Debian - wazuh agent no log reporting


Stephen

Aug 13, 2018, 7:14:55 AM8/13/18
to Wazuh mailing list
Hi, I recently installed the wazuh agent on a Debian system. I configured it to log /var/log/auth.log and other files, but I am not getting any alerts at all in my kibana/ES. It reports that the agent is connected, getting audit reports or file integrity changes. But it's not sending any reports about SSH access, for example.
Any thoughts on that?
Thanks
Steve

Jesus Linares

Aug 13, 2018, 9:03:18 AM8/13/18
to Wazuh mailing list
Hi Stephen,

Please check if the agent is monitoring the log files regarding the SSH access. You will find it in the localfile configuration:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>


It is in the ossec.conf file (agent) or agent.conf file (manager).

Regards,

Stephen

Aug 13, 2018, 9:31:39 AM8/13/18
to Wazuh mailing list
Hi, yes I do. See below:
I use a similar config on other Linux machines and it works perfectly fine, but not on this Debian one.

<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

</ossec_config>

Jesus Linares

Aug 13, 2018, 9:54:41 AM8/13/18
to Wazuh mailing list
Hi,

You can use the lsof command to know if the agent is reading the expected files (auth.log, messages, etc). If it is reading the files, you can debug the decoders/rules:
  • Run /var/ossec/bin/ossec-logtest and copy an event that should generate an alert.
  • You should see the fields extracted and the rule triggered. Only rules with level 3 or higher generate an alert by default.
Also, you can enable the log_all setting, and review the events in /var/ossec/logs/archives/archives.json.

If it is not reading the files, review the configuration, the ossec.log and restart it to be sure that the configuration is applied.
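One way to script the lsof cross-check described above, as an added example that is not part of the thread or of Wazuh itself: it lists the <location> entries of an ossec.conf that are duplicated or that never show up among the files the agent holds open. The config and lsof output are constructed samples, and the log collector process name (ossec-logcollector) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list the <location> entries of an
# ossec.conf that are duplicated or that do not appear among the files the
# agent holds open (the lsof check suggested above). Config and lsof output are
# constructed samples; on a real agent use /var/ossec/etc/ossec.conf and
# "lsof -p <pid>" of the log collector (process name assumed: ossec-logcollector).

# Print every <location> value found in the config, one per line.
configured_locations() {
  sed -n 's/.*<location>\([^<]*\)<\/location>.*/\1/p' "$1"
}
# Print "DUPLICATE <path>" for locations listed more than once and
# "NOT_OPEN <path>" for locations absent from the lsof NAME column.
check_locations() {
  conf="$1"; lsof_out="$2"
  configured_locations "$conf" | sort | uniq -d | sed 's/^/DUPLICATE /'
  configured_locations "$conf" | sort -u | while read -r f; do
    # The path is the last field of an ordinary lsof line.
    if ! awk -v f="$f" '$NF == f { found = 1 } END { exit !found }' "$lsof_out"; then
      echo "NOT_OPEN $f"
    fi
  done
}

# Constructed samples: auth.log is listed twice, as in the posted config, and
# syslog.log (Debian writes to /var/log/syslog) is never opened by the agent.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog.log</location>
  </localfile>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/lsof.txt" <<'EOF'
COMMAND    PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ossec-log 1234 root 4r  REG  254,0    12345 4567 /var/log/auth.log
ossec-log 1234 root 5r  REG  254,0     2345 4568 /var/log/kern.log
EOF
check_locations "$SAMPLE_DIR/ossec.conf" "$SAMPLE_DIR/lsof.txt"
```

A NOT_OPEN path that does exist on disk points at the agent config not being applied (restart and check ossec.log); one that does not exist points at a wrong path in the localfile block.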