615 2618     root    4w      REG              253,2      40699     667434 /var/log/secure

Best regards
Adam Sobieraj
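A check derived from the diagnosis in the post above, added here as an example and not part of the thread or of Wazuh: it parses lsof output and reports whether any process holds /var/log/secure open for writing, which is exactly what distinguished the broken state (only the wazuh-logcollector reader threads on the file) from the fixed one (rsyslogd and its in:imjournal/rs:main threads holding it with a "w" descriptor). The two sample listings are constructed to mirror the before/after output in the post; the function names and the --live switch are my own.

```shell
#!/bin/sh
# Added example (not from the thread): is the file the Wazuh agent tails
# actually being written by a syslog daemon? If no process holds it for
# writing, new SSH events never land in it and the agent has nothing to read.

# Constructed sample mirroring the "before" listing: only wazuh-logcollector
# (main PID plus one thread) holds /var/log/secure, read-only FD "10r".
BEFORE='wazuh-log 1448          root   10r      REG              253,2      40474     667434 /var/log/secure
wazuh-log 1448 1476     root   10r      REG              253,2      40474     667434 /var/log/secure'

# Constructed sample mirroring the "after" listing: rsyslogd and one of its
# threads now hold the file for writing (FD "4w") and the size has grown.
AFTER='wazuh-log 1448          root   10r      REG              253,2      40699     667434 /var/log/secure
rsyslogd  2615          root    4w      REG              253,2      40699     667434 /var/log/secure
in:imjour 2615 2617     root    4w      REG              253,2      40699     667434 /var/log/secure'

# count_fd_mode LSOF_OUTPUT PATH MODES
# Counts lines for PATH whose FD column ends in one of MODES (r, w, u).
# Thread lines carry an extra TID column, so the FD column is located by
# its shape (<digits><r|w|u>) instead of by a fixed index.
count_fd_mode() {
  printf '%s\n' "$1" | awk -v path="$2" -v modes="$3" '
    $NF == path {
      fd = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+[rwu]$/) { fd = $i; break }
      if (fd != "" && index(modes, substr(fd, length(fd))) > 0) n++
    }
    END { print n + 0 }'
}

# has_writer LSOF_OUTPUT PATH -> exit 0 if some process has PATH open for
# writing ("w") or read/write ("u"), 1 otherwise.
has_writer() {
  [ "$(count_fd_mode "$1" "$2" wu)" -gt 0 ]
}

# writer_names LSOF_OUTPUT PATH -> space-separated unique COMMAND names that
# hold PATH for writing, e.g. "in:imjour rsyslogd".
writer_names() {
  printf '%s\n' "$1" | awk -v path="$2" '
    $NF == path {
      for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+[wu]$/) { print $1; break }
    }' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# lsof_size LSOF_OUTPUT PATH -> the SIZE/OFF column for PATH (two fields
# after the TYPE column "REG"); compare two samples to see if it is growing.
lsof_size() {
  printf '%s\n' "$1" | awk -v path="$2" '
    $NF == path { for (i = 2; i < NF; i++) if ($i == "REG") { print $(i + 2); exit } }'
}

# check_live [PATH]: run lsof on this host (root needed to see other users'
# descriptors). lsof exits 1 when nobody has the file open, which here is
# the interesting case, so the exit status is ignored and the output is parsed.
check_live() {
  path="${1:-/var/log/secure}"
  if ! command -v lsof >/dev/null 2>&1; then
    echo "lsof is not installed"; return 2
  fi
  out="$(lsof -- "$path" 2>/dev/null || true)"
  if has_writer "$out" "$path"; then
    echo "OK: $path is held for writing by: $(writer_names "$out" "$path") (size $(lsof_size "$out" "$path"))"
  else
    echo "WARNING: no process holds $path for writing; the agent is tailing a file nothing appends to"
    return 1
  fi
}

# Usage: sh check_secure_writer.sh --live [/var/log/secure]
if [ "${1:-}" = "--live" ]; then
  check_live "${2:-/var/log/secure}"
fi
```

Running the live check twice a minute apart (and comparing the sizes) gives the same evidence the post gathered by hand: a reader-only listing or a size that never moves means the syslog side, not the Wazuh agent, is where to look.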
