Monitor command execution from servers
196 views
Skip to first unread message
sang thanh
Oct 10, 2022, 4:39:27 AM10/10/22
to Wazuh mailing list
Hi guys,
I'm looking for the way to mornitor full commands which executed from the users in Linux.
I walk through this link but not sure it's collect all commands.
Can you give me the instruction or the link to do that.
Thanks
Jesus Linares
Oct 10, 2022, 5:34:52 AM10/10/22
to Wazuh mailing list
Hello,
The link that you mentioned is for executing commands in the agents remotely from the manager.
I think what you are looking for is this guide: https://documentation.wazuh.com/current/user-manual/capabilities/system-calls-monitoring/audit-configuration.html#monitoring-user-actions.
What we do is monitor system calls using auditd. For example, these auditd rules will audit all commands run by a user who has admin privileges:
- auditctl -a exit,always -F euid=0 -F arch=b64 -S execve -k audit-wazuh-c
- auditctl -a exit,always -F euid=0 -F arch=b32 -S execve -k audit-wazuh-c
The command is logged in /var/log/audit/audit.log and the Wazuh agent reads that file. Then, the manager will trigger an alert based on the corresponding decoders/rules.
Check the documentation for more information.
I hope it helps.
sang thanh
Oct 12, 2022, 4:20:32 AM10/12/22
to Wazuh mailing list
Understood, thank you so much.
Vào lúc 16:34:52 UTC+7 ngày Thứ Hai, 10 tháng 10, 2022, Jesus Linares đã viết:
Reply all
Reply to author
Forward
0 new messages