Sysmon and Auditd in Linux


Dai Nguyen

Jul 13, 2023, 6:14:42 AM7/13/23
to Wazuh mailing list
I want to install Sysmon and Auditd on a Linux agent. How do I do it?
Thank you!!

Federico Rodriguez

Jul 13, 2023, 7:59:32 AM7/13/23
to Wazuh mailing list
Hi Dai Nguyen,

Here are a few resources to help you install Sysmon in Linux:

To install Auditd in Red Hat Enterprise Linux distributions, the auditd package is installed by default in version 7 and above. If it is not installed by default, the following command will do it:
sudo dnf install audit

auditd is not always operating on an openSUSE Leap system by default. However, the following command will enable it:
sudo systemctl enable auditd

Similarly, in Debian-based Linux distributions, you can install the latest version of auditd along with its relevant plugins using:
sudo apt-get install auditd audispd-plugins

Hope it helps!

Dai Nguyen

Jul 13, 2023, 10:10:49 PM7/13/23
to Wazuh mailing list
Hi, 
I built debian packages according to this tutorial: Wazuh packages generation guide
I tried to install Wazuh with the Debian packages, but I cannot integrate Sysmon and auditd: when I run "dpkg -i wazuh.deb", I get a "dpkg locked frontend" error because I'm trying to install auditd and Sysmon in the postinst script. I want Sysmon and auditd to be installed automatically when I install the Debian packages. Is there a way to do this?
Thank you!


On Thursday, 13 July 2023 at 18:59:32 UTC+7, Federico Rodriguez wrote:

Federico Rodriguez

Jul 15, 2023, 6:24:48 AM7/15/23
to Wazuh mailing list
Hi Dai Nguyen,

There are two likely reasons you are getting that error: either you do not have permission to install the package, or another process has already locked the frontend.

In case you have a custom post-install script, you can try adding the following verification in the script to wait until the lock is released:

while sudo lsof /var/lib/dpkg/lock-frontend ; do sleep 10; done;

It would be something like this:
[Screenshot: Screenshot from 2023-07-15 11-57-55.png]

Hope it helps!
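The one-liner above polls forever. As an added example (not code from the thread or from Wazuh), here is a bounded version of that wait, written as a POSIX sh function you could source from a maintainer script. The names DPKG_LOCK, lock_held and wait_for_dpkg_lock are hypothetical; it assumes lsof is installed, as the original one-liner does. Keep in mind that when a postinst is run by dpkg -i, the dpkg process executing that postinst is itself holding the frontend lock, so no amount of waiting will free it; a bounded loop at least fails with a clear message instead of hanging the installation.

```sh
#!/bin/sh
# Added example: bounded wait for the dpkg frontend lock.
# Hypothetical names: DPKG_LOCK, lock_held, wait_for_dpkg_lock.
# Assumes lsof is available (same assumption as the thread's one-liner).

DPKG_LOCK=${DPKG_LOCK:-/var/lib/dpkg/lock-frontend}

# lock_held: succeeds (exit 0) when some process has the lock file open.
# Kept as a separate function so it can be replaced in a test.
lock_held() {
    lsof "$DPKG_LOCK" >/dev/null 2>&1
}

# wait_for_dpkg_lock MAX_TRIES SLEEP_SECS
# Polls lock_held up to MAX_TRIES times, sleeping SLEEP_SECS between polls.
# Returns 0 as soon as the lock is free, 1 if it is still held after the
# last poll, so the caller can abort instead of blocking indefinitely.
wait_for_dpkg_lock() {
    max_tries=${1:-30}
    sleep_secs=${2:-10}
    i=0
    while lock_held; do
        i=$((i + 1))
        if [ "$i" -ge "$max_tries" ]; then
            echo "dpkg frontend lock still held after $((i * sleep_secs))s; giving up" >&2
            return 1
        fi
        sleep "$sleep_secs"
    done
    return 0
}
```

In a script that is run outside dpkg (for example a wrapper that installs the packages, rather than the postinst itself), the call would be `wait_for_dpkg_lock 30 10 || exit 1`, followed by the apt or dpkg command. The exit status, not printed output, is what the caller should act on.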

Dai Nguyen

Jul 16, 2023, 8:52:28 AM7/16/23
to Wazuh mailing list
Hi, 
I did that, but it seems that when I run "dpkg -i wazuh.deb", the post-install script is run. In the post-install script I run a script "install-sysmon.sh", in which I use apt install to install Sysmon.
This leads to a "dpkg locked frontend" error. So is there a way to solve this problem?
Thank you!

On Saturday, 15 July 2023 at 17:24:48 UTC+7, Federico Rodriguez wrote: